DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

French watchdog fines Bouygues 250,000 euros for data security breach

Posted on December 27, 2018 by Dissent

Reuters reports that the CNIL has fined the Parisian telecom, but they don’t provide any real details as to what happened. But here’s a translation, via Google, of the CNIL’s press release:

In March 2018, the CNIL received a report informing it of the existence of a security incident which led to making freely accessible the personal data of customers of the B & You brand, held by BOUYGUES TELECOM. In the following days, the latter notified the data breach to the CNIL.

A check was made in the premises of the operator. This check confirmed the existence of a vulnerability allowing access to contracts and invoices of B & You customers by simply modifying a URL address on the BOUYGUES TELECOM website. This security flaw has impacted the data of more than two million B & You customers for more than two years. 

After being informed, the operator quickly corrected the vulnerability and the personal data of the customers were no longer freely accessible.
The restricted training of the CNIL imposed a financial penalty of 250 000 euros, considering that the company had breached its obligation to ensure the security of the personal data of users of its site, in accordance with Article 34 of the the law Informatique et Libertés .


Restricted training found that the security defect originated in the failure to reactivate on the site, after a test phase, the authentication function in the customer area which had been deactivated for the sole purpose of these tests . However, it considered that it was up to the company to be particularly vigilant as to the effectiveness of its authentication mechanism, given its choice not to put in place additional security measures.


The restricted training took into account the high reactivity of the operator in the resolution of the security incident as well as the numerous measures put in place by the company to limit its consequences.


The sanction imposed by the restricted training concerns facts that took place entirely before the entry into force of the European regulation on the protection of personal data.

No related posts.

Category: Business SectorCommentaries and AnalysesNon-U.S.Of Note

Post navigation

← Four months after disclosing breach, Adams County, Wisconsin notifies HHS
BevMo notifying thousands of customers after malware compromise of ecommerce site →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.