Final Report on Mitto AG of 17 March 2023 (PDF, 307.53 kB, 17 March 2023)
Source admin.ch
Schweizerische Eidgenossenschaft
Confédération suisse
Confederazione Svizzera
Confederaziun svizra

Considerations
Federal Data Protection and Information Commissioner FDPIC
The Commissioner
CH-3003 Bern
POST CH AG
EDÖB-A-IE8D3401/3

MLL Meyerlustenberger Lachenal Froriep AG
Schiffbaustrasse 2
Postfach
8031 Zürich

Your reference
Our reference
Case officer: Katja Gysin

Bern, 17 March 2023

Mitto AG, possible misuse of access to the mobile network, conclusion of preliminary investigation

Dear Sir or Madam

In December 2021, the Federal Data Protection and Information Commissioner (FDPIC) became aware through reports in the media of possible unlawful data processing by an employee of Mitto AG. Allegations were made that an employee of Mitto AG had facilitated the unauthorised surveillance of individuals, possibly by third-party companies, via the company network. As part of a preliminary investigation, the FDPIC carried out the following investigative procedures:

Enquiries

1.
Mitto AG was first requested on 8 December 2021 to comment generally on the matters in question. The response was sent by Mitto AG's legal representative on 7 January 2022, before the extended deadline, stating that Mitto AG had no knowledge of any such irregularity and that Mitto AG had taken organisational and technical data protection measures to prevent unauthorised processing. This statement was accompanied by extensive documentation on the applicable processes and guidelines.

In parallel to requesting Mitto AG's statement, the FDPIC had asked the three Swiss mobile phone operators to answer a list of questions. The focus was on a possible business connection with Mitto AG and the technical assessment of the vulnerability that Mitto AG had allegedly exploited. The mobile phone providers confirmed contractual links with Mitto AG, but referred to technical and organisational measures to ensure data security to rule out any effective irregularities using their respective mobile networks.

Feldeggweg 1, 3003 Bern, Tel. +41 58 463 74 84, Fax +41 58 465 99 96, www.edoeb.admin.ch, EDÖB-A-IE8D3401/3 (page 1 of 3)

2.
In a second exchange of correspondence, the FDPIC requested Mitto AG on 4 April 2022 to provide it with documents showing which specific audits had been carried out by Mitto AG or its agents in order to establish, as it had claimed, that there had been no irregularities. Mitto AG responded to this request on 1 June 2022, before the extended deadline. Its response referred to Mitto AG's ISO certifications and further claimed that an internal audit of the service platform had not shown that the system was compromised in any way. It maintained that no evidence of irregularities had been found and that the people mentioned in the media reports did not have access to code repositories, and therefore could not have made any unlawful modifications. No modifications or undesirable activities had been detected in the software either. It stated that an external examination in the course of a security audit of Mitto AG's service delivery platform and telecommunication systems had also failed to reveal any anomalies.

3.
In a letter dated 19 August 2022, the FDPIC requested Mitto AG to provide additional information regarding possible unauthorised access to the systems. It raised the question of whether one or more persons had used their right of access to Mitto AG's systems to enable unauthorised third parties to access information or gain direct access to the system itself. The FDPIC expected an evaluation of logging data to prove that all system accesses were justified. Mitto AG commented in detail on this issue in a letter dated 28 October 2022 and provided an investigation report on the test steps carried out.

The report analysed Active Directory logs, remote access VPN logs, multi-factor authentication logs, application logs and all server logs (including server and service logs connected to mobile operator and carrier networks) for various time periods. In addition, all identity access control systems were audited to ensure that access was granted in accordance with the roles and permissions. Furthermore, the report provided information on the software development lifecycle, which had been standard since 2015 and, according to Mitto AG's assessment, would have prevented or revealed any unauthorised installation of software for the localisation of mobile subscribers. The report also contained explanations relating to identity and access management for internal and external users at Mitto AG. Here, too, no abnormalities were found.
4.
In a virtual meeting on 13 December 2022 between representatives of the FDPIC, Mitto AG and its legal representatives, certain additional explanations were provided on the report.
Assessment

Under the Federal Act on Data Protection (FADP, SR 235.1), data processors may only process personal data lawfully and in compliance with the general principles on processing (Art. 4 FADP). They are required to protect the data against unauthorised processing, for example unauthorised access, by taking appropriate technical and organisational measures. In view of the incidents described, the FDPIC carried out a preliminary investigation to determine whether there had been any failures in this regard. Mitto AG complied with the FDPIC's requests in all respects.

In the course of its correspondence with the FDPIC, Mitto AG provided evidence on how the operation of the system is organised. It also explained which measures it can take to prevent or detect undesired or unauthorised modifications to the software of its systems. The evaluation of the existing logging data allowed conclusions to be drawn about access to the systems. According to Mitto AG, neither the examination of the rules for software modifications nor the evaluation of the instances of access to the systems revealed any indications that would suggest any irregular use of the systems in the manner alleged.

Mitto AG has also stated several times that it is not possible for employees to gain access to the localisation data of SMS recipients without modifying the systems or the software. This statement is substantiated by the information given by the mobile phone providers consulted. Mitto AG ruled out any undetected or unauthorised modification of the software based on the software development cycle introduced in 2015.

The FDPIC arranged for the audits that were required and possible using the resources at its disposal. Based on the information available to the FDPIC, there is no evidence that confirms the suspicion that a violation of data protection provisions occurred.

Since the allegations of misconduct by Mitto AG are technically unspecific, the FDPIC has exhausted its resources for the time being without substantiating the suspicion of a violation of data protection provisions. In view of the foregoing, the FDPIC has decided to conclude the preliminary investigation into Mitto AG without making any recommendations.

Yours sincerely

Adrian Lobsiger
The Commissioner