France’s CNIL Fines Data Processor and Data Controller Over Credential-Stuffing Attack

Fox Rothschild LLP

Data Processors beware.

France’s CNIL issued an enforcement action against both a data controller (150,000 EUR) and a data processor (75,000 EUR) for inadequate information security measures leading to a credential-stuffing attack.

The attackers were able to take the last name, first name, email address, date of birth, loyalty card balances and orders of approximately 40,000 individuals.

In this case, the companies focused their response strategy on developing a tool to detect and block attacks launched from bots. However, the development of this tool took a year from the first attacks.

CNIL notes that other measures would have been preferable, including:
  • limiting the number of requests allowed per IP address on the website
  • adding a CAPTCHA.

CNIL notes that the data controller must decide on the implementation of measures and give documented instructions to the data processor. But the data processor must also seek the most appropriate technical and organizational solutions to ensure the security of personal data, and offer them to the controller.

Details on the sanctions from CNIL.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising
