
France: CNIL fines data processor €75,000 for inadequate measures to deal with credential stuffing attacks

The French data protection authority ('CNIL') announced, on 27 January 2021, its decision to fine a data processor €75,000 for its failure to implement adequate measures to deal with credential stuffing attacks on its data controller's website. In particular, CNIL noted that its investigation of the data controller's website had indicated that it had suffered numerous credential stuffing attacks involving stolen account credentials, such as email addresses, and their subsequent use by attackers to access account information related to customer orders and loyalty card balances. Further to this, CNIL found that the data controller and processor had failed to take adequate measures to ensure the security of customers' personal data, in violation of Article 32 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). More specifically, CNIL considered that the data controller and processor had been slow in developing a tool for detecting and blocking the attacks, and noted that they had failed to take measures such as using CAPTCHA for user account authentication or limiting the number of requests per IP address. In addition, in setting the fine, CNIL noted the data processor's obligation to identify the most appropriate technical and organisational security measures and to propose them to its controller.
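The two measures CNIL singled out, a per-IP request limit and a tool that detects credential stuffing, as an added example (my code, not from CNIL, DataGuidance or the fined processor): it replays constructed login events and flags source IPs that should be challenged with a CAPTCHA or blocked. The window and thresholds are assumed values to be tuned against real traffic.

```python
from collections import defaultdict, deque

# Thresholds per source IP inside a sliding window (assumed values, tune to real traffic).
WINDOW_SECONDS = 60
MAX_ATTEMPTS_PER_IP = 10      # total login attempts from one IP in the window
MAX_ACCOUNTS_PER_IP = 5       # distinct accounts tried from one IP in the window


def detect_credential_stuffing(events, window=WINDOW_SECONDS,
                               max_attempts=MAX_ATTEMPTS_PER_IP,
                               max_accounts=MAX_ACCOUNTS_PER_IP):
    """Replay login attempts in time order and return {ip: reason} for IPs that
    should be challenged (CAPTCHA) or blocked. Each event is (ts, ip, account).
    A credential-stuffing source is characterised by many *different* accounts
    tried from one address, so that rule fires even below the raw rate limit."""
    recent = defaultdict(deque)   # ip -> deque of (ts, account) still inside the window
    flagged = {}
    for ts, ip, account in sorted(events):
        attempts = recent[ip]
        attempts.append((ts, account))
        while attempts and attempts[0][0] < ts - window:   # expire old attempts
            attempts.popleft()
        if ip in flagged:
            continue
        if len(attempts) > max_attempts:
            flagged[ip] = "rate-limit"
        elif len({acct for _, acct in attempts}) > max_accounts:
            flagged[ip] = "distinct-accounts"
    return flagged


# Constructed sample traffic, not real logs (documentation IP ranges).
SAMPLE_EVENTS = (
    # stuffing source: a fresh leaked e-mail address every second
    [(t, "203.0.113.7", f"user{t}@example.com") for t in range(8)]
    # single-account brute force: well above the per-IP request cap
    + [(t, "192.0.2.9", "victim@example.com") for t in range(12)]
    # legitimate user mistyping a password three times, then logging in
    + [(t, "198.51.100.4", "alice@example.com") for t in (0, 5, 10, 15)]
    # the same user an hour later; the earlier attempts have expired
    + [(3600, "198.51.100.4", "alice@example.com")]
)

if __name__ == "__main__":
    for ip, reason in detect_credential_stuffing(SAMPLE_EVENTS).items():
        print(f"challenge/block {ip}: {reason}")
```

The distinct-accounts rule is the one that catches stuffing: a single source cycling through leaked e-mail addresses stays under a naive rate cap while a legitimate user retrying one account never trips either rule.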

You can read the announcement, only available in French, here.