Very interesting case involving sensitive personal data that
- was shared via unencrypted email (which was pointed out to the university, but was not reported as an incident)
- stored on box.com, protected only by username/password, despite the fact that the University’s risk assessment didn’t support this – and in violation to internal published policies
(I hope I read the documents correctly..)
Press release:
https://www.datainspektionen.se/nyheter/universitet-brast-i-skyddet-av-kansliga-personuppgifter/