CNIL imposes fine of 225,000 euros

Data controller and its processor have been fined 225,000 euros by the French data protection authority for breaching security requirements related to credential stuffing.

On January 27, 2021, the French data protection authority announced that it had fined a data controller €150,000 and its processor €75,000. Both had failed to take adequate security measures to protect its customers’ personal data against credential stuffing attacks on the Data Controller’s website.

Meanwhile, the names of the sanctioned companies are not known because CNIL chose not to make its decisions public.

Following several reports of data breaches on the data controller’s website between June 2018 and January 2020, CNIL undertook investigations into the data processing activities of the company concerned. In addition, the processing practices of the involved service provider (data processor) were also examined. The affected website serves several million customers to make online purchases.

Vulnerability to credential stuffing attacks

Investigations revealed that the affected website was the victim of numerous credential stuffing attacks. This kind of data breach involves using credentials of users that the attacker found on the dark web. The attacker exploits the fact that many users use the same password and username for different web services. With the help of different programs, the attacker then launches login requests on several websites at the same time. In the worst case, the attacker can then view the account information and misuse the respective data for his own purposes. In this case, data such as first and last name, email address, date of birth, customer card number and credit balance as well as details of orders placed on the website were affected. In the period between March 2018 and February 2019, around 40,000 customer accounts were allegedly made accessible to unauthorized third parties.

The investigation rather revealed that the data controller and the service provider were also at fault. The data controller and the data processor had failed to take precautions through appropriate technical and organizational measures to prevent or mitigate such attacks. According to the authority, both companies had delayed too long to implement measures to effectively combat repeated credential stuffing attacks. Although the companies had decided to detect and block the attacks by developing a specific tool, this solution was not developed until a year after the initial attacks. The companies should have used this year to take further measures. For example, it would have been possible to limit the number of requests allowed per IP address on the website or to use a CAPTCHA when users first try to log in to their accounts.

Controllers are required by Article 32 of the GDPR to protect the security of customers’ personal data as best they can. It is therefore not enough to hold out the prospect of security measures. If an attack on user data takes place, remedial measures must be taken as soon as possible.

Sanctions

CNIL decided to impose a fine on both the data controller and the data processor. It was emphasized that the data controller, must implement appropriate security measures and provide documented instructions to its data processor. At the same time, the data processor itself must work out the most appropriate technical and organizational solutions to ensure data security and propose these solutions to the data controller.