“I view the advance notice that we’ve received from the Data Protection Authority very seriously. Our information security at the time of the cyberattack in 2020 wasn’t good enough. Unfortunately, this meant that we weren’t able to prevent personal data from 13 email accounts from going astray. It’s therefore natural for us to expect a reaction from the Data Protection Authority,” said Marianne Andreassen.

“At the same time, it’s important that the Storting’s administration exercises its right to provide the Data Protection Authority with additional information so that it has the best possible basis for making a decision,” she continued.

Notified the Data Protection Authority

The Storting was the target of a concerted cyberattack in late August 2020, during which threat actors succeeded in retrieving data from a limited number of email accounts.

At this time, the Storting’s administration notified the Data Protection Authority that certain personal data had gone astray.

The Storting’s administration has now received a letter giving notice that the Data Protection Authority is considering the imposition of a two million kroner fine. The primary reason given is that the Storting had not implemented two-factor email authentication at the time of the attack in 2020.

The Storting’s administration has been given a deadline of 14th February 2022 to respond to the warning.

Lessons learned

In a comment, Ms Andreassen said that the cyberattack has taught the Storting’s administration several important lessons.

“At the time of the cyberattack, we were in the process of following up a comprehensive IT risk and vulnerability assessment carried out between the autumn of 2019 and April 2020. But at that time our password requirements were not rigorous enough, and some of our email solutions were still not protected by two-factor authentication,” said Ms Andreassen.

“We have worked systematically to follow up the recommendations and lessons learned after the cyberattacks. We have implemented major improvements in our IT security. These include technical and organizational procedures as well as measures directed at individual users,” she continued.

“In a changing and increasingly demanding threat picture, we must work continuously on measures to counter new threats,” she added.

“The Data Protection Authority plays a vital role in our society, so it’s positive that they are following up the Storting’s administration in this field,” the Secretary General concluded.