CNIL Fined Slimpay For its Lack of Security
In the midst of the holiday season, the French Data Protection Authority CNIL issued an administrative sanction to a French company operating in several countries in Europe offering payment solutions.
During summer 2015, Slimpay launched a research program using their database of the payers held on behalf of their clients. Once the research completed, they failed to delete the database. Data was left on an unsecured system accessible online.
Breach of at least two processing principles: data minimisation and storage limitation. Possibly data accuracy as part of the data stored would have become inaccurate after time. Purpose limitation could initially be justified as increasing the securing of the data could justify the operation although it’s unclear if they needed to research on the entire data base of more than 12 million individuals.
On February 14th 2020, they were alerted by one of their clients concerning the vulnerability of their server. They immediately disconnected the database. February 17th 2020 they have notified the data breach to the CNIL, followed by further detailed notifications in February the 20th.
The breach affected the data of 12 million clients’ data including bank BIC and IBAN numbers.
It’s only on October the 21st, 8 months after the initial notification, that the CNIL enquired about their notifications to data subjects.
The case having cross border elements, the CNIL played the lead authority as the company’s HQ is based in France.
I note that the CNIL mentioned ‘aucune objection pertinente et motivée’ (no relevant or reasoned objection) from concerned DPAs was formulated.
It was accepted that in the specific context of this internal research, company Slimpay was the data controller.
The CNIL made a series of observations retaining liability of Slimpay for the lack of compliant data processing agreements (Art 28-3 GDPR), the obligation of securing the data (Art 32 GDPR) and absence of data subject notification.
- Lack of data processing agreement art 28-3 GDPR
Every and each sub processing has to be compliant with the requirements of article 28 GDPR in order to ensure a compliant processing of the data.
Art 28-4 : a data processor using a sub processor on behalf of the data controller has the same liabilities as what has been fixed in the original data processing agreement.
When the sub-processor does not comply with its obligations the initial processor’s liability is engaged.
The CNIL considered a simple questionnaire sent to the sub-processor, without any proof of a response, did not fulfil the requirements of art 28 para 3 and 4.
Additionally, several contracts passed between the company and its sub-processors did not contain all the required clauses such as the type of data and rights and obligations of the controller. (CNIL has published the DPA clauses 30 June 2021, modifying the document published in 2017)
The CNIL logically considered that the produced amendment to the contract signed in July 2021 was precisely a proof in itself that the company was not compliant at the time it was investigated and it’s still not fully compliant.
Something to remember whenever you use a third party to share personal data with, make sure you assess their GDPR compliance and put in place appropriate DPAs. This is a requirement for any processor such as an IT supplier or any kind of data processing tools.
2. On the obligation to ensure the security of the data
The CNIL, based on article 32 GDPR, taking account of the risks involved,
- First on the lack of appropriate security measures
The database was used in the context of tests measuring fraud resistance between 2015 and 2016. The database then was stored on an insecure server. It was a vigilant client that warned the company. The ongoing security vulnerability was compared to a case previously ruled by the higher administrative court, Conseil d’Etat, on March 2021 concerning Futura Internationale.
Access to the server were not restricted. Always check if you have correctly limited access to data to the strict minimum.
Vainly, Slimpay argued a human error more than a weakness of his security system.
In fact, the server was accessible via an URL with an easily identifiable IP when using a hoovering software available online. There was no server logging to identify unauthorised access to servers as recommended by ANSSI to detect potential intrusions and track fraudulent access.
Additionally, the database was stored in clear on the server, visible with any text edit tool.
Therefore, the absence of measures of security of the server and access limitation has made the servers easily accessible from the internet.
It worth pointing that the CNIL did considered irrelevant the fact that the data had been accessed or not, the only fact that the data was easily accessible to unauthorised readers was deemed sufficient.
Slimpay argued the security flaw was not exploited as no one had complained about any misuse of the personal data. For the CNIL, even in the absence of proof of access, Slimpay has been liable for lack of security measures and risks of fraudulent use were real. Notwithstanding an actual damaged caused to data subjects, the lack of security is in itself a breach of article 32. A large number of 12.478.819 European citizens date of birth, postal and email addresses, telephone number and bank information (BIC/IBAN) have been compromised.
This is a very important point to underline as article 82 GDPR allows civil compensation for non-material damage while courts have been too shy to allow compensation for potential damages. Putting at risk data should be in itself a breach of data as rarely data subjects can prove immediate harm after data are compromised.
For the CNIL the risk of data misuse and phishing are real, including for an ID theft. (see below the ID and financial theft cited by the EDPB).
The argument of a negligent employee was not retained as in any case it’s the company’s duty to ensure the security of the data.
–> Also the Danish DPA announced it found that a public entity sent personal data, including sensitive personal data and children’s personal data, via unencrypted email. The DPA ruled that the public entity did not implement the necessary security measures, taking into account the amount and type of information being
Here’s the decision
- On the password weakness
Clients’ access were protected by an obsolete hash SHA-1 that could be simply one word.
Slimpay objected this was a partially incorrect information initially communicated as the new interface would use Bcrypt recommended by the CNIL a brut force interface with multi factor authentication requiring a 10-128 character password. CNIL accepted Slimpay’s evidences.
- Absence of data subjects notifications
The CNIL considered that in view of the nature of the personal data, the volume of data subjects, the ease of identifying the persons affected by the breach and the possible consequences for the data subjects, the risk associated with the breach could be considered high and that notification to data subjects should have been made.
The CNIL rejects Slimpay’s argument that they initially processed the data on behalf of clients or lack of sufficient risk. The risks were real: phishing, ID theft and associated risks. They had the email addresses of half of the data subjects and could have made a public information.
Therefore, the CNIL concluded that Slimpay had been in breach of article 34 GDPR.
On the amount of the fine
The fine of 180.000 € is relatively mild comparing to the margin of 4% of global turnover or 20 million €.
Based on the article 83 GDPR, taking account of the length of data breach, the number of individuals concerned and the sensitivity of the data, especially as for IBAN numbers.
Slimpay argued they have diligently collaborated with the CNIL, notified within 72 hours
The CNIL, based on a document issued by the Banque de France in “paiements et infrastructures de marché à l’ère digitale » reminds that IBAN numbers can be used in financial frauds. EDPB has qualified this kind of data of ‘highly personal’. Therefore, Slimpay should have deployed exceptional vigilance for securing such data.
Taking account of the duration of the breach, the lack of security measures, despite an immediate reaction and their collaboration, the negligence was of particular gravity (lack of logging of access and access to the server). Additionally, they had omitted the notifications article 34 to data subjects.
Considering the financial situation of the company and its net benefits in 2019 and 2020 (not mentioned), 180.000 € was justified.
Considering the number of victims concerned by the breach, the decision was made public.
This is for the administrative sanction.
Where controllers or processors are involved in the same processing, each controller or processor should be held liable for the entire damage.
Art 79 (1) of the GDPR provides:
“Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.”
Ultimately, there is the criminal offense of not complying with the obligations of article 32 GDPR. See below the various laws applying in France
Here is an example of data breach that has led into phishing. Cybercriminals accessed the legal firm’s inbox to extract then reproduce personal data from previous email exchanges left on the inbox. Then the data reproduced was sent as a chain of email including a malware attachment. Ikea and Fujifilm were recently victims of similar attacks along with several notaires in France. In this case, the data controller had to be reminded after several warnings, finally waken up to remember they a DPO, to notify the data breach to the CNIL. They are still denying data subjects would have occurred any risk despite a large amount of personal data – including IDs, bank details and IBAN numbers being stored without any appropriate security measures on their inbox. These being legal professionals bound by confidentiality of the documents, their liability is aggravated by such negligence, despite client’s warning on the sensitivity of the documents exchange.
One law firm involved persists to exchange these sensitive documents via mainstream application Wetransfer, a processor that only offers data protection agreement article 28 to his professional accounts, which lacks transparency to third parties. Additionally, Wetransfer uses AWS cloud storage which constitute a data transfer to the US in breach of Chapitre-V GDPR since the invalidation of the Privacy Shield. Currently the CNIL is instructing the case and a criminal complaint to the French Prosecutor is investigating as well.
Despite the client’s warning about the particular sensitivity of the personal and financial data included in the documents. They had refused encryption despite all recommendations by the CNIL and any IT security in breach of article 32 GDPR. They took a long time and several requests before they notify the breach to the CNIL, so far no notification to data subjects as they consider there has been no risk. They would continue to exchange data by simple email attachment if they were not reminded their DPO had mentioned they use secured means of document exchange. The other law firm plays with Wetransfer links to escape the respect of fair communications.
To demonstrate how a data breach can cause harm, here is one example of how things can go wrong following a data breach of personal data mentioned in the newly adopted version of the European Data Protection Board‘s Guidelines 01/2021 on Examples regarding Personal Data Breach Notification under the GDPR :
Lawyers or other legal professionals bound by attorney client privilege or confidentiality should be more careful when handling documents containing personal or financial data. This should be a reminder that securing personal data is not optional, especially for professionals handling sensitive data or subject to confidentiality. Lawyers and legal professions are being increasingly targeted by cyber criminals. According to the security agency ANSSI, 2021 saw an increase of 300% in ransomware attacks. Here are curated some of the major cyberattacks.
Following closely, as it seems like the French CNIL is starting the year 2022 with vigour, a sanction against the French mobile company Free. Here resumed by the great Jimmy Orucevic :
CNIL fines FREE MOBILE for failure to respond to inquiries from data subjects, false invoices, e-mailing of passwords in plain text –> € 300’000
The french DataProtection authority has received many complaints concerning the difficulties encountered by individuals in having responses to their requests for access and to object to receiving commercial prospecting messages from the French mobile telephone operator FREE MOBILE.
The CNIL retained 4 breaches of the #GDPR against the company:
– a failure to respect the right of access of individuals regarding their personal data (Art. 12 and 15 of the GDPR), since the company did not respond to the requests made by the complainants within the time limits;
– a failure to respect the right to object of the persons concerned (Art. 12 and 21 of the GDPR), since the company did not take into account the requests of the complainants that no more commercial prospecting messages be sent to them;
– a breach of the obligation to ensure the security of personal data (Art. 32 of the GDPR), since the company transmitted by email – in clear text – the passwords of users when they subscribed to an offer with FREE MOBILE, without these passwords being temporary and the company requiring them to be changed.
This fine takes into account the size and the financial situation of the company. Its publicity is justified by the need to reiterate the importance of responding to requests for exercising the data subject’s rights and ensuring the security of users’ data.
decision accessible here[Hashtags removed]
Securing data is a duty. A password in clear in an email is a no no, as much as personal or confidential documents exchange by unencrypted emails or transfer of documents in the hands of third party apps without assessment and a Data Protection Agreement article 28 GDPR.
Renforcer la sécurité de toute transmission de données à caractère personnel.
La messagerie électronique ne constitue pas un moyen de communication sûr pour transmettre des données personnelles, sans mesure complémentaire. Une simple erreur de manipulation peut conduire à divulguer à des destinataires non habilités des données personnelles et à porter ainsi atteinte au droit à la vie privée des personnes. En outre, toute entité ayant accès aux serveurs de messagerie concernés (notamment ceux des émetteurs et destinataires) peut avoir accès à leurCNIL’s guidance
“reinforcing the security of any transmission of personal data. E-mail is not a secure means of communication for transmitting personal data without further action. A simple error in handling may lead to the disclosure of personal data to unauthorised recipients and thus infringe on the right to privacy of individuals. In addition, any entity with access to the relevant mail servers (including those of the senders and recipients) may have access to their content.”