Faroese data protection authority issues severe warning over cybersecurity failures

The Faroese Data Protection Agency has issued a formal warning to Klaksvík Municipality for serious security negligence after hackers accessed the municipality’s IT systems in 2024, Kringvarp Føroya reports.

The agency confirmed that no risk assessment had been conducted prior to the breach, a violation it deemed severe enough to conclude that the municipality’s data security was inadequate. Authorities stated that had Klaksvík performed a proper risk assessment and implemented a robust IT security policy, it could have identified and addressed vulnerabilities that allowed the hackers to infiltrate its systems.

The breach occurred between 8 and 28 September 2024, when unauthorised parties gained access to the municipality’s systems. Klaksvík reported the incident to the Data Protection Agency in November 2024, acknowledging that hackers had compromised its IT infrastructure.

The agency has now ordered the municipality to conduct a full risk assessment and determine whether its current IT security measures are sufficient or if further improvements are required.