The French Data Protection Authority (the “CNIL”) announced (in French) on January 29, 2021 that it was imposing a fine of €150,000 on a data controller, and €75,000 on its data processor, for failure to implement adequate security measures. The CNIL found that inadequate security resulted in credential stuffing attacks on the data controller’s websites. In its decision, the CNIL did not reveal the names of the companies sanctioned.

The CNIL received several dozen personal data breach notifications from a website that individuals routinely use to make online purchases. In investigations of both the company responsible for processing the data through the website (the data controller) and the service provider operating the website on behalf of the company (the processor), the CNIL found that the site in question had been the victim of numerous credential stuffing attacks. Credential stuffing occurs when a bad actor takes lists of login credentials leaked in earlier data breaches and circulated on the dark web and replays them against the login page of another site, relying on users having reused the same password. The CNIL found that the attackers could access account information that included: first and last name, email address, date of birth, loyalty card number, and balance and details of orders placed on the site. Between March 2018 and February 2019, approximately 40,000 customer accounts were accessible to unauthorized third parties.

The CNIL found that the data controller and the data processor failed to protect the security of the customers’ personal data, in violation of Article 32 of the EU General Data Protection Regulation (the “GDPR”). It found that both the controller and the processor waited too long to implement measures to effectively address the repeated credential stuffing attacks. While the companies eventually developed a tool to detect and block the attacks, the tool was not developed until one year after the attacks began.

In the meantime, the CNIL found that the companies did not implement other readily available measures that would have provided more immediate security benefits. These include (1) limiting the number of requests authorized per IP address on the website and (2) using a CAPTCHA when users first attempt to log into their accounts.
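As an added illustration, not code from the CNIL decision or from the companies involved, the two measures the CNIL named can be combined into a small login gate: a sliding-window request limit per source IP, and a CAPTCHA step-up once one address starts cycling through several distinct accounts, which is the signature of a credential stuffing run. The thresholds, IP addresses and usernames below are constructed assumptions.

```python
from collections import defaultdict, deque

# Thresholds are illustrative assumptions, not values from the CNIL decision.
MAX_ATTEMPTS_PER_WINDOW = 5   # login attempts allowed per source IP per window
WINDOW_SECONDS = 60
DISTINCT_USERS_CHALLENGE = 3  # distinct accounts tried from one IP -> CAPTCHA


class LoginGate:
    """Per-IP sliding-window limiter with a CAPTCHA step-up.

    A stuffing bot replays leaked credentials for many *different* accounts
    from one address, so we track distinct usernames per IP as well as the
    raw request rate. The username set is deliberately sticky: a source that
    has already cycled many accounts stays on step-up after the window resets.
    """

    def __init__(self):
        self._attempts = defaultdict(deque)  # ip -> timestamps in current window
        self._users = defaultdict(set)       # ip -> usernames seen from that ip

    def _prune(self, ip, now):
        q = self._attempts[ip]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()

    def check(self, ip, username, now):
        """Return 'allow', 'challenge' (require CAPTCHA) or 'block'."""
        self._prune(ip, now)
        self._users[ip].add(username)
        if len(self._attempts[ip]) >= MAX_ATTEMPTS_PER_WINDOW:
            return "block"            # measure (1): per-IP request limit hit
        self._attempts[ip].append(now)
        if len(self._users[ip]) >= DISTINCT_USERS_CHALLENGE:
            return "challenge"        # measure (2): CAPTCHA before login proceeds
        return "allow"


# Constructed sample of login events: (epoch seconds, source ip, username).
SAMPLE_EVENTS = [
    (0, "203.0.113.7", "alice"), (1, "203.0.113.7", "bob"), (2, "203.0.113.7", "carol"),
    (3, "203.0.113.7", "dave"), (4, "203.0.113.7", "erin"), (5, "203.0.113.7", "frank"),
    (6, "203.0.113.7", "grace"),                      # one IP, seven accounts
    (10, "198.51.100.2", "alice"), (12, "198.51.100.2", "alice"),  # a real user retrying
    (70, "203.0.113.7", "heidi"),                     # window expired, still suspicious
]


def replay(events):
    """Run the gate over a sequence of events and return one decision per event."""
    gate = LoginGate()
    return [gate.check(ip, user, ts) for ts, ip, user in events]
```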

The CNIL imposed a fine on both the data controller and the data processor, emphasizing that the data controller must implement appropriate security measures and must provide and document security instructions to its data processor. It noted that the data processor also must identify technical and organizational solutions to promote data security and must propose those solutions to the data controller.