CNIL fines SERGIC 400,000 EUR (web site vulnerability)

Very interesting case, that needs some closer analysis.

The fine is about 0.9% of SERGIC’s annual turnover in 2017.

During the on-line audit of September 7, 2018, CNIL agents retrieved files accessible from URLs composed as follows:
https: //www.crm.sergic .com / documents / upload / eresa / X.pdf
– where by changing X you could access another persons’s file.

SERGIC tries to argue that they shouldn’t have done that, etc.. – to no avail. CNIL observes that exploiting vulnerability does not require any particular technical expertise in computer science. CNIL also consider that the use of a script does not require any advanced skills to exploit this vulnerability.

(Should be good week-end reading.)

https://www.legifrance.gouv.fr/affichCnil.do?id=CNILTEXT000038552658

Germany/Bavaria: DPA scanning for web sites for privacy-compliant Google Analytics use

In 2012, the Bavarian DPA scanned German web sites for the privacy compliant use of Google Analytics.

The DPA checked

  • if a written processing agreement had been put in place with Google,
  • if the privacy notice on the web site was transparent on the use of Google Analytics and the users’ option to avoid being tracked
  • if the Google Analytics’ “anonymization feature” was enabled in the web site’s source code

13.404 Webseiten had been tested 2.371 companies were contacted for shortcomings.

More information (in German) on  https://www.lda.bayern.de/de/google_analytics.html