Ferde leaks sensitive information on 528 subscribers
Personal information about customers in the toll roads company Ferde AS has been mistakenly sent to other customers. The Norwegian Data Inspectorate will assess the matter.
– We view this very seriously, says Quality Director of the Regional Toll Roads Company Ferde AS, Ola Johannes Jordal.
Personal information about hundreds of toll subscribers in Ferde was issued to third parties on August 27th. When customer enquiries were to respond to customers who had approached them, not only did they send an electronic reply to each of them – but also the entire data log from 528 toll subscribers who had been in contact with the customer centre in the period from Friday, August 24th to Monday, 27nd August.
A total of 30 customers were involuntary recipients of the missent personal information. In most cases, the information involves customer name and email only. However, 125 pieces of information are of much more sensitive character.
Divorce and Debt Collection
Ferde has reviewed the log for the period and has noted that the following information was issued on the 27th of August:
- One personal ID number.
- 96 Bank accounts.
- 11 cases of Debt Collection
- 17 other cases containing information of the type: disability card, divorce and time and place of passage.
This is revealed in a discrepancy report from Ferde to the Data Inspectorate in September.
Subscribers in all ownership areas of Ferde AS are affected, ie Rogaland, Sogn & Fjordane, Hordaland, West & East Agder.
In Ferde, they explain the discrepancy as a technical programming error in their customer management system. They also regard it as a follow-up error of an event that became known on August 27nd. This day Ferde became aware that 528 customers days before had been assigned the same case number in email correspondence with their customer centre. This was quickly corrected and customers received new case numbers.
The same day, without Ferde knowing about it at that time, personal data from 30 customers were mistakenly sent personal information about other subscribers as a result of this.
– We have promptly informed all affected customers about what has happened, and, among other things, asked the 30 recipients of personal information to delete those. We apologise for the mistake that we made. This is entirely our responsibility and we look very seriously at the event, says Quality Director in Ferde, Ola Johannes Jordal to Rogaland Avis.
He emphasises that there is no data from their systems that is leaked.
– This is solely information that is provided to the customer centre by e-mail or orally in those four days in August, he says.
– How did you plan to avoid similar situations from reoccurring?
-We have made a number of improvements to the system after the discrepancies were revealed. Among other things, we have placed controls in the system that allow outgoing mail to be sent to the one we have received mail from only. In addition, we are now working to implement data encryption in our customer management centre so that this does not happen again, Jordal elaborates.
Jordal states that it is not appropriate to replace the supplier at this point in time, but adds that Ferde always looks for safe and good technological solutions.
– Thus, system solutions are something we continually seek to ensure efficient and good solutions to benefit our customers.
At the Data Inspectorate, they have not yet dealt with the discrepancy report from Ferde, and Director Bjørn Erik Thon states that he will therefore not comment on the matter.
– In principle, when considering the severity of things, we will, of course, see how big the discrepancy is. It means how many customers, patients or others that are affected, Thon informs Rogalands Avis.
What kind of information gone astray is also relevant to how serious the Data Inspectorate is considering matters.
– The more sensitive the information is, the greater is the potential for being misused by others. Account numbers and debt collection notices are clearly types of information that you should be careful not to spread far and wide, without wishing to comment on the seriousness of this particular case, he says.
© Rogalands Avis / #Norway Today