The Norwegian Data Protection Authority has decided to issue Trumf with a fine in the amount of NOK 5 million (EUR 500,000). The basis for this fine is that Trumf members were able to register someone else’s account number on their member profile, thereby accessing the purchasing history of a third party.
By registering an account number with Trumf, users gain access to details of what they have purchased, as well as when and where they made the purchase.
“Trumf had failed to ensure satisfactory security for the processing of members' purchasing histories, and had to remedy this security failing,” says then acting Director Janne Stang Dahl.
“The Data Protection Authority therefore stands by its previous notice of a NOK 5 million fine against Trumf (norwegian), which was issued in December 2021, and we have maintained our previous assessment in this decision.”
Trumf members were able to access other people's purchasing histories because Trumf had not implemented a solution to verify that the Trumf member registering the bank account was the account's actual owner.
In its decision, the Data Protection Authority gives examples where various individuals, intentionally or unintentionally, have registered bank accounts owned by other people on their membership profiles, which is a personal data breach. Trumf has an obligation to report all such incidents to the Data Protection Authority, and all such incidents must also be documented internally.
In its decision, the Data Protection Authority outlines why we believe Trumf has failed to meet these obligations.
Trumf has not ensured that account numbers are verified before access to purchasing histories is obtained or when new account numbers are registered.