Spotlight on adequate/reasonable protections to personal information – Part 1 – France.

CNIL fined a real estate company 400,000 EUR for failing to implement adequate protection of personal data, in violation of the GDPR.

In this case, the URLs on the company’s website were the problem. By changing a single character in a URL, a user could gain access to documents belonging to other individuals.

CNIL was able to access the accounts of 9,446 different people, containing documents such as copies of identity cards, health insurance (Carte Vitale) cards, tax notices, death certificates and marriage certificates, certificates of affiliation to Social Security, certificates issued by the family allowance fund, invalidity pension certificates, divorce decrees, account statements, bank account identity statements and rent receipts.

In all, 290,870 files were exposed through this vulnerability. The absence of proper access control to personal data has been identified as one of the most widespread vulnerabilities and has already led to numerous public financial penalties for similar failures.
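An added illustration, not the company's code or anything from the CNIL decision: the missing authorization check described above, modelled as plain Python functions, next to the ownership check that prevents it and a small log check that flags sessions walking through document ids (all names, ids and log lines are constructed).

```python
"""Added example (not from the CNIL decision or the company's code):
a document-download endpoint modelled as plain functions, first with the
missing access control that the page describes, then with the check that
would have prevented one user from reading other people's files.
All names, ids and documents below are constructed for illustration."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Document:
    doc_id: str
    owner: str
    content: bytes

# Constructed sample store: sequential, guessable ids as in the vulnerable site.
DOCS = {
    "1001": Document("1001", "alice", b"ALICE-ID"),
    "1002": Document("1002", "bob", b"BOB-TAX"),
}

def fetch_document_vulnerable(doc_id: str) -> bytes:
    """Vulnerable: the URL parameter is the only thing that selects the file.
    Changing 1001 to 1002 returns another person's tax notice."""
    return DOCS[doc_id].content

class AccessDenied(Exception):
    pass

def is_owner(session_user: str, doc_id: str) -> bool:
    """Ownership is checked against the authenticated session, never the URL."""
    doc = DOCS.get(doc_id)
    return doc is not None and doc.owner == session_user

def fetch_document(session_user: str, doc_id: str) -> bytes:
    """Hardened: look up, then enforce ownership before releasing any bytes."""
    if not is_owner(session_user, doc_id):
        # Same response for 'missing' and 'not yours' so ids cannot be enumerated.
        raise AccessDenied("document not found")
    return DOCS[doc_id].content

def flag_enumeration(log_lines: list, threshold: int = 5) -> set:
    """Detection: sessions whose denied requests span many distinct ids,
    the footprint of someone walking sequential URLs. Lines are constructed
    as 'session doc_id outcome'."""
    denied = {}
    for line in log_lines:
        session, doc_id, outcome = line.split()
        if outcome == "denied":
            denied.setdefault(session, set()).add(doc_id)
    return {s for s, ids in denied.items() if len(ids) >= threshold}
```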

The high fine was due to the nature of the vulnerability, the number of records, the sensitivity of the data and the time it took to remediate.