Norwegian newspaper Aftenposten has revealed a huge security breach in a new app for Norwegian school children. The app "Skolemelding" was not properly tested before launched thereby exposing the data of 63,000 children, says Norwegian Data Protection Authority (DPA)
The Norwegian Data Protection Authority strongly criticizes Oslo’s Education Office (UDE) and their new app “Skolemelding” (i.e. School message). The app is believed to violate the rules of personal information security and the DPA now warns of fines up to 2 million Norwegian kroner (€200,000).
Exposing 63,000 children’s data
"Skolemelding" is an app that was used by the schools in Oslo last year. The purpose of the app was to make it easier for parents and teachers to communicate about the children’s daily life in school.
But Aftenposten found major security flaws in the new app. Everyone who logged in, and others with knowledge of the flaws, could theoretically gain access to the information and communication of the more than 63,000 students in the Norwegian capital.
- The Oslo municipality launched an app named "Skolemelding" which had a security hole. This could potentially lead to information about as many as 63,000 students. Others with knowledge of the breach could also gain access to the information”, says Bjørn Erik Thon, Director of Datatilsynet (the Norwegian Data Protection Authority), to the NRK.
The App did not undergo proper testing
The reason why the Norwegian DPA entered the case with such force is, that a great number of school children’s data had been exposed. The DPA further emphasizes, that the responsible part (Municipality of Oslo) did not carry out a good enough testing before the app was launched.
Therefore, the security breaches were not evident for the UDE. However, it was later made clear, that the breaches were very well-known breaches, says Bjørn Erik Thon.
Although the bugs were fixed the same day the UDE was notified, the actions taken were not acceptable for the DPA. The UDE is therefore warned of a fine up to €200,000.
The Education Office now has to decide whether they will accept the fines or not.
We can test if your mobile app is GDPR compliant
Testing your mobile app for security breaches and GDPR readiness is absolutely vital for your brand image and relation to your customers.
Here we present a guide to how you can make your company app GDPR and ePrivacy compliant.