- Incident Number: i20140625.1
- Status: execution
Incident Manager: BenediktHeintel
- Date of incident opened: 2014-06-27
- Date of incident closed: 201Y-MM-DD
Incident title: Data Privacy breach & potential abuse of power
- 2014-06-27: Incident i20140625 added, documentation to be done
2014-07-05: Incident documentation private part
- 2014-07-10: Updated incident documentation
- 2014-07-12: Added Corrective and Preventive Actions
- 2014-07-12: Board informed about incident and asked for approval (until 2014-07-20) and execution (until 2014-08-09)
2014-07-13: Arbitration opened the case a20140712.1
- 2014-07-13: Board approved the Incident and the proposed preventive actions
- 2014-07-15: Corrected the Incident Description and updated the Root Cause
2014-11-30: Finding #4 was validated by Arbitration in a20140624.1
1. Incident Response Team
- Internal Auditor
iCM of arbitration case a20140624.1
2. Incident Description
The initial Case Manager of arbitration case a20140624.1 consulted the internal auditor based on that case by e-mail. Since the e-mail compromises several sites of e-mail conversation between a community member and a support person, only the summary is cited here; the full anonymised text provided to Audit is documented in Arbitration Case (access for Arbitration and Audit only). The affected person are unknown to the internal Auditor.
- some action of the Support member to get the member to reveal more details about his person, including the demand to hand him over what is written in his official documents - without any authority given by arbitration - the support member giving warnings to members - without any authority given by an arbitration case - the support member requiring from the member to not use his account, until further notice and especially not getting assurances or issuing certificates - the support member refusing to delete the account of a member as requested because he favours another solution - a privacy breach when forwarding all name details of a member and all assurance details of multiple assurances to an arbitrator who did not have an arbitration case in this direction running
The summary (proven by the e-mail itself) contains a data privacy breach and potentially abuse of power.
3. Containment Actions
No action was done to contain the incident, there is no current danger of expansion in this case.
4. Root Causes
- The community member requests to delete one of his CAcert accounts.
- The supporter asks for the e-mail addresses of the other accounts.
Finding 1: To execute the delete this information is not required and should not be requested ("need to know").
- The member provides the second e-mail address and requests to delete the first account.
- The supporter looks up the second account and proposes to delete this.
- The member again asks to delete the first account.
- The supporter contacts and blames two assurers for unlawful behaviour, who assured the member twice on each account.
Finding 4: There is no rule in CAcert, that one assurer cannot assure an assuree several times. Since the supporter does not give any information on what basis he judges, an abuse of power is presumed.
- The supporter forwards two e-mail of the member and one email written by himself from former conversation with the member without anonymisation to an arbitrator. The emails contained names, e-mail addresses, dates and locations of several assurances.
- A second supporter filed a dispute.
To sum it up, the supporter
abused his power as supporter to request additional information and provide false information (to be verified by arbitration case a20140624.1).
5. Permanent Corrective Actions
Dispute a20140712.1 was requested:
6. Verify Corrective Actions
7. Preventive Actions
The internal Auditor recommends the following preventive actions:
- Train the Support team in data protection
- Oblige core team members (auditable) on data privacy
- Add a data privacy test to CATS with privacy related questions and make the repetition of the test mandatory after two years for all core team members
Board decided to install following preventive actions:
8. Approval & Closure
2014-07-13 in m20140713.1