CNIL - Not public (27/01/2021)

From GDPRhub
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Published: 27.02.2021
Fine: 150000 EUR
Parties: n/a
National Case Number/Name: Not public (27/01/2021)
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: CNIL (in FR)
Initial Contributor: Roka

The French DPA (CNIL) imposed a €150,000 fine on an undisclosed data controller operating an online shopping website for failing to properly secure personal data (Article 32 GDPR). For almost two years the controller suffered several "credential stuffing" attacks and failed to detect or block them. The CNIL also imposed a €75,000 fine on the data processor.

English Summary

Facts

Between June 2018 and January 2020, the French DPA (CNIL) received dozens of data breach notifications concerning a shopping website used by millions of customers. The CNIL decided to investigate the owning company (controller) and the processor in charge of managing the site.

The investigation revealed that the controller was developing a tool to detect and block credential stuffing attacks but did not implement any temporary measures to prevent further attacks from succeeding in the meantime. As a result, personal data linked to about 40,000 different customers were made accessible to third parties.

Credential stuffing is a type of attack in which an attacker tries to log in to a service by replaying, in bulk, login/password pairs retrieved from a previous data breach.

Dispute

Does taking one year to implement corrective measures following a data breach violate Article 32 GDPR?

Holding

The CNIL ruled that the controller and its processor did not act diligently in implementing corrective measures. For this reason, the French DPA imposed a €150,000 fine on the controller.

The DPA also ruled that even though the data controller is responsible for providing the processor with documented instructions on the measures to be taken, the processor must itself search for appropriate measures and propose them to the controller. As a result, the CNIL imposed a €75,000 fine on the processor as well.

The CNIL underlined that the controller could have implemented quick measures to block further credential stuffing attacks, such as capping the number of login requests coming from the same IP address or using a CAPTCHA.
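The two quick measures the CNIL names, capping login requests per source IP and challenging with a CAPTCHA, can be combined into a single per-IP login throttle that also flags the "many distinct accounts from one address" pattern characteristic of credential stuffing. The Python below is an added illustration written for this page, not the CNIL's text or the controller's detection tool; the thresholds, the stepped allow/challenge/block policy, the sample attempts and the IP addresses are constructed assumptions.

```python
import time
from collections import Counter, defaultdict, deque

# Constructed sample login attempts: (timestamp_s, source_ip, username).
# 203.0.113.7 mimics a credential-stuffing bot cycling through leaked
# username/password pairs; 198.51.100.4 is an ordinary user retrying once.
SAMPLE_ATTEMPTS = [(0.0, "198.51.100.4", "alice@example.com"),
                   (2.0, "198.51.100.4", "alice@example.com")]
SAMPLE_ATTEMPTS += [(0.1 * i, "203.0.113.7", f"user{i}@example.com") for i in range(30)]


class LoginThrottle:
    """Per-IP sliding-window cap on login requests with a stepped response:
    allow -> challenge (CAPTCHA) -> block. Thresholds are illustrative assumptions."""

    def __init__(self, soft_limit=3, hard_limit=10, window_s=60.0, distinct_users=5):
        self.soft_limit = soft_limit          # requests before a CAPTCHA is demanded
        self.hard_limit = hard_limit          # requests before the IP is refused outright
        self.window_s = window_s
        self.distinct_users = distinct_users  # distinct accounts tried => stuffing signal
        self._hits = defaultdict(deque)       # ip -> timestamps inside the window
        self._users = defaultdict(set)        # ip -> usernames attempted (blocked ones too)

    def decide(self, ip, username, now=None):
        """Return 'allow', 'challenge' or 'block' for one login request."""
        now = time.time() if now is None else now
        q = self._hits[ip]
        while q and now - q[0] > self.window_s:   # drop hits that fell out of the window
            q.popleft()
        self._users[ip].add(username)             # record even attempts we then refuse
        if len(q) >= self.hard_limit:
            return "block"
        q.append(now)
        return "challenge" if len(q) > self.soft_limit else "allow"

    def stuffing_suspects(self):
        """IPs that tried at least `distinct_users` different accounts."""
        return sorted(ip for ip, u in self._users.items() if len(u) >= self.distinct_users)


def replay(attempts, throttle=None):
    """Replay attempts in time order; return (decision counts, suspect IPs)."""
    throttle = throttle or LoginThrottle()
    counts = Counter(throttle.decide(ip, user, now=ts) for ts, ip, user in sorted(attempts))
    return dict(counts), throttle.stuffing_suspects()
```

On the constructed sample, the bot's first three requests pass, the next seven are sent to a CAPTCHA, the remaining twenty are refused, and the address is reported as a stuffing suspect, while the ordinary user's two attempts are unaffected.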

Comment

As the full decision of the CNIL was not made publicly available, this article is a summary of the press release published by the CNIL on its website.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

The CNIL's restricted session recently sanctioned a data controller and its processor by 150,000 euros and 75,000 euros for failing to take satisfactory measures to deal with attacks by credential stuffing on the data controller's website.

Between June 2018 and January 2020, the CNIL received several dozen notifications of violations of personal data in connection with a website from which several million customers regularly make purchases. The CNIL decided to carry out checks with the data controller and its subcontractor, which was entrusted with the management of this website.

During its investigations, the CNIL found that the website in question had suffered numerous waves of attacks of the credential stuffing type. In this type of attack, a malicious person retrieves lists of identifiers and passwords "in clear" published on the Internet, usually following a data breach. Assuming that users often use the same password and username (the e-mail address) for different services, the attacker will use "bots" to try to log on to a large number of sites. When authentication is successful, this allows the attacker to see the information associated with the accounts in question.

The CNIL has noted that attackers have been able to read the following information: name, first name, email address and date of birth of customers, but also number and balance of their loyalty card and information related to their orders.

Insufficient security measures

The Restricted session - the CNIL body responsible for imposing sanctions - considered that the two companies had failed in their obligation to preserve the security of customers' personal data, provided for in Article 32 of the RGPD.

Indeed, the companies were slow to put in place measures to effectively combat these repeated attacks. They had decided to focus their response strategy on developing a tool to detect and block attacks launched from robots. However, the development of this tool took a year from the first attacks.

In the meantime, several other measures with faster effects could have been considered to prevent new attacks or to mitigate the negative consequences for people, such as:

- Limiting the number of requests allowed per IP address on the website, which could have helped to slow down the rate at which attacks were carried out;
- The appearance of a CAPTCHA on the first attempt to authenticate users on their account, which is very difficult for a bot to circumvent.

As a result of this lack of diligence, the data of approximately 40,000 website customers was made available to unauthorized third parties between March 2018 and February 2019.

Sanctions imposed by the restricted formation

As a result, the restricted formation pronounced two separate fines - 150,000 euros against the data controller and 75,000 euros against the processor - in respect of their respective liability. Indeed, it stressed that the data controller must decide on the implementation of measures and give documented instructions to its processor. However, the processor must also seek the most appropriate technical and organizational solutions to ensure the security of personal data and propose them to the data controller.

The Restricted session has not decided to make these deliberations public. Nevertheless, it wishes to communicate on these decisions to alert professionals to the need to reinforce their vigilance concerning attacks by credential stuffing, and to develop, in conjunction with their subcontractor, sufficient measures to guarantee the protection of personal data.