FDPIC concludes preliminary investigation into Mitto AG
Bern, 20.03.2023 - In December 2021, international media coverage drew the FDPIC’s attention to allegations of unlawful data processing by an employee of the Zug-based company Mitto AG. A preliminary investigation found no evidence of a breach of data protection regulations. The FDPIC has concluded his preliminary investigation with a final report, without issuing any recommendations.
In December 2021, following media coverage, the Federal Data Protection and Information Commissioner was alerted by an article published by the Bureau of Investigative Journalism and Bloomberg News to allegations of unlawful data processing by an employee of the Zug-based company Mitto AG. The article alleged that the employee in question had abused the access granted by mobile phone operators to their networks for the purpose of sending text messages to obtain information for other purposes. In particular, the employee allegedly used access to the signalling system (SS7) to enable the unauthorised surveillance of individuals in return for payment.
The FDPIC demanded detailed information from Mitto AG in several stages on the technical and organisational safeguards in place at the company. Mitto AG complied with all of the FDPIC’s requests and conducted its own external investigations, the results of which were shared with the FDPIC.
Mitto AG produced documentation on the organisational framework of its operations and described the measures in place to prevent and detect unauthorised changes to the software. According to Mitto AG, the logging data showed no evidence to suggest that the systems had been abused in the manner alleged.
According to Mitto AG, and confirmed by mobile operators in Switzerland, who were also invited to comment, it is impossible for Mitto AG employees to access the location data of SMS recipients without modifying the systems or software.
The FDPIC has carried out all the necessary inspections that were possible with the resources available to him but no evidence has come to light confirming that a breach of data protection regulations has taken place.
In view of the foregoing, the FDPIC has decided to conclude the preliminary investigation into Mitto AG without making any recommendations.
Address for enquiries
Federal Data Protection and Information Commissioner (FDPIC), Tel. +41 58 464 94 10, info@edoeb.admin.ch
Publisher
Federal Data Protection and Information Commissioner
https://www.edoeb.admin.ch/edoeb/en/home.html