Danish Data Inspectorate has issued a notice to Bergen municipality that a fine of €214,000 (1.6m kroner) may be imposed for violations of the GDPR.
The municipality utilsed a user directory service in its primary schools. However, due to serious failures in the systems security architecutre, unauthorised users could access user names and passwords in the learning platform and in school administration systems. The information accessed by unauthorised users included information about employees and primary school pupils, such as addresses and social security numbers.
The notification is not a final decision, with Bergen municipality having until 22 January to submit a response. The Data Inspectorate has order the municipality to introduce stronger security in the login solution through the use dual-factor authentication using an additional security