Reuters reports that the CNIL has fined the Parisian telecom, but they don’t provide any real details as to what happened. But here’s a translation, via Google, of the CNIL’s press release:
In March 2018, the CNIL received a report informing it of the existence of a security incident which led to making freely accessible the personal data of customers of the B & You brand, held by BOUYGUES TELECOM. In the following days, the latter notified the data breach to the CNIL.
A check was made in the premises of the operator. This check confirmed the existence of a vulnerability allowing access to contracts and invoices of B & You customers by simply modifying a URL address on the BOUYGUES TELECOM website. This security flaw has impacted the data of more than two million B & You customers for more than two years.
After being informed, the operator quickly corrected the vulnerability and the personal data of the customers were no longer freely accessible.
The restricted training of the CNIL imposed a financial penalty of 250 000 euros, considering that the company had breached its obligation to ensure the security of the personal data of users of its site, in accordance with Article 34 of the the law Informatique et Libertés .
Restricted training found that the security defect originated in the failure to reactivate on the site, after a test phase, the authentication function in the customer area which had been deactivated for the sole purpose of these tests . However, it considered that it was up to the company to be particularly vigilant as to the effectiveness of its authentication mechanism, given its choice not to put in place additional security measures.
The restricted training took into account the high reactivity of the operator in the resolution of the security incident as well as the numerous measures put in place by the company to limit its consequences.
The sanction imposed by the restricted training concerns facts that took place entirely before the entry into force of the European regulation on the protection of personal data.