Avast Fined $14.8 Million for Breaking Data Protection Rules

Regulator: Czech Republic’s Office for Personal Data Protection (ÚOOÚ)
Fined Company: Avast
Fine: $14.8 million
Data Involved: Sensitive personal data, including browsing habits, interests, location, and financial status

Additional Information:

  • The fine was imposed by the Czech Republic’s Office for Personal Data Protection (ÚOOÚ) on Avast for alleged violations of the European Union’s General Data Protection Regulation (GDPR).
  • An investigation revealed that Avast processed sensitive personal data without user consent and sold it to third parties for analytics purposes through its subsidiary, Jumpshot.
  • The extensive data set covered over 100 million users and could reveal private details of individuals.
  • The ÚOOÚ concluded that Avast’s anonymization techniques failed to guarantee full user privacy, contradicting the core principles of GDPR.
  • The fine serves as a reminder that even industry leaders like Avast will face consequences for failing to prioritize user privacy.
  • Avast settled similar allegations with the U.S. Federal Trade Commission in February 2024, agreeing to pay $16.5 million.
  • Avast expressed disagreement with the conclusions drawn by the ÚOOÚ and is considering further legal action while pledging to improve its privacy practices.
  • This case highlights the importance of companies prioritizing user consent and data protection to avoid significant financial and reputational risks.

Czech cybersecurity software leader Avast has been hit with a hefty $14.8 million fine by the Czech Republic’s Office for Personal Data Protection (ÚOOÚ) for alleged violations of the European Union’s General Data Protection Regulation (GDPR).

The decision stems from an investigation into how Avast and its subsidiary, Jumpshot, handled data collected from Avast’s antivirus software and browser extensions. The ÚOOÚ determined that in 2019, Avast processed sensitive personal data without user consent and funneled it to Jumpshot, where it was sold to third parties for analytics purposes. This extensive data set, affecting over 100 million users, could potentially reveal private details such as browsing habits, interests, location, and financial status.

At the core of the issue is Avast’s claim that it employed reliable anonymization techniques. The ÚOOÚ concluded that, in practice, this approach failed to guarantee full user privacy, as some data could still be linked back to individuals. This contradicts the core principles of the GDPR, which requires clear user consent and robust data protection measures.

The ÚOOÚ emphasized that as a cybersecurity company promoting data protection tools, Avast should uphold the highest privacy standards. This fine sends a strong message that even industry leaders will face consequences for failing to rigorously prioritize user privacy.

This isn’t the first time Avast’s data collection practices have drawn fire. In February 2024, the company settled similar allegations with the U.S. Federal Trade Commission, agreeing to pay $16.5 million. These back-to-back incidents underscore the growing global focus on corporate data ethics.

In a statement, Avast expressed disagreement with the conclusions drawn by the ÚOOÚ, indicating that it’s considering further legal action. The company also underscored its commitment to data protection and pledged to improve its privacy practices.

The Avast case highlights the increasingly stringent enforcement of data privacy regulations. Companies, particularly those with a large digital footprint, must make user consent and data protection central to their operations. Failure to do so carries significant financial and reputational risks.

Original Source: https://securityonline.info/avast-faces-14-8-million-penalty-for-data-protection-violations/