Hundreds of thousands of contracts and invoices were accessible in a few clicks, with no programming expertise required. On Thursday, the French operator Bouygues Telecom was fined 250,000 euros by the National Commission for Computing and Freedom (Cnil, the French data-protection authority) for having insufficiently protected the data of 2 million customers of its brand B&You. The telecom giant had "forgotten" to put back a security feature on its website that protected sensitive data: by modifying a URL, it was possible, without any password or login, to access the contract or invoices of any customer. Two million people are affected.
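The flaw described above is the classic insecure direct object reference: the document identifier comes straight from the URL and the server never checks who is asking. The following is an added illustration, not Bouygues Telecom's code; the invoice store, the session table and the identifiers are all constructed for the example. It puts the vulnerable lookup beside a hardened one that requires a valid session and checks that the requested invoice belongs to that customer.

```python
"""Hypothetical invoice endpoint: the URL-manipulation flaw and its fix.
Constructed example, not the operator's code; data and sessions are invented."""

from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    customer_id: int
    body: str


# Constructed sample data: sequential ids, two customers.
INVOICES = {
    1001: Invoice(1001, 7, "invoice for customer 7"),
    1002: Invoice(1002, 7, "second invoice for customer 7"),
    1003: Invoice(1003, 9, "invoice for customer 9"),
}

# Constructed sessions: token -> customer id. A missing or unknown token means no login.
SESSIONS = {"tok-7": 7, "tok-9": 9}


def vulnerable_get_invoice(invoice_id: int, session_token: Optional[str]) -> Optional[str]:
    """Before: the handler trusts the id taken from the URL and ignores the caller.
    Anyone can walk /invoice/1001, /invoice/1002, ... without logging in."""
    inv = INVOICES.get(invoice_id)
    return inv.body if inv else None


def hardened_get_invoice(invoice_id: int, session_token: Optional[str]) -> Optional[str]:
    """After: require a valid session AND verify ownership of the requested invoice.
    Both failures return None (a 404 in HTTP terms) so the endpoint does not
    reveal which identifiers exist."""
    customer_id = SESSIONS.get(session_token) if session_token else None
    if customer_id is None:
        return None  # not authenticated
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.customer_id != customer_id:
        return None  # unknown invoice or someone else's: same answer either way
    return inv.body


def enumerate_ids(handler: Callable[[int, Optional[str]], Optional[str]],
                  session_token: Optional[str] = None) -> list:
    """The automated sweep the article warns about: try a range of sequential ids
    and return those that yield a document."""
    return [i for i in range(1000, 1010) if handler(i, session_token) is not None]


if __name__ == "__main__":
    print("vulnerable, no login:", enumerate_ids(vulnerable_get_invoice))
    print("hardened, no login:  ", enumerate_ids(hardened_get_invoice))
    print("hardened, customer 7:", enumerate_ids(hardened_get_invoice, "tok-7"))
```

Note that authentication alone is not the fix: a logged-in customer 9 could still request id 1001 unless the ownership check is present, which is why the hardened version compares the invoice's owner with the session's customer rather than merely requiring a session.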
The flaw has been fixed
These documents contain the last name, first name, email address, postal address, date of birth, characteristics of the telephone line, telephone number, proof of identity or consumption details, as reported by the cyber-security news site Zataz in March, when the flaw was discovered. It was Zataz that referred the matter to the Cnil last March for investigation, pointing out that an attacker could easily automate the collection of the documents and thereby obtain valuable information on potential targets. Personal data are in high demand on the black market: email addresses and phone numbers can be sold for phishing campaigns or scams. Combined with an address or with identifying details such as the names of relatives mentioned on the invoice, these data can also be used for identity theft or questionable advertising targeting... not to mention the privacy risks for people who need to keep their address confidential (judges, inspectors, journalists or celebrities).
During its investigation, the Cnil found that this security gap had affected B&You customers for more than two years. It made the sanction public, and its decision repeatedly notes the operator's lack of vigilance: it had put in place no protective measure other than authentication, and had not checked that this measure actually remained effective over that long period. "Once informed, the operator quickly patched the vulnerability and customers' personal data were no longer freely accessible," the regulator notes by contrast. The sanction concerns facts that took place entirely before the European General Data Protection Regulation (RGPD/GDPR) came into application, which explains the relatively small amount of the fine. Contacted, Bouygues Telecom says it carried out checks to determine whether the flaw had been exploited by malicious users and found no evidence that the data had circulated. The company will not notify its customers, considering the security incident to have been closed for nine months.
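The operator's statement that it checked whether the flaw had been exploited raises the question of what such a check looks like. Because the documents were reachable without a login, the signature of the automated collection Zataz warned about is a single client successfully fetching many distinct invoice identifiers, typically in sequence. The following is an added example, not the operator's own tooling: the log lines, the /factures/ path and the field layout are constructed for illustration, and a real check would run over the web server's access logs for the whole two-year window.

```python
"""Detect sequential invoice enumeration in a constructed access-log excerpt.
Added example; the paths, addresses and log format are invented."""

import re
from collections import defaultdict
from typing import Dict, List

# Constructed log excerpt: client ip, method, path, status, session cookie or "-".
# 203.0.113.5 walks five ids with no session; 198.51.100.8 re-reads its own invoice.
SAMPLE_LOG = """\
203.0.113.5 GET /factures/1001.pdf 200 -
203.0.113.5 GET /factures/1002.pdf 200 -
203.0.113.5 GET /factures/1003.pdf 200 -
203.0.113.5 GET /factures/1004.pdf 200 -
203.0.113.5 GET /factures/1005.pdf 200 -
198.51.100.8 GET /factures/1002.pdf 200 sess=abc
198.51.100.8 GET /factures/1002.pdf 200 sess=abc
192.0.2.44 GET /factures/1009.pdf 404 -
"""

# Hypothetical line layout; adjust the pattern to the real server's format.
LINE_RE = re.compile(r"^(\S+) GET /factures/(\d+)\.pdf (\d{3}) (\S+)$")


def find_enumeration(log_text: str, min_distinct: int = 5) -> Dict[str, List[int]]:
    """Return {ip: sorted invoice ids} for clients that successfully fetched at
    least `min_distinct` distinct invoices. One customer normally has a handful
    of invoices, so a client pulling many distinct ids is the sweep signature."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated request or unparseable line
        ip, inv_id, status, _cookie = m.groups()
        if status == "200":  # only successful document fetches count
            seen[ip].add(int(inv_id))
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= min_distinct}


def sequential_run(ids: List[int]) -> int:
    """Length of the longest strictly consecutive run in a sorted id list.
    A long run means the ids were walked in order, not looked up from a mailbox."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


if __name__ == "__main__":
    for ip, ids in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {len(ids)} distinct invoices, longest sequential run {sequential_run(ids)}")
```

The threshold and the run length are the knobs: a low threshold catches slow sweeps spread over many days, at the cost of more legitimate heavy users to review by hand. Absence of hits in retained logs is only as strong as the retention period, which matters when the exposure lasted more than two years.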