CNIL fines SERGIC 400,000 EUR (web site vulnerability)

Very interesting case, that needs some closer analysis.

The fine is about 0.9% of SERGIC’s annual turnover in 2017.

During the on-line audit of September 7, 2018, CNIL agents retrieved files accessible from URLs composed as follows:
https://www.crm.sergic.com/documents/upload/eresa/X.pdf
– where, by changing X, you could access another person’s file.

SERGIC tries to argue that the CNIL agents shouldn’t have done that, etc. – to no avail. CNIL observes that exploiting the vulnerability does not require any particular technical expertise in computer science. CNIL also considers that the use of a script to exploit this vulnerability does not require any advanced skills.

(Should be good week-end reading.)

France/CNIL – Data breach – The French Conseil d’Etat lowers the amount of a fine imposed by the French Data Protection Authority

In a decision dated 17 April 2019, the Conseil d’Etat (the Supreme Administrative Court) confirmed a decision of sanction issued by the French Data Protection Authority (the CNIL) but reduced the amount of the sanction from €250,000 to €200,000.

This decision gives useful guidance: in the event of a data breach, implementing corrective measures is an argument for obtaining a reduced fine if the CNIL later brings proceedings.

CNIL sanctions DARTY (100,000 Euro)

Interesting case – data breach due to ticket ID enumeration in the URL of a standard piece of software (developed by a service provider) – CNIL sanctions the data controller.

  • CNIL was informed in February 2017 of a security vulnerability in a URL, which would have allowed access to the data of several thousand customers of the company DARTY.
  • An online check by CNIL in March 2017 revealed the security vulnerability in a form allowing the company’s customers to submit an after-sales service request. Once the form had been filled in with an e-mail address and a password, a hypertext link corresponding to the registration number of the request allowed access to its follow-up. The identifier (ticket number) was contained in the URL as follows: XXX.
    By changing the ID number in this URL, an attacker would be able to access customer service request forms completed by other customers.
  • 912,938 files were potentially accessible. During the inspection, 7,417 of them were downloaded for sampling. It was found that personal data of customers were accessible in these files, such as their surname, first name, postal address, e-mail address and their orders. At the end of the audit, the delegation contacted the company to inform it of the existence of this personal data breach.
  • An on-premise inspection by CNIL revealed that the support form had been developed by a service provider.
  • The controller should have checked access controls and tested for vulnerabilities.
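Both the SERGIC and the DARTY cases come down to the same defect: the URL carries a record number and the server hands back the record without checking who is asking. The following is an added illustration, not SERGIC’s, DARTY’s or the service provider’s code; the store, the user names and the byte contents are constructed sample data. It puts the unchecked lookup next to one that authorises on every request, and adds the check a controller could run to see how many records a single logged-in session can reach by walking the id space.

```python
# Added illustration of the access-control defect behind the SERGIC and DARTY
# cases (constructed example, not the audited code).
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional


@dataclass
class Document:
    owner: str      # account the record belongs to
    content: bytes  # e.g. the PDF or the service-request form


@dataclass
class DocumentStore:
    # Sequential ids, as in the audited URLs (".../X.pdf", ticket number).
    docs: Dict[str, Document] = field(default_factory=dict)

    def add(self, owner: str, content: bytes) -> str:
        doc_id = str(len(self.docs) + 1)
        self.docs[doc_id] = Document(owner, content)
        return doc_id


def fetch_vulnerable(store: DocumentStore, session_user: str, doc_id: str) -> Optional[bytes]:
    """The defect: only checks that the id exists. session_user is ignored,
    so any logged-in (or even anonymous) client can read every record."""
    doc = store.docs.get(doc_id)
    return doc.content if doc else None


def fetch_checked(store: DocumentStore, session_user: str, doc_id: str) -> Optional[bytes]:
    """Authorise on every request: the record must belong to the session's
    user. An unknown id and another user's id both return None (served as
    404 by the caller), so the response does not reveal which ids exist."""
    doc = store.docs.get(doc_id)
    if doc is None or doc.owner != session_user:
        return None
    return doc.content


def enumeration_exposure(fetch: Callable[[DocumentStore, str, str], Optional[bytes]],
                         store: DocumentStore, session_user: str,
                         id_range: Iterable[int]) -> List[str]:
    """Controller-side test: walk the id space with one session and list the
    ids that come back. With correct access control the result is exactly
    the session user's own records."""
    return [i for i in map(str, id_range) if fetch(store, session_user, i) is not None]
```

Unguessable identifiers (random tokens instead of counters) reduce exposure but do not replace the per-request ownership check; a leaked link to a record must still fail for a user who does not own it.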

[UK/India] – Health Company Fined by UK’s ICO

  • A subcontractor based in India processed sensitive personal data without adequate data processing / data transfer grounds
  • Lack of contractual definition of adequate technical and organisational measures in India
  • Sensitive personal data (of high severity) sent via unencrypted email
  • Sensitive personal data held on an FTP server without restricted access controls
  • A patient found his/her data via an Internet search

(from 2015) Rethinking Personal Data Breaches (EU)

So as the world stands still – and waits for GDPR to pass the European Parliament vote in a few days, and just before we are all hit by a wave of audit/certification/consulting firms selling their services – here’s a quick look at Personal Data Breaches.

According to Opinion 03/2014 of the Article 29 Working Party – which back in the day was just an opinion, but now gets quite a bit more muscle:

Most people think of a data breach as an event in which data is accessed by an unauthorized person, resold on the darknet, made public by some miscreant, etc.

The Article 29 Working Party took a much more holistic view – and includes loss of integrity and timely accessibility along with the loss of confidentiality.

Opinion 03/2014 gives examples of data breaches and walks the reader through assessing the impact. While the GDPR will provide us with more details and requirements (e.g. to notify within 72 hours), the Opinion does a good job of illustrating the underlying thinking.

So quoting from the Opinion:

Case 1: Four laptop computers were stolen from a “Children’s Healthcare Institute”; they stored sensitive health and social welfare data as well as other personal data concerning 2050 children.

  • Potential consequences and adverse effects of the confidentiality breach:
    The first impact is a breach of medical secrecy: the database contains intimate medical information on the children which are available to unauthorized people. [..]
  • Potential consequences and adverse effects of the availability breach: 
    It may disturb the continuity of children’s treatment leading to aggravation of the disease or a relapse. [..]
  • Potential consequences and adverse effects of the integrity breach:
    The lost data may affect the integrity of the medical records and disrupt the treatments of the children. For example, if only an old back-up of the medical records exists, all changes to the data that were made on the stolen computers will be lost, leading to corruption of the integrity of the data. The use of medical records that are not up-to-date may disrupt the continuity of children’s treatments leading to aggravation of the disease or a relapse. [..]

So the overall paradigm is a bit different than elsewhere. It will be interesting to see how many changes were made to the GDPR at the last minute, but assessments like the one above should be commonplace in 2018 and beyond.