CNIL fines SERGIC 400,000 EUR (web site vulnerability)

Very interesting case, that needs some closer analysis.

The fine is about 0.9% of SERGIC’s annual turnover in 2017.

During the on-line audit of September 7, 2018, CNIL agents retrieved files accessible from URLs composed as follows:
https: //www.crm.sergic .com / documents / upload / eresa / X.pdf
– where by changing X you could access another persons’s file.

SERGIC tries to argue that they shouldn’t have done that, etc.. – to no avail. CNIL observes that exploiting vulnerability does not require any particular technical expertise in computer science. CNIL also consider that the use of a script does not require any advanced skills to exploit this vulnerability.

(Should be good week-end reading.)

https://www.legifrance.gouv.fr/affichCnil.do?id=CNILTEXT000038552658