Norwegian School App exposed 63,000 school children’s data – fines of €200,000 expected

Norwegian School App exposed 63,000 school children’s data – fines of €200,000 expected

Is your mobile app secure?

Let's perform an app audit! Our scanner can monitor your compnay's mobile apps to see if they comply with ePrivacy and GDPR.
Book a meeting with our compliance experts and let's have a brief chat about how to make your app GDPR compliant.


Norwegian newspaper Aftenposten has revealed a huge security breach in a new app for Norwegian school children. The app "Skolemelding" was not properly tested before launched thereby exposing the data of 63,000 children, says Norwegian Data Protection Authority (DPA)

The Norwegian Data Protection Authority strongly criticizes Oslo’s Education Office (UDE) and their new app “Skolemelding” (i.e. School message). The app is believed to violate the rules of personal information security and the DPA now warns of fines up to 2 million Norwegian kroner (€200,000).

Exposing 63,000 children’s data

"Skolemelding" is an app that was used by the schools in Oslo last year. The purpose of the app was to make it easier for parents and teachers to communicate about the children’s daily life in school.

But Aftenposten found major security flaws in the new app. Everyone who logged in, and others with knowledge of the flaws, could theoretically gain access to the information and communication of the more than 63,000 students in the Norwegian capital.

- The Oslo municipality launched an app named "Skolemelding" which had a security hole. This could potentially lead to information about as many as 63,000 students. Others with knowledge of the breach could also gain access to the information”, says Bjørn Erik Thon, Director of Datatilsynet (the Norwegian Data Protection Authority), to the NRK.

Case summarized

In 2018 the Norwegian app Skolemelding (i.e. School message) was launched giving parents of more than 63,000 children in the Norwegian capital Oslo new ways of communicating.
Aftenposten later revealed the app to have major security flaws which exposed the children’s data.

The App did not undergo proper testing

The reason why the Norwegian DPA entered the case with such force is, that a great number of school children’s data had been exposed. The DPA further emphasizes, that the responsible part (Municipality of Oslo) did not carry out a good enough testing before the app was launched. 

Therefore, the security breaches were not evident for the UDE. However, it was later made clear, that the breaches were very well-known breaches, says Bjørn Erik Thon.

Although the bugs were fixed the same day the UDE was notified, the actions taken were not acceptable for the DPA. The UDE is therefore warned of a fine up to €200,000.

The Education Office now has to decide whether they will accept the fines or not.

We can test if your mobile app is GDPR compliant

Testing your mobile app for security breaches and GDPR readiness is absolutely vital for your brand image and relation to your customers.

Here we present a guide to how you can make your company app GDPR and ePrivacy compliant.

Link: How to get mobile app GDPR compliant in 6 easy steps (en)

Link: 6 skritt som gjør at din app tilfredsstiller GDPR (no)

Link: 6 trin til at blive GDPR compliant på din mobil app (da)

Become GDPR cookie compliant

Become GDPR cookie compliant today. Book a meeting with our compliance experts.