A very interesting case that deserves closer analysis.
The fine (EUR 400,000) is about 0.9% of SERGIC's annual turnover in 2017.
During the online inspection of September 7, 2018, CNIL agents retrieved files accessible from URLs of the form
https://www.crm.sergic.com/documents/upload/eresa/X.pdf
where simply changing X gave access to another person's file.
This is a textbook insecure direct object reference: the application served any document whose identifier appeared in the URL without checking that the requester was entitled to it. SERGIC tried to argue that the CNIL agents should not have accessed the files this way, to no avail. The CNIL observes that exploiting the vulnerability does not require any particular technical expertise in computer science, and that using a script to automate it does not require advanced skills either.
(Should be good weekend reading.)
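As an added illustration of the defect at the heart of the decision (this is example code written for this note, not code from the CNIL decision or from SERGIC's systems), the two handlers below show the vulnerable pattern beside the fixed one over a constructed document store. The ids, owners and paths are made-up sample data; the `/documents/upload/eresa/` prefix mirrors the URL pattern quoted above.

```python
"""Added example, not code from the CNIL decision or from SERGIC: the access-control
defect behind the case, modelled as two request handlers over constructed data.

The vulnerable handler serves whatever document id appears in the URL; the fixed
handler ties the lookup to the authenticated user. Ids, owners and paths below are
constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str   # account the file belongs to
    path: str    # storage path on the server


# Constructed sample store: three customers' files with sequential ids, which is
# exactly what makes guessing the next one trivial.
DOCUMENTS = {
    1001: Document(1001, "alice", "/documents/upload/eresa/1001.pdf"),
    1002: Document(1002, "bob", "/documents/upload/eresa/1002.pdf"),
    1003: Document(1003, "carol", "/documents/upload/eresa/1003.pdf"),
}


def get_document_vulnerable(doc_id: int) -> tuple[int, Optional[str]]:
    """Insecure direct object reference: every existing id is served to anyone,
    authenticated or not. Returns (HTTP status, path or None)."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return 404, None
    return 200, doc.path


def get_document_fixed(requester: Optional[str], doc_id: int) -> tuple[int, Optional[str]]:
    """Same lookup, with the authorisation check the vulnerable version lacks:
    the requester must be authenticated and must own the document. A foreign id
    gets the same 404 as a non-existent one, so the response does not confirm
    which ids exist."""
    if requester is None:
        return 401, None
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != requester:
        return 404, None
    return 200, doc.path


def enumerate_ids(handler: Callable[[int], tuple[int, Optional[str]]],
                  candidates: Iterable[int]) -> list[int]:
    """The kind of script the CNIL had in mind: walk a range of candidate ids and
    keep those the handler answers with 200."""
    return [i for i in candidates if handler(i)[0] == 200]


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable, anonymous:", enumerate_ids(get_document_vulnerable, ids))
    print("fixed, as bob:", enumerate_ids(lambda i: get_document_fixed("bob", i), ids))
    print("fixed, anonymous:", enumerate_ids(lambda i: get_document_fixed(None, i), ids))
```

Against the vulnerable handler an anonymous enumeration of ten candidate ids yields all three files; against the fixed handler an authenticated user sees only their own file and an anonymous caller sees none. Replacing sequential ids with random tokens raises the cost of guessing but is not a substitute for the ownership check; the check in the handler is the actual fix, and a burst of 404s from one client is the signal to alert on.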
Includes a completed online inspection of 172 WordPress web sites; planned activities include, e.g., inspections of data deletion in SAP, questionnaires, detailed expectations on controls, ..
In 2012, the Bavarian DPA scanned German web sites for privacy-compliant use of Google Analytics.
The DPA checked
- if a written processing agreement had been put in place with Google,
- if the privacy notice on the web site was transparent about the use of Google Analytics and about the users' option to opt out of being tracked,
- if the Google Analytics "anonymization feature" (IP anonymization, i.e. the `_anonymizeIp` call in the tracking snippet) was enabled in the web site's source code.
13,404 web sites were tested; 2,371 companies were contacted about shortcomings.
More information (in German) at https://www.lda.bayern.de/de/google_analytics.html
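As an added example of how the third check can be automated (this is illustrative code written for this note, not the Bavarian DPA's tool), the scanner below classifies a page's HTML source by whether it loads Google Analytics and whether the IP anonymization option is set. The sample pages are constructed and the property id UA-00000000-1 is a placeholder; the patterns cover the legacy ga.js snippet that was current in 2012 and, going beyond the 2012 scan, the later analytics.js and gtag.js forms.

```python
"""Added example, not the Bavarian DPA's tool: a static check for whether the
Google Analytics tracking code in a page's source enables IP anonymization.
The HTML pages are constructed samples; UA-00000000-1 is a placeholder id.
"""
import re

# Evidence that Google Analytics is loaded at all, one pattern per API generation.
GA_LOADER = [
    re.compile(r"google-analytics\.com/ga\.js"),         # ga.js (legacy, 2012)
    re.compile(r"google-analytics\.com/analytics\.js"),  # analytics.js
    re.compile(r"googletagmanager\.com/gtag/js"),        # gtag.js
]

# Evidence that IP anonymization is switched on, one pattern per API generation.
GA_ANONYMIZED = [
    re.compile(r"_gat\._anonymizeIp"),                                                # _gaq.push(['_gat._anonymizeIp'])
    re.compile(r"ga\(\s*['\"]set['\"]\s*,\s*['\"]anonymizeIp['\"]\s*,\s*true\s*\)"),  # ga('set', 'anonymizeIp', true)
    re.compile(r"['\"]?anonymize_ip['\"]?\s*:\s*true"),                               # gtag config {'anonymize_ip': true}
]


def check_analytics(html: str) -> str:
    """Classify one page's source as 'no_ga', 'ga_anonymized' or 'ga_not_anonymized'."""
    if not any(p.search(html) for p in GA_LOADER):
        return "no_ga"
    if any(p.search(html) for p in GA_ANONYMIZED):
        return "ga_anonymized"
    return "ga_not_anonymized"


def scan(pages: dict[str, str]) -> dict[str, str]:
    """Run the check over a {site: html} map, the shape of a DPA-style sweep."""
    return {site: check_analytics(html) for site, html in pages.items()}


def shortcomings(results: dict[str, str]) -> list[str]:
    """Sites that load Google Analytics without the anonymization feature."""
    return sorted(site for site, r in results.items() if r == "ga_not_anonymized")


def gajs_page(anonymize: bool) -> str:
    """Constructed page using the legacy ga.js snippet, optionally with the
    _anonymizeIp call the DPA looked for."""
    anon = "_gaq.push(['_gat._anonymizeIp']);\n" if anonymize else ""
    return ("<script>var _gaq = _gaq || [];\n"
            "_gaq.push(['_setAccount', 'UA-00000000-1']);\n" + anon +
            "_gaq.push(['_trackPageview']);\n"
            "(function(){var ga=document.createElement('script');"
            "ga.src='https://ssl.google-analytics.com/ga.js';"
            "document.head.appendChild(ga);})();</script>")


# Constructed sample sites; the last one sets the flag but to false, which a
# naive "is the word anonymizeIp present" check would wrongly pass.
SAMPLE_PAGES = {
    "plain.example": "<html><body>no tracking here</body></html>",
    "gajs-noanon.example": gajs_page(anonymize=False),
    "gajs-anon.example": gajs_page(anonymize=True),
    "analyticsjs-anon.example": (
        "<script src='https://www.google-analytics.com/analytics.js'></script>"
        "<script>ga('create','UA-00000000-1','auto');"
        "ga('set', 'anonymizeIp', true);ga('send','pageview');</script>"),
    "analyticsjs-false.example": (
        "<script src='https://www.google-analytics.com/analytics.js'></script>"
        "<script>ga('create','UA-00000000-1','auto');"
        "ga('set','anonymizeIp',false);ga('send','pageview');</script>"),
}


if __name__ == "__main__":
    results = scan(SAMPLE_PAGES)
    for site, verdict in results.items():
        print(f"{site}: {verdict}")
    print("contact for shortcomings:", shortcomings(results))
```

A static source check of this kind misses tracking code injected through a tag manager or buried in minified bundles, so a thorough audit also watches the collection hits the browser actually sends and confirms the `aip=1` parameter is present on them.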