


Citizen data leak from the municipality system in Latvia


Published on 15 January 2025 | reading time approx. 4 minutes


In autumn 2024, a leak of citizens' personal data from the Unified municipality information system was discovered in Latvia. From 29 October to 2 November, unauthorised persons were able to access a search index that partly duplicated municipality data. This data included personal information about citizens and municipality employees, including their names, surnames, personal identification numbers and residential addresses, as well as, in the case of municipality employees, their job titles and email addresses.

This municipality data is maintained and stored in an information system managed by a vendor, a private company providing the respective services. The director of this company commented on the matter, saying that the documents stored in the system were not illegally obtained, corrected or deleted. Immediately after the company became aware of the incident, measures were taken to improve security and remedy the incident; however, at the moment it is not clear for what purposes the data could be used and what damage this could cause to the data subjects. Nevertheless, one of the few conclusions drawn is that such data will make it possible to launch more targeted fraud campaigns against citizens, using specific personal data about them.

The municipalities have reported the incident to the State Data Inspectorate, which is investigating the incident to establish the circumstances of the case and the causes of the leak. As regards the responsible parties, it should be mentioned that the system developer is only a data processor, therefore, based on the GDPR provisions, the responsibility for choosing a cooperation partner and setting standards to ensure that personal data is processed securely lies with the municipalities where the data leak occurred. Although the investigation of the situation by the State Data Inspectorate is still ongoing, it can be concluded that the personal data of people was not sufficiently protected and that a breach was committed for which liability will be incurred.

In February 2024, the Norwegian Data Protection Authority also faced a data breach by a municipality. In this case, personal data was made available to unauthorised persons in the municipality's public mail log.

The leak resulted in the publication of individual decisions concerning pupils of Grue municipality, which contained information such as pupils' names, dates of birth and personal identification numbers, as well as the telephone numbers and addresses of the pupils' parents. In total, 14 pupils and their parents were affected by this infringement. The Norwegian Data Protection Authority, taking into account the circumstances of the case and the fact that the municipality informed both the Data Protection Authority and the persons affected about the infringement as soon as possible, decided to fine the municipality EUR 20 800,00. This is not the only case of a Norwegian municipality being fined for insufficient protection of student data.

In March 2019, the Norwegian Data Protection Authority imposed an administrative fine of EUR 170 000,00 on the municipality of Bergen in connection with the publication of the municipality's student data. The data released included usernames, passwords, dates of birth, addresses, as well as schools and classes of the persons concerned. School work and teachers' evaluations of pupils were also available. The breach described affected 35 000 persons.

On the basis of the cases reviewed and those already closed, it can be concluded that a decision imposing a monetary penalty for the GDPR infringements committed is also expected in the case of the Latvian 2024 personal data leak. The penalty will of course be determined taking into account the circumstances of the specific case; at the same time, since this leak concerns all Latvian municipalities except the capital city Riga, the number of affected persons could potentially exceed 1 million people. This, in turn, points to the possible imposition of a new largest penalty in Latvian history.

DATA PROTECTION BITES

AUTHOR


Staņislavs Sviderskis

Assistant Attorney at law, Cyber & Information Security Expert

Senior Associate

+371 6733 8125
