The Rousseau platform fueling the populist 5-Star Movement in Italy was fined by the Italian data protection authority, the first GDPR fine that authority has issued. The privacy regulator opened its probe after receiving a complaint against the platform. Before the investigation began, the platform had already suffered several cyber attacks and web server malfunctions.
Overall, the fine was levied for the lack of robust security controls, including weak cryptographic controls and the absence of audit logging for database transactions.
“Rousseau is the operating system of the 5 Star Movement.
Its objectives are the management of the various elective components (Italian and European parliaments, regional and municipal councils) and the participation of members in the life of the 5-Star Movement. On Rousseau it is possible to propose a law, to vote for the choice of electoral lists or to define the political positions of the 5-Star Movement with respect to specific topics.”
Given how the site describes itself, it clearly needs robust security measures and must be resistant to cyber and malware attacks.
Here are the reasons cited for the fine, condensed from the regulator's own description, which can be found here.
- The CMS (Content Management System) used by the platform was outdated and could no longer receive updates. The CMS was Movable Type 4, which reached its end of life in 2013. In other words, this site was sitting on the web ready to be hacked.
- Unsalted password hashes and weak passwords are a few of the many authentication-related weaknesses that plagued the platform. These issues were fixed within the deadline given by the regulator.
- The platform had weaknesses in the audit logging of administrative access, among others, and its logs lacked adequate tamper protection.
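As an added illustration (not code from the article, the regulator or the Rousseau platform), the following Python shows the two weaknesses named in the list above. The first part contrasts an unsalted SHA-256 password hash, under which every user who chose the same password ends up with the same stored value, with a salted, iterated PBKDF2 hash. The second part implements a small tamper-evident audit log for administrative access in which each entry's HMAC covers the previous entry's tag, so that editing, deleting or truncating records is detected on verification. The user names, passwords, log entries and HMAC key are constructed sample values.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional

# ---------------------------------------------------------------------------
# 1. Password storage: unsalted hash (the weakness) vs salted, iterated KDF.
# ---------------------------------------------------------------------------

def unsalted_hash(password: str) -> str:
    """The weak scheme: bare SHA-256 of the password, no salt, no work factor.
    Two users with the same password get the same stored value, so one
    precomputed table can be checked against the whole user table at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Hardened scheme: PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt
    and a work factor. Stored form: 'pbkdf2$<iterations>$<salt hex>$<digest hex>'."""
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_password_users(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Group users whose stored hashes are identical. Identical stored values are
    exactly what unsalted hashing leaks; with per-user salts the groups disappear."""
    groups: Dict[str, List[str]] = {}
    for user, stored in records.items():
        groups.setdefault(stored, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


# ---------------------------------------------------------------------------
# 2. Tamper-evident audit log for administrative access (HMAC hash chain).
# ---------------------------------------------------------------------------

GENESIS = "0" * 64  # tag assumed for the (non-existent) entry before the first one


class AuditLog:
    """Append-only log in which each entry's tag is an HMAC over the entry's own
    fields plus the previous entry's tag. Editing or removing an entry breaks every
    tag after it; keeping the HMAC key away from CMS administrators prevents the
    chain from simply being recomputed after a change."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[dict] = []

    def _tag(self, fields: dict, prev_tag: str) -> str:
        payload = json.dumps(fields, sort_keys=True).encode() + prev_tag.encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, actor: str, action: str, target: str) -> str:
        prev_tag = self.entries[-1]["tag"] if self.entries else GENESIS
        fields = {"seq": len(self.entries), "actor": actor, "action": action, "target": target}
        entry = dict(fields, tag=self._tag(fields, prev_tag))
        self.entries.append(entry)
        return entry["tag"]

    def head(self) -> str:
        """Tag of the latest entry; store it out of band to detect truncation."""
        return self.entries[-1]["tag"] if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Optional[int]:
        """Return None if the chain is intact, otherwise the index of the first bad entry.
        With expected_head given, a chain that verifies but ends on a different tag
        (entries deleted from the end) fails with index == len(entries)."""
        prev_tag = GENESIS
        for i, entry in enumerate(self.entries):
            fields = {k: v for k, v in entry.items() if k != "tag"}
            if fields.get("seq") != i or not hmac.compare_digest(self._tag(fields, prev_tag), entry["tag"]):
                return i
            prev_tag = entry["tag"]
        if expected_head is not None and not hmac.compare_digest(prev_tag, expected_head):
            return len(self.entries)
        return None


if __name__ == "__main__":
    # Constructed sample accounts: two of them chose the same weak password.
    passwords = {"alice": "Password1", "bob": "Password1", "carol": "correct horse battery"}
    unsalted = {u: unsalted_hash(p) for u, p in passwords.items()}
    salted = {u: salted_hash(p) for u, p in passwords.items()}
    print("shared-hash groups, unsalted:", duplicate_password_users(unsalted))
    print("shared-hash groups, salted:  ", duplicate_password_users(salted))

    log = AuditLog(key=secrets.token_bytes(32))  # constructed key
    log.append("admin", "login", "cms")
    log.append("admin", "edit", "candidate-list")
    head = log.head()
    print("intact:", log.verify(head))
    log.entries[1]["action"] = "view"  # simulate an after-the-fact edit
    print("after edit, first bad index:", log.verify(head))
```

The `duplicate_password_users` check is the kind of query an auditor can run against a password table without knowing any password: a table of unsalted hashes with many identical values betrays both the missing salt and the weak, shared passwords in one pass. For the log, the verification key and the latest head tag must live outside the system being audited, otherwise whoever can edit the log can also rebuild the chain.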
Apart from the above-mentioned issues, the platform had several other problems such as failure to comply with the best practices for e-voting systems.
Incidents like these demonstrate that consent management and DSAR request management alone aren't sufficient. More emphasis has to be placed on how personal data is processed and on managing information security. The 5-Star Movement case stands as an example of the flaws in information security management and of how it must be approached.