220 Energia O Data Breach (2012)

Estonian Data Protection Inspectorate has launched an enquiry into whether privately owned electricity trader 220 Energia OÜ may have breached data protection requirements since its system gave access to the customer database of Elering in a way that enabled to browse personal data of other consumers. The Elering database at andmeladu.elering.ee has data on all electricity sale and transmission contracts signed in Estonia Riho Lodi, IT head of Elering, said that the authentication system used by 220 Energia had only one identifier, the personal ID code. Users were able to fill in all other data fields with random keystrokes. By entering an ID code, users got access to this person’s power consumption and measurement data. Since personal ID codes are not sensitive data, they are available in the public databases.