Penalty against a car insurer
The French data protection authority CNIL imposed a fine of € 180,000 on an insurance company (Active Assurance).
Incident
The authority was contacted by one of the company’s customers after he discovered that customer data on the website was not protected. Simply by changing the URL, he was able to access the accounts of other customers and view the data they had entered, copies of driver’s licenses, information about accidents, and so on.
The customer noticed the technical defect after clicking a link from a search engine and being shown another customer’s data.
Among others, the following data sets were affected:
- 137,776 copies of driver’s licenses
- 119,940 bank account records
- 119,517 insurance quotes
- 36,068 registration certificates
- 148,359 phone numbers and e-mail addresses
Immediately after being notified, the data protection authority informed the company, which assured the authority that it would deal with the matter rapidly.
After the insurer reported to the authority within 24 hours that the technical deficiency had been “resolved”, the CNIL launched a further investigation to verify that the fix had been implemented correctly.
In the course of that investigation, the authority’s staff found that the measures taken were inadequate, and several further vulnerabilities came to light. For example, the company sent customers their passwords in plain text by e-mail, and customers were not advised to choose a strong, unique password.
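As an added illustration (not code from the CNIL decision or from the insurer), the following shows the authorization defect described above in miniature: a handler that trusts the account id taken from the URL, beside one that checks that the logged-in user actually owns the requested record. All names, ids and records are constructed for the example.

```python
# Added example: object-level authorization for a per-customer account page.
# Everything here (Account, ACCOUNTS, the handlers) is constructed for
# illustration and is not the insurer's code.

from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the session user is not allowed to read the record."""


@dataclass(frozen=True)
class Account:
    account_id: int
    owner_id: int
    email: str
    licence_doc: str  # constructed placeholder for an uploaded licence scan


# Constructed sample data store: two customers, two accounts.
ACCOUNTS = {
    1001: Account(1001, owner_id=1, email="a@example.test", licence_doc="lic-1001.pdf"),
    1002: Account(1002, owner_id=2, email="b@example.test", licence_doc="lic-1002.pdf"),
}


def get_account_vulnerable(session_user_id: int, account_id: int) -> Account:
    """Mirrors the reported defect: the id from the URL is used directly,
    so any caller can read any customer's record by changing it."""
    return ACCOUNTS[account_id]


def get_account_hardened(session_user_id: int, account_id: int) -> Account:
    """Object-level check: the record is returned only if the session user
    owns it. A missing record and a foreign record are refused identically,
    so the response does not reveal which ids exist."""
    account = ACCOUNTS.get(account_id)
    if account is None or account.owner_id != session_user_id:
        raise Forbidden(f"user {session_user_id} may not read account {account_id}")
    return account


def exposes_other_users_record(handler) -> bool:
    """Regression check for the defect: customer 1 requests customer 2's account.
    Returns True if the handler hands the record over."""
    try:
        handler(1, 1002)
        return True
    except Forbidden:
        return False
```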
Decision of the data protection authority
The large number of technical errors, together with the fact that basic principles such as user authentication were disregarded, led to a fine of € 180,000.
The authority noted that the company’s rapid response and extensive cooperation had a mitigating effect on the penalty.
Decision date:
18.07.2019
Country:
France
Type of violation:
technical deficiency
Affected data records:
144000
Were sensitive data affected?:
No
Fine imposed:
€ 180,000
GDPR article violated:
Art. 32 (Security of processing)
Source:
Communication from the French data protection authority (French)