French Data Protection Fine for failure to take adequate security measures
CNIL fined FRANCE TRAVAIL, a national public administration institute. Hackers had managed to access France Travail’s information systems using a social engineering attack. CNIL concluded that the technical and organisational measures implemented to secure personal data were inadequate.
- Social engineering attack: a technique that exploits people’s trust or ignorance to obtain access. It is commonly carried out through phishing emails, fake calls (vishing), SMS/WhatsApp scams (smishing), impersonation on social media, or in-person deception.
- Adequate security measures:
  - CNIL found that most of the appropriate security measures had been identified in the impact assessment before the data processing commenced.
  - These measures were not implemented, even though the impact assessment had identified them.
  - The account access authorisations granted to the advisers were defined too broadly, which allowed the hackers to access large volumes of data.
- Actions taken: CNIL took the following actions:
  - Imposed a fine of 5 million euros.
  - Ordered FRANCE TRAVAIL to justify the corrective measures with a precise implementation schedule.
  - Imposed a penalty of 5000 euros per day.


