A fine of 180K euros for GDPR data breach imposed by CNIL
Active Insurances, has been fined by France’s data protection authority, the CNIL. The amount is 180,000 euros against Active Insurances, CNIL has said that “breached its obligation to secure personal data provided for by Article 32 of the [EU] General Data Protection Regulation.”
A customer alerted the CNIL in 2018 that he was able to access personal data of other customers, including their driver’s licenses, registration cards and bank identification records, from his personal account. The CNIL notified the company, which agreed to take corrective measures to protect its customers’ personal data.
The company informed the CNIL that measures had been taken. An on-site inspection was then carried out on the premises of the company. It has been found that:
- the measures taken were not sufficient to prevent referencing;
- the personal space login passwords, which the format was imposed by the company, corresponded to the date of birth of the customers, this format being also indicated on the login forms;
- after the creation of their account, the username and the password of connection were transmitted to the customers by email and mentioned clearly in the body of the message.
On the basis of the investigations carried out, the restricted training – organ of the CNIL responsible for imposing sanctions – considered that the company had breached its obligation to secure personal data (RGPD).
Restricted training considered that:
- the company should have ensured that every person wishing to access a document was entitled to consult it;
- SEO by search engines could have been avoided using a file “robot.txt” for example;
- the company should have required users to use stronger passwords and not transmit them in clear email.
The decision by the CNIL took into account the seriousness of the breach, because of the nature of the data and the documents in question (identity documents, information relating to infringements, bank details, etc.). It also took into account the number of people concerned, as the lack of security affected the accounts of several thousand customers and people who had terminated their contract with the company.