The French data protection authority, the CNIL, continues to fine organizations for failing to adopt what the CNIL considers to be fundamental data security measures. In May 2019, the CNIL imposed a EUR 400,000 fine on a French real estate company for failing to have basic authentication measures on a server and for retaining information too long. This is the second fine by the CNIL under the EU General Data Protection Regulation 2016/679 (GDPR) after the one against Google. The decision is among many pre-GDPR fines imposed by the CNIL for failing to meet security standards, and shows that data security continues to be a high enforcement priority for the CNIL.
French real estate company Sergic operated a website where individuals could upload information about themselves for their property rental applications. Responding to a complaint by an applicant, the CNIL investigated Sergic in September 2018, as it appeared that applicants’ documents were freely accessible without authentication (by modifying a value in the website URL). The CNIL confirmed the vulnerability and found that almost 300,000 documents were accessible in a master file containing information such as individuals’ government issued IDs, Social Security numbers, marriage and death certificates, divorce judgments, and tax, bank and rental statements. The CNIL also discovered that Sergic had been informed of the vulnerability back in March 2018 but did not fix it until September 2018.