Two separate data breaches affected the PostNord MyPostNord app and were reported to the Norwegian DPA (Datatilsynet) in February and March 2020. The breaches occurred because unauthorised persons were able to access the profiles of some app users: PostNord, as personal data controller, used phone numbers as the only means of authentication.
In investigating the breaches, Datatilsynet looked into whether PostNord had taken adequate measures to ensure an appropriate level of security for the app's processing, as required by Article 32 of the EU GDPR. This Article requires controllers to perform risk assessments as a necessary step towards complying with the Regulation, and it emerged that no such assessment had been performed before the processing of personal data began. Additionally, Datatilsynet underlined that using mobile phone numbers as the sole identifier for accessing the MyPostNord app could pose problems with regard to the principle of confidentiality under Article 5 of the EU GDPR, especially since mobile phone numbers can be re-assigned to new owners without the corresponding app profiles being updated.
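To make the design weakness concrete, the following added example (not PostNord's code, and not based on any detail of the MyPostNord app beyond what is stated above) contrasts a login that treats a phone number as both identifier and credential with a hardened form. The hardened version demands a proof of possession (a one-time code delivered to the number) plus a knowledge factor (an account PIN), so that merely knowing a number, or inheriting it after re-assignment, is not enough to reach the profile. The profile store, SMS gateway and PIN-hashing parameters are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample store (assumption: one record per profile, keyed by a profile id).
PROFILES = {
    "p-1001": {"phone": "+4700000001", "pin_salt": None, "pin_hash": None},
}
SMS_OUTBOX = {}   # phone -> last code "sent"; stands in for an SMS gateway (assumption)
PENDING = {}      # phone -> (sha256 of code, expiry timestamp)
CODE_TTL_SECONDS = 300


def _code_hash(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


def _pin_hash(pin: str, salt: bytes) -> bytes:
    # Password-style KDF so a leaked store does not expose PINs directly.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def set_pin(profile_id: str, pin: str) -> None:
    salt = secrets.token_bytes(16)
    PROFILES[profile_id]["pin_salt"] = salt
    PROFILES[profile_id]["pin_hash"] = _pin_hash(pin, salt)


def _find_by_phone(phone: str):
    for profile_id, record in PROFILES.items():
        if record["phone"] == phone:
            return profile_id
    return None


def login_by_phone_only(phone: str):
    """The weak pattern: whoever presents a known phone number gets the profile."""
    return _find_by_phone(phone)


def start_login(phone: str) -> bool:
    """Hardened step 1: issue a short-lived one-time code to the number on file."""
    if _find_by_phone(phone) is None:
        return False
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[phone] = (_code_hash(code), time.time() + CODE_TTL_SECONDS)
    SMS_OUTBOX[phone] = code  # a real deployment hands this to the SMS gateway
    return True


def finish_login(phone: str, code: str, pin: str):
    """Hardened step 2: require possession of the number AND the account PIN.

    Returns the profile id on success, None otherwise. The PIN is what stops a
    new owner of a re-assigned number from inheriting the previous owner's profile.
    """
    pending = PENDING.pop(phone, None)  # single use: a code is consumed on first attempt
    if pending is None:
        return None
    code_hash, expires_at = pending
    if time.time() > expires_at:
        return None
    if not hmac.compare_digest(code_hash, _code_hash(code)):
        return None
    profile_id = _find_by_phone(phone)
    if profile_id is None:
        return None
    record = PROFILES[profile_id]
    if record["pin_hash"] is None:
        return None  # no knowledge factor enrolled: refuse rather than fall back to phone-only
    if not hmac.compare_digest(record["pin_hash"], _pin_hash(pin, record["pin_salt"])):
        return None
    return profile_id
```

Note that the one-time code on its own would not address the re-assignment problem described above: a new subscriber on the same number can receive the code. The second factor, tied to the account rather than to the number, is what breaks that link, and a production system would additionally rate-limit code attempts and avoid revealing through `start_login` whether a number is enrolled.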
Datatilsynet concluded that PostNord implemented insufficient risk assessments and security measures, and ordered the postal service operator to implement sufficient technical and organisational measures. Find the related press release, in Norwegian, here.