Norwegian School App exposes 63,000 school children’s data – fines of €200,000 expected


Is your mobile app secure?

The Norwegian newspaper Aftenposten has revealed a huge security breach in a new app for Norwegian school children. The app “Skolemelding” was not properly tested before being launched, thereby exposing the data of 63,000 children, says the Norwegian Data Protection Authority (DPA).
The Norwegian Data Protection Authority strongly criticizes Oslo’s Education Office (UDE) and their new app “Skolemelding” (i.e., School message). The app is believed to violate the rules of personal information security, and the DPA now warns of fines of up to 2 million Norwegian kroner (€200,000).

Exposing 63,000 children's data

“Skolemelding” is an app that was used by the schools in Oslo last year. The purpose of the app was to make it easier for parents and teachers to communicate about the children’s daily life in school.
But Aftenposten found major security flaws in the new app. Everyone who logged in, and others with knowledge of the flaws, could theoretically gain access to the information and communication of the more than 63,000 students in the Norwegian capital.

Case summarized

In 2018 the Norwegian app Skolemelding (i.e., School message) was launched, giving parents of more than 63,000 children in the Norwegian capital Oslo new ways of communicating.
Aftenposten later revealed the app’s major security flaws that exposed the children’s data.

The app did not undergo proper testing

The Norwegian DPA entered the case with such force because a great number of school children’s data had been exposed. The DPA further emphasizes that the responsible party (Municipality of Oslo) did not carry out sufficient testing before the app was launched.
Therefore, the security breaches were not evident to the UDE. However, it was later made clear that the breaches were very well known, says Bjørn Erik Thon.
Although the bugs were fixed the same day the UDE was notified, the actions taken were not acceptable to the DPA. The UDE is, therefore, warned of a fine of up to €200,000.
The Education Office now has to decide whether they will accept the fines or not.

We can test if your mobile app is GDPR compliant

Testing your mobile app for security breaches and GDPR readiness is absolutely vital for your brand image and your relationship with your customers.
Here we present a guide to how you can make your company app GDPR and ePrivacy compliant.