Datatilsynet, Norway’s data protection authority, has ordered the Norwegian Sports Confederation to pay NOK1.25m ($151,000, €124,000) after personal information about 3.2m Norwegians was available online for 87 days.
The data exposure arose from an error made while the organisation was testing the transfer of its database from a physical server to a cloud environment.
The country’s National Cyber Security Centre subsequently notified the confederation that personal information was available at a public IP address. The organisation filed a non-conformance report with the DPA in December 2019.
The data exposed was name, gender, date of birth, address, telephone number, e-mail address and club affiliation. Of the 3.2m people affected, 486,447 were children aged between three and 17. The authority said it has no information that unauthorised people exploited the error.
After investigating, Datatilsynet took the view that testing with personal data had started without sufficient risk assessments or processes to secure the information.
The authority also considers it was unnecessary to test with a high volume of such data and the system’s trials could have been conducted in less invasive ways.
It concluded the principles of legality, data minimisation and confidentiality were breached.
“It is very important to test thoroughly before a new solution is put into production,” said DPA director Bjorn Erik Thon. “Testing can, for example, reveal errors or security holes in the solution.
“Therefore, there is a great risk associated with testing, especially if you use people’s personal information in the test. Our clear recommendation is to use fictitious data, so-called Donald Duck data, as this significantly reduces the risk.”
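The recommendation above is to run tests against fictitious records rather than a copy of the member register. The following is an added example (not code from the article, Datatilsynet or the confederation) showing what that looks like in practice: it generates a deterministic synthetic dataset with the same seven fields the article lists as exposed, uses only non-routable telephone prefixes and a reserved e-mail domain, and checks the fixtures against hashed identifiers exported from production so that no real person's record can slip into the test environment. All names, clubs, addresses and the production sample are constructed.

```python
"""Fictitious ("Donald Duck") test data with the same schema as the exposed
records, plus a check that no fixture coincides with a real person.
Added example, not from the article; every value below is constructed."""
import hashlib
import random
from dataclasses import dataclass
from datetime import date, timedelta

# Same fields the article says were exposed; constructed vocabularies only.
FIRST_NAMES = ["Donald", "Daisy", "Huey", "Dewey", "Louie", "Scrooge"]
LAST_NAMES = ["Duck", "McDuck", "Gander", "Gearloose"]
STREETS = ["Quack Street", "Pond Road", "Money Bin Way"]
CLUBS = ["Duckburg IL", "Calisota SK", "Mouseton FK"]  # hypothetical clubs


@dataclass(frozen=True)
class Record:
    name: str
    gender: str
    date_of_birth: date
    address: str
    telephone: str
    email: str
    club: str


def make_record(rng: random.Random) -> Record:
    first = rng.choice(FIRST_NAMES)
    last = rng.choice(LAST_NAMES)
    # Birth dates spread over 1940-2017 so the adult/child split matters to
    # the application under test without using any real child's data.
    dob = date(1940, 1, 1) + timedelta(days=rng.randrange(0, 365 * 78))
    return Record(
        name=f"{first} {last}",
        gender=rng.choice(["F", "M"]),
        date_of_birth=dob,
        address=f"{rng.randrange(1, 200)} {rng.choice(STREETS)}, Duckburg",
        # "000" prefix: clearly fictitious, never routes to a subscriber.
        telephone=f"+47 000 {rng.randrange(10_000, 99_999):05d}",
        # .invalid is a reserved TLD (RFC 2606); mail to it is undeliverable.
        email=f"{first}.{last}.{rng.randrange(1, 10_000)}@example.invalid".lower(),
        club=rng.choice(CLUBS),
    )


def generate(count: int, seed: int = 0) -> list[Record]:
    """Deterministic fixtures: same seed gives the same dataset, so tests are
    reproducible and a production extract is never needed."""
    rng = random.Random(seed)
    return [make_record(rng) for _ in range(count)]


def fingerprint(name: str, dob_iso: str) -> str:
    """Hash of the identifying fields. Production exports only these hashes,
    so raw names never have to cross into the test environment."""
    return hashlib.sha256(f"{name.lower()}|{dob_iso}".encode()).hexdigest()


def overlap_with_production(records: list[Record], production_fingerprints: set[str]) -> list[Record]:
    """Fixtures that collide with a real person's name and birth date
    (the expected result is an empty list)."""
    return [
        r for r in records
        if fingerprint(r.name, r.date_of_birth.isoformat()) in production_fingerprints
    ]


def minors(records: list[Record], today_iso: str) -> int:
    """Count fixtures under 18, the population the article singles out."""
    today = date.fromisoformat(today_iso)
    return sum(1 for r in records if (today - r.date_of_birth).days < 18 * 365.25)


if __name__ == "__main__":
    fixtures = generate(1000)
    # Constructed stand-in for the hash list exported from production.
    prod_hashes = {fingerprint("Kari Nordmann", "1985-06-01")}
    print(len(fixtures), "fixtures,", len(overlap_with_production(fixtures, prod_hashes)), "collisions")
```

The overlap check is the part worth keeping even when a team uses an off-the-shelf data generator: it turns "we only use fictitious data" from a policy statement into a gate that fails the test run if a real record is ever mixed in, and because production exports hashes rather than names the check itself does not move personal data into the test environment.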
Datatilsynet originally proposed an infringement fee of NOK2.5m but, based on information received about the nature of the confederation’s organisation and finances, decided to halve it to NOK1.25m.