Germany
Hamburger Verkehrsverbund GmbH (HVV GmbH)
20,000 €
GDPR enforcement action by Data Protection Authority of Hamburg on 2019.
Rank · Sector
#98
of 165 in Transportation and Energy
Rank · Germany
#53
of 116
Rank · All fines
#1,025
of 3,042
Case details
- Authority
- Data Protection Authority of Hamburg
- Date
- 2019
- Controller / Processor
- Hamburger Verkehrsverbund GmbH (HVV GmbH)
- Sector
- Transportation and Energy
- Quoted Articles
- Art. 33 GDPR, Art. 34 GDPR
- Type of violation
- Insufficient fulfilment of data breach notification obligations
Summary
On July 6, 2018, HVV GmbH was informed by a customer about a security gap on the website www.hvv.de, which was caused by an update on February 5, 2018 and concerned the so-called Customer E-Service (CES). The security gap consisted in the fact that customers logged in to the CES who had an HVV Card and linked their CES customer account to at least one active contractual relationship in background systems could, by changing the URL, display data of other customers who had an HVV Card. This data breach was not reported to the data protection authority in a timely manner.
Open original source
Links to the regulator's original publication or another source.
Related fines
Germany
2024
45,000,000 €
ETid-2646
Vodafone GmbH
Media, Telecoms and Broadcasting
Germany
2020-10-01
35,258,708 €
ETid-405
H&M Hennes & Mauritz Online Shop A.B. & Co. KG
Employment
Germany
2024
4,113,486 €
ETid-2638
Unknown
Not assigned
Germany
2019
3,501,000 €
ETid-943
Unknown
Individuals and Private Associations
Germany
2022
2,001,000 €
ETid-1870
Unknown
Individuals and Private Associations
Germany
2022-03-03
1,900,000 €
ETid-1103
BREBAU GmbH
Real Estate