Penalty against car insurance company
The French data protection authority CNIL imposed a fine of € 180,000 against an insurance company (Active Assurance).
The DPA was contacted by a customer of the company who had found that customer data on the website was not protected: by changing the URL, he could access other customers' accounts and thereby view the data they had entered, copies of driver's licenses, information about accidents, and so on.
The customer noticed the technical defect after he had clicked on a link from a search engine and was shown the data of a different customer.
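The access-control defect described above, as an added illustration that is not the insurer's code and not part of the CNIL decision: a record lookup keyed only on the identifier in the URL, beside a hardened version that ties the record to the authenticated session, plus a simple check over access-log lines that surfaces one session browsing many customer ids. All names, ids and log lines are constructed.

```python
# Added example (not from the CNIL decision or Active Assurance's code): the
# "before" handler trusts the customer id taken from the URL; the "after"
# handler enforces object-level authorization against the session.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Customer:
    customer_id: int
    email: str
    license_copy: str  # constructed placeholder for a stored document


# Constructed sample data standing in for the insurer's customer database.
CUSTOMERS = {
    1001: Customer(1001, "alice@example.com", "license-alice.pdf"),
    1002: Customer(1002, "bob@example.com", "license-bob.pdf"),
}


def get_record_vulnerable(session_user_id: int, requested_id: int):
    """Before: any logged-in user can read any record by editing the URL."""
    return CUSTOMERS.get(requested_id)


def get_record_fixed(session_user_id: int, requested_id: int):
    """After: the record must belong to the authenticated session.
    A foreign id yields the same 'not found' result as a non-existent one,
    so the response does not confirm which ids exist."""
    record = CUSTOMERS.get(requested_id)
    if record is None or record.customer_id != session_user_id:
        return None
    return record


# Constructed access-log lines: (session_user_id, requested customer id, status).
ACCESS_LOG = [
    (1001, 1001, 200),
    (1001, 1002, 200),
    (1001, 1003, 200),
    (1001, 1004, 404),
    (1002, 1002, 200),
]


def flag_enumeration(log, threshold: int = 2):
    """Detection: sessions that request more than `threshold` distinct ids."""
    seen = defaultdict(set)
    for user, requested, _status in log:
        seen[user].add(requested)
    return sorted(u for u, ids in seen.items() if len(ids) > threshold)
```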
Among other things, the following data records were affected:
- 137,776 driver’s license copies
- 119,940 bank account records
- 119,517 insurance offers
- 36,068 registration certificates
- 148,359 telephone numbers and e-mail addresses
Immediately after the notification, the DPA informed the company, which promised a rapid solution to this issue.
After the insurance company declared the technical defect “resolved” within 24 hours, the CNIL launched a further investigation to check that the fix had been correctly implemented.
The authority found that the measures taken were inadequate, and the investigation revealed further weaknesses. For example, the company sent customers their passwords in plain text by e-mail, and customers were not advised to choose a strong, unique password.
Decision of the Data Protection Authority
The large number of technical errors, together with the disregard of basic security concepts (authentication of users), resulted in a fine of € 180,000.
The authorities noted that the company’s rapid response and comprehensive cooperation had had a mitigating effect.
GDPR provision violated: Article 32 (Security of processing)