CNIL fined a knowledge controller and its processor with a effective of 225,000 euros for breach of safety associated to filling in credentials
On January 27, 2021, the French Data Protection Agency (“CNIL”) announced (in French) that it had fined a controller € 150,000 and its data processor € 75,000 for failing to comply with adequate security measures the personal data of customers from attacks on the website of the data controller. The CNIL decided not to make its decisions public, thereby not disclosing the names of the sanctioned companies.
Between June 2018 and January 2020, the CNIL received several dozen notifications of personal data breaches in relation to a website where several million customers regularly shop online. The CNIL decided to not only investigate the data processing company through the website (i.e.., the data controller), but also the service provider who operates the website on behalf of this company (i.e..as a data processor). During its investigations, the CNIL found that the site in question had been the victim of numerous credential-filling attacks. Credential filling occurs when a malicious person uses lists of credentials found after data breaches on the dark web. Given that website users often use the same password and username (their email address) on different online services, the attacker uses robots to attempt multiple login requests on different websites. If the login is successful, the attacker can verify the account information. In the present case, the CNIL found that the attackers had access to the following account information: first and last name, email address, date of birth, loyalty card number and account balance, and details of the orders placed on the website. A total of around 40,000 customer accounts were made accessible to unauthorized third parties between March 2018 and February 2019.
The decisions of the CNIL
The CNIL’s sanctioning committee (the “Restricted Committee”) determined that the data controller and the data processor ensure the security of customers’ personal data in accordance with Article 32 of the EU General Data Protection Regulation (the “GDPR”) . The Restricted Committee believes that both companies have waited too long to take action to effectively combat repeated credential filler attacks. The companies decided to develop a tool to detect and block attacks by robots. However, this tool wasn’t developed until a year after the first attacks. In the meantime, companies could have considered several other measures that would have brought more immediate benefits to deter new attacks or mitigate negative consequences for affected customers, such as: B. (1) limit the number of requests authorized per IP address to the website; and (2) use a CAPTCHA when users first try to log into their accounts.
The CNIL’s Restricted Committee has decided to fine both the data controller and the data processor. The CNIL’s Restricted Committee emphasized that the data controller must decide to take appropriate security measures and give his data processor documented instructions. However, the data processor must also identify the most suitable technical and organizational solutions to ensure data security and propose these solutions to the data controller.