Data Processors beware.

France’s CNIL issued an enforcement action against both a data controller (150,000 EUR) and a data processor (75,000 EUR) for inadequate information security measures leading to a credential-stuffing attack.

The attackers were able to obtain the last name, first name, email address, date of birth, loyalty card balance and orders of approximately 40,000 individuals.

In this case, the companies focused their response strategy on developing a tool to detect and block attacks launched from bots. However, the development of this tool took a year from the first attacks.

CNIL notes that other measures would have been preferable including:
  • limiting the number of requests allowed per IP address on the website
  • adding a CAPTCHA.
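The per-IP request cap CNIL lists above, as an added illustration that is not from the CNIL decision or from either company: a sliding-window limiter run over constructed login attempts, which also reports the number of distinct usernames tried from each source IP, since credential stuffing cycles through many accounts from one origin rather than hammering a single account. The IP addresses and usernames are made up.

```python
from collections import defaultdict, deque


class LoginRateLimiter:
    """Sliding-window limiter: at most `limit` login attempts per source IP
    within any `window`-second period (the per-IP cap CNIL refers to)."""

    def __init__(self, limit=10, window=60):
        self.limit = limit
        self.window = window
        self._recent = defaultdict(deque)  # ip -> timestamps of admitted attempts
        self._users = defaultdict(set)     # ip -> distinct usernames seen (reporting)

    def allow(self, ip, username, ts):
        """Return True if the attempt may reach the login handler, else False."""
        q = self._recent[ip]
        while q and ts - q[0] >= self.window:  # drop attempts outside the window
            q.popleft()
        self._users[ip].add(username)          # record blocked attempts too
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True

    def distinct_users(self, ip):
        return len(self._users[ip])


def replay(events, limit=10, window=60):
    """Feed (ts, ip, username) events through the limiter in time order and
    return per-IP counts of allowed/blocked attempts and distinct usernames."""
    limiter = LoginRateLimiter(limit, window)
    stats = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for ts, ip, username in sorted(events):
        key = "allowed" if limiter.allow(ip, username, ts) else "blocked"
        stats[ip][key] += 1
    for ip in stats:
        stats[ip]["distinct_users"] = limiter.distinct_users(ip)
    return dict(stats)


# Constructed sample: a bot at 203.0.113.7 tries 25 different leaked logins one
# second apart; a customer at 198.51.100.5 retries the same account three times.
SAMPLE_EVENTS = [(t, "203.0.113.7", f"user{t:02d}@example.net") for t in range(25)]
SAMPLE_EVENTS += [(5, "198.51.100.5", "alice@example.net"),
                  (20, "198.51.100.5", "alice@example.net"),
                  (31, "198.51.100.5", "alice@example.net")]

if __name__ == "__main__":
    for ip, s in sorted(replay(SAMPLE_EVENTS).items()):
        print(ip, s)
```

With the defaults the bot source is cut off after 10 attempts in the 60-second window, while the customer's three attempts all pass.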

CNIL notes that the data controller must decide on the implementation of measures and give documented instructions to the data processor. But the data processor must also seek the most appropriate technical and organizational solutions to ensure the security of personal data, and offer them to the controller.

Details on the sanctions from CNIL.