Penalty against Bouygues Telecom
The French data protection authority CNIL has been particularly active since the General Data Protection Regulation came into force and has already imposed severe fines on national and international companies on several occasions.
On December 27, the authority imposed a €250,000 fine on Bouygues Telecom for violations of the French Data Protection Act.
Background
With around 7,000 employees and over 17 million customers, the company is the third-largest telecommunications provider in France. In 2017, sales amounted to more than 5 billion euros and profit was put at 260 million euros.
Customers can access the contracts they have concluded and the associated invoices via the company’s web portal. Bouygues Telecom found that by simply changing the web address (URL), visitors could access other customers’ contracts and bills. This constitutes a data protection breach, which the company reported to the data protection authority. The authority had already been informed of the issue by a private individual four days earlier.
Technical cause
In principle, the company had developed the customer portal properly, and the system prevented access to other customers’ data. However, the investigation revealed that the website had been taken offline about two years earlier as part of a brand merger. During that work the security module was deactivated, and it was not switched back on when the site went live again. As a result, customers’ personal data was unprotected for approximately two years.
Decision of the data protection authority
The French data protection authority imposed a fine of €250,000 at the end of the investigation.
The main reason given was that the company had failed to take other measures that would have ensured such an error was detected. Security tests carried out in the meantime also failed to bring the problem to light, as they were ineffective.
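To make the two findings above concrete (a lookup that trusts the identifier in the URL, and tests that would not notice the authorisation check being switched off), here is an added illustration in Python. It is not code from Bouygues Telecom or CNIL; the invoice records, customer ids and function names are constructed for the example.

```python
"""Added example (not the operator's code): an invoice lookup that trusts the
object id in the URL, the same lookup with an ownership check, and a
regression check that would flag the ownership check being disabled."""
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    customer_id: int
    amount_eur: float


# Constructed sample data: two customers, each owning one invoice.
INVOICES: Dict[int, Invoice] = {
    1001: Invoice(invoice_id=1001, customer_id=7, amount_eur=39.99),
    1002: Invoice(invoice_id=1002, customer_id=8, amount_eur=24.50),
}


class NotFound(Exception):
    """Raised for unknown *and* foreign invoices, so a caller cannot tell
    whether an id exists (avoids enumeration of other customers' ids)."""


def get_invoice_unchecked(session_customer_id: int, invoice_id: int) -> Invoice:
    """Vulnerable pattern: returns whatever invoice the URL names.
    The authenticated customer id is accepted but never consulted."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    return inv


# Models the "security module" that was left switched off after the merger.
OWNERSHIP_CHECK_ENABLED = True


def get_invoice_checked(session_customer_id: int, invoice_id: int) -> Invoice:
    """Hardened pattern: the record is returned only if it belongs to the
    customer identified by the session, never just because the id exists."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    if OWNERSHIP_CHECK_ENABLED and inv.customer_id != session_customer_id:
        raise NotFound(invoice_id)
    return inv


Handler = Callable[[int, int], Invoice]


def denies_cross_account_read(handler: Handler) -> bool:
    """Regression check for a test suite: customer 7 requests customer 8's
    invoice. True means the handler refused; False means it leaked the record.
    Run on every deploy, this would have caught the disabled check."""
    try:
        handler(7, 1002)
    except NotFound:
        return True
    return False


def allows_own_read(handler: Handler) -> bool:
    """Companion check: the owner must still see their own invoice, so the
    suite also fails if the fix is over-broad."""
    try:
        return handler(7, 1001).invoice_id == 1001
    except NotFound:
        return False


if __name__ == "__main__":
    for name, h in (("unchecked", get_invoice_unchecked), ("checked", get_invoice_checked)):
        print(f"{name}: denies cross-account={denies_cross_account_read(h)}, "
              f"allows own={allows_own_read(h)}")
```

The point of the two check functions is that they are assertions about behaviour, not about the presence of a module: whether the authorisation layer is removed, misconfigured or simply never re-enabled, a suite that replays a cross-account request after every deployment reports the regression the same way.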
Originally, the authority planned a fine of €500,000, but this was eventually reduced due to Bouygues Telecom’s good cooperation.
It should be noted that the GDPR was not applied: customers’ data was unprotected until March 2018, but the General Data Protection Regulation did not come into force until May of that year.
Date of decision:
27.12.2018
Country:
France
Type of violation:
technical deficiency
Affected records:
2 176 236
Was sensitive data affected?:
No
Fine imposed:
€250,000
Violation of GDPR Paragraph:
unknown
Source:
Communication from the French data protection authority CNIL (French)