A few days after imposing a €400,000 fine on Uber, the CNIL has now fined Bouygues Telecom €250,000 for “failure to ensure the security of customer data”.
CNIL: Contracts and invoices accessible without control
In March, following a complaint filed by the cybersecurity news outlet Zataz, an investigation by the data protection authority revealed that, for two years, several hundred thousand contracts and invoices belonging to two million B&You customers were accessible simply by modifying the URL.
According to the CNIL (the French data protection authority), the company will not notify its customers, maintaining that the security incident was closed several months ago and that it responded promptly once informed.
The CNIL determined that the security breach stemmed from the failure to reactivate the customer authentication function on the website after a testing phase. This function had been deactivated solely for the purposes of these tests.
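The failure the CNIL describes is a known anti-pattern: a customer authentication check gated on a toggle that is switched off for a test phase and never switched back on, so that anyone who changes the identifier in the URL gets another customer's document. The following is an added illustration, not Bouygues Telecom's code or anything from the CNIL decision; the request model, invoice data and configuration names are constructed for the example.

```python
# Added example: a toggle-gated authentication check (the pattern the CNIL
# describes) beside a fail-closed design. All names and data are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data: invoice id -> (owning customer id, contents).
INVOICES = {
    1001: ("cust-A", "invoice 1001 for cust-A"),
    1002: ("cust-B", "invoice 1002 for cust-B"),
}

@dataclass
class Request:
    session_customer: Optional[str]  # customer id from a valid session, or None
    invoice_id: int                  # taken from the URL, user-controlled

def vulnerable_invoice_view(req: Request, auth_enabled: bool) -> Tuple[int, Optional[str]]:
    """Authentication hangs on a runtime toggle. If the toggle is left False
    after testing, every URL carrying a valid invoice id returns the document.
    Even with the toggle on, ownership is never checked (URL walking works)."""
    if auth_enabled and req.session_customer is None:
        return 401, None
    owner, body = INVOICES.get(req.invoice_id, (None, None))
    if body is None:
        return 404, None
    return 200, body  # missing: owner == req.session_customer

class UnsafeConfiguration(Exception):
    """Raised at startup when an authentication bypass would reach production."""

def check_deployment(env: str, auth_enabled: bool) -> None:
    """Fail closed: a disabled auth check is tolerated only in a test
    environment, so a stale toggle cannot silently ship to production."""
    if not auth_enabled and env != "test":
        raise UnsafeConfiguration(f"authentication disabled in env={env!r}")

def hardened_invoice_view(req: Request) -> Tuple[int, Optional[str]]:
    """No toggle: the caller must be authenticated, and the invoice must belong
    to that customer. Foreign and missing invoices get the same 404 so the
    response does not reveal which ids exist."""
    if req.session_customer is None:
        return 401, None
    owner, body = INVOICES.get(req.invoice_id, (None, None))
    if body is None or owner != req.session_customer:
        return 404, None
    return 200, body
```

Detection-wise, a spike of sequential invoice ids fetched from a single unauthenticated session is the observable signature of the vulnerable path; the startup check turns the configuration mistake into a deployment failure rather than a two-year exposure.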
Personal data: A sanction outside the scope of the GDPR
The sanction imposed by the CNIL’s restricted panel was based on Bouygues Telecom’s failure to fulfill its obligation to ensure the security of users’ personal data on its website, under Article 34 of the French Data Protection Act.
As with the sanction against Uber, the amount of the fine may seem lenient; the events, however, occurred before the General Data Protection Regulation (GDPR) came into effect, so its penalty regime did not apply.