France’s CNIL Fines Data Processor and Data Controller Over Credential-Stuffing Attack

Fox Rothschild LLP

Data Processors beware.

France’s CNIL issued an enforcement action against both a data controller (150,000 EUR) and a data processor (75,000 EUR) for inadequate information security measures leading to a credential-stuffing attack.

The attackers were able to obtain the last name, first name, email address, date of birth, loyalty card balance and order history of approximately 40,000 individuals.

In this case, the companies focused their response strategy on developing a tool to detect and block attacks launched from bots. However, the development of this tool took a year from the first attacks.

CNIL notes that other measures would have been preferable, including:
  • limiting the number of requests allowed per IP address on the website
  • adding a CAPTCHA.
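The first of those two measures, a per-IP limit on login requests, is simple enough to show concretely. The following is an added example and is not code from the post, from Fox Rothschild or from the CNIL decision: a sliding-window rate limiter keyed on source IP, replayed over a constructed login log (the addresses, usernames and thresholds are all made up for illustration). It also counts distinct usernames per IP, since many different accounts tried from one address within a short window is the usual signature of credential stuffing as opposed to a single user mistyping a password.

```python
from collections import defaultdict, deque

# Constructed login log, one attempt per line: "epoch_seconds src_ip username outcome".
# These are documentation-range IPs and invented usernames, not real data.
SAMPLE_LOG = """\
1000 203.0.113.7 alice FAIL
1001 203.0.113.7 bob FAIL
1002 203.0.113.7 carol FAIL
1003 203.0.113.7 dave FAIL
1004 203.0.113.7 erin OK
1005 203.0.113.7 frank FAIL
1010 198.51.100.3 alice FAIL
1015 198.51.100.3 alice FAIL
1020 198.51.100.3 alice OK
1100 203.0.113.7 grace FAIL
"""


class PerIpRateLimiter:
    """Sliding-window limit on login attempts per source IP.

    Keeps a deque of attempt timestamps per IP; attempts older than the
    window are discarded before the count is compared with the limit.
    """

    def __init__(self, max_attempts: int, window_seconds: float):
        self.max_attempts = max_attempts          # assumed threshold, tune per site
        self.window_seconds = window_seconds
        self._times = defaultdict(deque)

    def allow(self, ip: str, now: float) -> bool:
        """Record an attempt from ip at time now. Return False if it exceeds the limit."""
        q = self._times[ip]
        while q and now - q[0] >= self.window_seconds:
            q.popleft()                          # expire attempts outside the window
        if len(q) >= self.max_attempts:
            return False                         # over limit: block or serve a challenge
        q.append(now)
        return True


def parse_log(text: str):
    """Yield (timestamp, ip, username, outcome) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        yield float(ts), ip, user, outcome


def replay_login_log(text: str, max_attempts: int = 5, window_seconds: float = 60):
    """Replay a login log through the limiter and return per-IP statistics:
    total attempts, attempts the limiter would have blocked, and distinct usernames."""
    limiter = PerIpRateLimiter(max_attempts, window_seconds)
    stats = defaultdict(lambda: {"attempts": 0, "blocked": 0, "users": set()})
    for ts, ip, user, outcome in parse_log(text):
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if not limiter.allow(ip, ts):
            s["blocked"] += 1
    return {
        ip: {"attempts": s["attempts"], "blocked": s["blocked"],
             "distinct_users": len(s["users"])}
        for ip, s in stats.items()
    }


def suspicious_sources(stats: dict, min_distinct_users: int = 5) -> set:
    """IPs that tried at least min_distinct_users different accounts: a credential-stuffing
    indicator that a plain per-IP counter does not capture on its own."""
    return {ip for ip, s in stats.items() if s["distinct_users"] >= min_distinct_users}


if __name__ == "__main__":
    result = replay_login_log(SAMPLE_LOG)
    for ip, s in result.items():
        print(ip, s)
    print("suspicious:", suspicious_sources(result))
```

In production the limiter state lives in a shared store (for example a cache shared by all web nodes) rather than in process memory, and the response to an over-limit IP is typically the CAPTCHA the post mentions rather than a hard block, so that legitimate users behind a shared address are slowed down instead of locked out. The distinct-username count is what separates a stuffing campaign from one user retrying a forgotten password, which is why both signals are worth logging even where only one drives the block decision.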

CNIL notes that the data controller must decide on the implementation of measures and give documented instructions to the data processor. But the data processor must also seek the most appropriate technical and organizational solutions to ensure the security of personal data, and offer them to the controller.

Details on the sanctions from CNIL.
