When the Eindhoven municipality introduced a new sports pass for its citizens, it made mistakes. Privacy checks were skipped and warnings ignored. This came to light after an investigation commissioned by said municipality.
The new sports pass was introduced for regular visitors of the municipal swimming pools before a privacy test had been carried out. The sports pass was intended to replace the city pass, which had been discontinued precisely because the privacy of Eindhoven citizens could not be guaranteed.
Risks
The municipality failed to ask the advice of the internal commissioner for data protection when it introduced the pass. Without the commissioner’s assessment, there is a danger that critical privacy issues remain under the radar instead of being addressed. According to the external investigators, “the oversight may lead to violation of privacy regulations, data leaks and reputation damage”. The verdict is that the risks were not assessed properly and the commissioner’s warnings were ignored.
Hack
The municipality commissioned the investigation when an ethical hacker pointed out the problems last year, for instance concerning the QR code. When the hacker contacted the municipality, the digital ticket barriers of the Ottenbad and Tongelreep pools were closed immediately. The hack and the data leak were reported to the privacy watchdog authority.
Source: Studio040
Translated by Greta