Leak of personal data from ZUS. Now fend for yourself (update)
The Polish administration has a serious problem with the protection of personal data. We know this “thanks” to an incident in a private company.
It is common practice in companies to give a group of employees access to the ZUS PUE portal. This makes it much easier to handle contribution settlements, and there is usually nothing wrong with it. The problem starts when those access rights remain active after the employment contract ends. An outside person then has access to the personal data of the company's employees, and often of their families as well.
Even if such an oversight occurred, the consequences can be minimized. Companies have appropriate tools for this, such as data access logs (who logged in when and what data they viewed). This type of information allows you to determine whether a data leak has occurred and what procedures should be run next.
Except that ZUS is not a company.
ZUS PUE. Months of waiting for no information
We know this thanks to the story described in Niebezpiecznik. The company detected an employee data protection incident. A person who no longer worked there had access to ZUS PUE, and therefore to the data of other employees, for over half a year. The incident was detected on August 25, 2023, and on September 15, the company notified the Personal Data Protection Office.
At the same time, it asked ZUS to determine whether access to PUE enabled viewing or downloading personal data of other employees and whether this occurred.
The response from ZUS was surprising. Firstly, the company waited for it until December 2023. Secondly, there is no way to answer the questions asked. Information about what data is displayed by a person logged in to ZUS PUE is simply not saved.
The company received a list of the former employee's logins during the period in which it suspected employee data might have leaked. Is a login evidence of a data leak? Not at all. ZUS PUE does not distinguish logging in on a private matter from performing actions under an employer's authorization. There is no such thing as an “employee account”.
At this point, it does not matter that the incident occurred at BNP Paribas GSC SA, which belongs to the same group as the well-known bank. It could have been any other company that made a similar oversight. There are probably many companies in Poland that “forgot” to revoke a former employee's ability to log in to ZUS PUE after the contract ended.
The most important thing is that we now know how poorly ZUS protects our personal data. Bear in mind that this platform holds the data of millions of insured persons and their families, entered by employers: addresses and sick-leave history, among other things. There is no detailed event log, and there definitely should be one.
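The difference between the log ZUS could provide and the log the company needed is worth making concrete. The following is an added illustration written for this article, not ZUS code and not based on how PUE is actually implemented. It models a portal audit log in two variants: one that records only authentication events (the situation described above), and one that also records which record was viewed or downloaded and in which context (the user's own insured account versus acting under an employer's authorization). All user and record identifiers, the employer id "E1" and the contract end date are constructed for the example.

```python
"""Incident scoping against two audit-log designs (added example, hypothetical data)."""
from dataclasses import dataclass, replace
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    actor: str              # who logged in (hypothetical user id)
    context: str            # "private" = own insured account; "employer:<id>" = acting under authorization
    action: str             # "login", "view" or "download"
    subject: Optional[str]  # whose record was touched; None for pure login events


# Constructed sample log. The contract of user "u-former" ended on CONTRACT_END (hypothetical).
CONTRACT_END = datetime(2023, 2, 1)
EVENTS: List[AccessEvent] = [
    AccessEvent(datetime(2023, 1, 20, 9, 0), "u-former", "employer:E1", "login", None),
    AccessEvent(datetime(2023, 1, 20, 9, 5), "u-former", "employer:E1", "view", "emp-017"),
    AccessEvent(datetime(2023, 3, 3, 18, 30), "u-former", "private", "login", None),
    AccessEvent(datetime(2023, 3, 3, 18, 31), "u-former", "private", "view", "u-former"),
    AccessEvent(datetime(2023, 5, 12, 8, 10), "u-former", "employer:E1", "login", None),
    AccessEvent(datetime(2023, 5, 12, 8, 12), "u-former", "employer:E1", "view", "emp-042"),
    AccessEvent(datetime(2023, 5, 12, 8, 15), "u-former", "employer:E1", "download", "emp-042"),
    AccessEvent(datetime(2023, 5, 12, 8, 20), "u-former", "employer:E1", "view", "emp-103"),
    AccessEvent(datetime(2023, 6, 1, 10, 0), "u-other", "employer:E1", "view", "emp-200"),
]


def strip_to_login_log(events: List[AccessEvent], keep_context: bool) -> List[AccessEvent]:
    """Model a portal that stores only authentication events.

    With keep_context=False the log also cannot tell a private login from one made
    under an employer's authorization, which is the gap the article describes.
    """
    logins = [e for e in events if e.action == "login"]
    if keep_context:
        return logins
    return [replace(e, context="unknown") for e in logins]


def scope_incident(events: List[AccessEvent], actor: str, cutoff: datetime, employer: str) -> Dict[str, object]:
    """Scope what a former employee may have seen after the contract end date.

    Only events in the employer's authorization context count as potential exposure
    of other employees' data; private-account activity is the person's own data.
    """
    after = [e for e in events if e.actor == actor and e.ts >= cutoff]
    employer_ctx = f"employer:{employer}"
    in_scope = [e for e in after if e.context == employer_ctx]
    return {
        "logins_total": sum(1 for e in after if e.action == "login"),
        "logins_as_employer": sum(1 for e in in_scope if e.action == "login"),
        "subjects_viewed": sorted({e.subject for e in in_scope
                                   if e.action in ("view", "download") and e.subject}),
        "subjects_downloaded": sorted({e.subject for e in in_scope
                                       if e.action == "download" and e.subject}),
    }


def demo():
    """Run the same question against the rich log and the login-only log."""
    full = scope_incident(EVENTS, "u-former", CONTRACT_END, "E1")
    thin = scope_incident(strip_to_login_log(EVENTS, keep_context=False),
                          "u-former", CONTRACT_END, "E1")
    return full, thin


if __name__ == "__main__":
    rich, login_only = demo()
    print("data-access log :", rich)
    print("login-only log  :", login_only)
```

With the full log the employer learns that two post-termination logins occurred, that one of them was made under its authorization, and exactly which two records were viewed and which one was downloaded; the private login and the person's own record are excluded. Reduced to a login-only log without context, the same query yields "two logins" and nothing else, which is precisely why a list of logins cannot confirm or rule out a leak.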
Finally, it is worth adding that the company investigated the incident, assessed the risk, introduced appropriate security procedures for the future and notified employees of the risk. Fortunately, no further incidents were detected that could suggest a data leak.
Update:
The Social Insurance Institution sent the following comment to the TELEPOLIS.PL editorial office:
In accordance with applicable regulations, the right to log in to PUE-ZUS for an employee is granted by the employer. The employer may also withdraw the power of attorney from a former employee by completing a special form. ZUS does not verify the employee’s dismissal data. It is worth emphasizing that ZUS is able to determine whether a person logs in to the insured person’s account (which may be treated as access for private purposes) and when logging in takes place on the profile of the employer for which he/she has a power of attorney (access for business purposes). However, the burden is on the employer to revoke the power of attorney and inform ZUS about it. If the employer fails to fulfill this obligation, there cannot be a leak of data from ZUS. In such a case, the possibility of unauthorized access to data is the sole result of the employer’s conduct. The Social Insurance Institution will work with entrepreneurs to improve the PUE-ZUS administration process.