Lexipedia

Entscheid

EDOEB-nodate-6005acf

Final Report on Mitto AG of 17 March 2023PDF307.53 kB17. März 2023

Deutsch6 min

Source admin.ch

Final Report on Mitto AG of 17 March 2023PDF307.53 kB17. März 2023

Erwägungen

0 Schweizerische Eidgenossenschaft Confëdëration suisse Confederazione Svtzzera Confederaziun svizra Federal Data Protection and InformationCommissioner FDPIC

The Commissioner

POST CH AG CH-3003 Bern EDÖB-A-IE8D3401/3

MLL Meyerlustenberger Lachenal Froriep AG Schiffbaustrasse 2 Postfach 8031 Zürich

Your reference Our reference Case officer: Katja Gysin Bern, 17 March 2023

MittoAG, possible misuse of access to the mobile network, conclusion of preliminary investigation

Dear Sir or Madam

In December 2021, the Federal Data Protection and Information Commissioner (FDPIC) became aware through reports in the media of possible unlawful data processing by an employee of Mitto AG. Allegationswere made that an employee of MittoAG had facilitatedthe unauthorised surveillance of individuals, possibly by third-party companies, via the company network

As part of a preliminary investigation, the FDPIC carried out the following investigative procedures:

Enquiries

1.

MittoAG was first requested on 8 December 2021 to comment generally on the matters in question. The response was sent by MittoAG's legal representative on 7 January 2022 before the extended deadline, stating that MittoAG had no knowledge of any such irregularityand that MittoAG had taken organisational and technical data protection measures to prevent unauthorised processing. This state- ment was accompanied by extensive documentation on the applicable processes and guidelines

In parallel to requesting Mitto AG's statement, the FDPIC had asked the three Swiss mobile phone op- erators to answer a list of questions. The focus was on a possible business connection with MittoAG and the technical assessment of the vulnerability that MittoAG had allegedly exploited. The mobile phone providers confirmed contractual links with Mitto AG, but referred to technical and organisational measures to ensure data security to rule out any effective irregularities using their respective mobile networks,

Feldeggweg 1 3003 Bern Tel. +41 58 463 74 84, Fax +41 58 465 99 96 www.edoeb.admin.ch

EDÖB-A-IE8D3401/3

2.

In a second exchange of correspondence, the FDPIC requested MittoAG on 4 April 2022 to provide it withdocuments showingwhich specific audits had been carried out by MittoAG or its agents in order to establish, as it had claimed, that there had been no irregularities.

MittoAG responded to this request of 1 June 2022 before the extended deadline. Its response referred to MittoAG's ISO certifications and further claimed that an internal audit of the service platform had not shown that the system was compromised in any way. It maintained that no evidence of irregularities had been found and that the people mentioned in the media reports did not have access to code re- positories, and therefore could not have made any unlawful modifications. No modifications or undesir- able activities had been detected in the software either. It stated that an external examination in the course of a security audit of MittoAG's service delivery platform and telecommunicationsystems had also failed to reveal any anomalies

In a letter dated 19 August 2022, the FDPIC requested Mitto AG to provide additional information re- garding possible unauthorised access to the systems. It raised the question of whether one or more persons had used their right of access to Mitto AG's systems to enable unauthorised third parties to access information or gain direct access to the system itself. The FDPIC expected an evaluation of log- ging data to prove that all system accesses were justified

MittoAG commented in detail on this issue in a letter dated 28 October 2022 and provided an investi- gation report on the test steps carried out. The report analysed active directory logs, remote access VPN logs, multifactorauthenticationlogs, application logs and all server logs (includingserver and ser- vice logs connected to mobileoperator and carrier networks) for various time periods,

In addition, all identity access control systems were audited to ensure that access was granted in ac- cordance withthe roles and permissËons.Furthermore, the report provided informationon the software developmentlifecycle,which had been standard since 2015 and, according to MittoAG's assessment, would have prevented or revealed any unauthorised installation of software for the localisation of mo- bile subscribers. The report also contained explanations relating to identity and access management for internal and external users at Mitto AG. Here, too, no abnormalities were found.

4.

In a virtual meeting on 13 December 2022 between representatives of the FDPIC, MittoAG and its le- gal representatives, certain additionalexplanations were provided on the report.

Assessment

Under the Federal Act on Data Protection (FADP, SR 235.1), data processors may only process per- sonal data lawfullyand in compliance with the general principles on processing (Art. 4 FADP). They are required to protect the data against unauthorised processing, for example unauthorised access, by tak- ing appropriate technical and organisational measures. In view of the incidents described, the FDPIC carried out a preliminaryinvestigationto determine whether there had been any failures in this regard. MittoAG compIËedwith the FDPIC's requests in all respects

In the course of its correspondence with the FDPIC, MittoAG provided evidence on how the operation of the system is organised. It also explained which measures it can take to prevent or detect undesired or unauthorised modifications to the software of its systems. The evaluation of the existing logging data allowed conclusions to be drawn about access to the systems

According to MittoAG, neither the examination of the rules for software modifications nor the evalua- tion of the instances of access to the systems revealed any indications that would suggest any irregular use of the systems in the manner alleged

MittoAG has also stated several times that it is not possible for employees to gain access to the locali- sation data of SMS recipientswithout modifyingthe systems or the software. This statement is sub- stantiated by the information given by the mobile phone providers consulted. Mitto AG ruled out any undetected or unauthorised modificationof the software based on the software development cycle in- troduced in 2015.

The FDPIC arranged for the audits that were required and possible using the resources at its disposal. Based on the informationavailable to the FDPIC, there is no evidence that confirms the suspicion that a violation of data protection provisions occurred. Since the allegations of misconduct by Mitto AG are technicallyunspecific allegationsthe FDPIC has exhausted its resources for the time being without substantiating the suspicion of a violation of data protection provisions.

Inview of the foregoing, the FDPIC has decided to conclude the preliminaryinvestigation into MittoAG without making any recommendations.

@3 Yours sincerely l+ 3

Adrian Lobsiger The Commissioner

;%*g