INPS report to the Data Protection Authority for a Data Breach

(by Dr. Giuseppe Gorga) On 14 May 2020 the Italian Data Protection Authority (Garante per la protezione dei dati personali) adopted its provision on the personal data breach suffered by the national social security institute (INPS), whose servers had been subjected to several breaches of their security controls. INPS had notified the incident to the Authority as required by art. 33 of the GDPR, which sets out what a breach notification must contain and how it is to be made.

The personal data breach at INPS consisted in users of the main site (www.inps.it) being shown personal data belonging to third parties, without any authorisation to see them.

The incident was triggered by the surge of requests from Italian citizens for the bonus for the purchase of baby-sitting services (the so-called "Baby Sitting Bonus") and for the income-support measures linked to the COVID-19 emergency, provided for by Decree-Law 18/2020.

In view of this, the institute, in order to guarantee adequate usability of its services and protection from possible DDoS attacks, had decided to use a Content Delivery Network (CDN) service, considered "suitable for the management of this service delivery model".

The company Leonardo was also involved, providing system support through a "technical table" (a joint working group) set up between INPS, Microsoft and Leonardo itself.

In addition, the institute relied on Microsoft's content-distribution offering, which is based on Akamai technology. All these countermeasures, however, proved inadequate for the volume of requests.

Faced with the emergency, INPS took the drastic step of temporarily shutting down its website. This decision was needed in order to optimise the www.inps.it portal and to limit the traffic coming from intermediaries and citizens.

A further measure taken by the institute to limit the spread of the personal data was to set up a dedicated mailbox, violazionedatiGDPR@inps.it, to which reports and evidence concerning the data breach could be sent.

From the various reports it emerged that the data shown to third parties mainly consisted of identification data, residence and electronic contact details, and that they were seen by no more than 819 people.

In this regard, INPS declared that, "taking into account the type of data displayed, and considering that the viewing took place in a completely random way and for a limited time, by subjects who appear to have no connection with or interest in the data subjects, […] [INPS] believes that the breach is not such as to represent a high risk for the rights and freedoms of individuals".

Also significant are the further anomalies that emerged from the analysis, even though they were not directly connected to the institute's portal: for example, the unauthorised access to personal data that had already occurred on 31 March 2020, and the anomalies found in the COVID-19 indemnity procedure.

In conclusion, the Data Protection Authority, pursuant to art. 58(2)(e) of the GDPR, ordered INPS to communicate the personal data breaches in question to all the data subjects concerned without delay. INPS was also asked to report which measures it had taken to resolve the problem and to provide adequately documented feedback, pursuant to art. 157 of the Italian Privacy Code, within 20 days of receipt of the provision.

This should make us reflect on how our data are always potentially at risk when all the possible weak points of a system have not been identified in advance.
