Authorities to probe a possible data breach

12.12.2012, 12:36

The Estonian Data Protection Inspectorate has launched an enquiry into whether privately owned electricity trader 220 Energia OÜ may have breached data protection requirements, since its system gave access to the customer database of Elering in a way that enabled users to browse the personal data of other consumers.

The Elering database at andmeladu.elering.ee has data on all electricity sale and transmission contracts signed in Estonia.

Riho Lodi, IT head of Elering, said that the authentication system used by 220 Energia had only one identifier, the personal ID code. Users were able to fill in all other data fields with random keystrokes. By entering an ID code, users got access to that person’s power consumption and measurement data. Since personal ID codes are not sensitive data, they are available in public databases.

“As soon as we had received information, we closed data exchange with 220 Energia and opened it only when the loophole was closed,” said Lodi.

Marko Allikson, board member of 220 Energia, said that the company used only one identifier deliberately.

“This enabled persons to sign an electricity purchase contract on behalf of their grandparents, for instance,” said Allikson, but admitted that the system was abused by some users.