Data protection breach: payment provider Slimpay sanctioned
Slimpay is an approved payment institution that facilitates recurring payments on the internet. It has just been fined €180,000 by the CNIL for leaving the personal data of 12 million people freely accessible. The company insufficiently protected users' personal data and failed to notify them of a data breach.

The cobbler's children go barefoot

There is a particular irony in this sanction: in October 2021 the managing director of Slimpay published an opinion piece stressing the need to call on trusted providers for protection against fraud, for customers and merchants alike. "For the consumer, it is necessary to check the reliability and security of the platforms and websites used," he wrote. "For e-merchants, the protection of their buyers' personal data and the security of their sites are the priority areas to be taken into consideration," the CEO warned. An attack can occur at any time by exploiting vulnerabilities. "There is always a hacker ready to try the scam of the century," he continued. The manager warned against "ill-intentioned people when they use so-called 'classic' fraud such as identity theft, phishing, or even vishing (telephone phishing)". "In a context where more and more fraudulent tactics are to be deplored, protecting sensitive data has become essential," he advised.

The data was probably not used fraudulently
Faced with the CNIL, Slimpay defended itself by arguing that the data had probably not been used fraudulently. The CNIL nonetheless finds a breach of Article 32 of the GDPR (security of processing), considering that the absence of proven damage has no bearing on the existence of the security defect.
The CNIL also found a breach of the obligation to inform the persons concerned of a data breach under Article 34 of the GDPR. The CNIL considers the risk associated with the breach to be high given the nature of the data and the volume involved, since 12 million people are affected. The data include banking information and make it possible to identify the people concerned, exposing them to phishing and identity theft. Slimpay should therefore have informed everyone concerned, which it did not do.
It all started with an internal research project launched in 2015, for which Slimpay used the personal data contained in its databases. When the project ended in July 2016, the data remained stored on a server that was freely accessible from the internet and not subject to any particular security procedure. It was not until February 2020 that Slimpay became aware of the data breach, which affected around 12 million people.

Access to the data possible for 4 years

During an on-site inspection in 2020, the CNIL noted that access to the server used for the research was not subject to any security measure. It could be reached from the internet for four years, between November 2015 and February 2020. Civil status data (title, surname, first name), postal and email addresses, telephone numbers and bank details (BIC and IBAN) of more than 12 million people were thus compromised.

Finally, Slimpay failed in its obligation under Article 28 of the GDPR to govern, by a formal legal act, the processing carried out by its processors (subcontractors). Some of the contracts Slimpay concluded with its service providers do not contain all the clauses ensuring that these processors undertake to process personal data in accordance with the GDPR. Article 28(3) of the GDPR lists several obligations that must appear in such contracts; some of the contracts contain none of them.
Those affected by the data breach were located in several European Union countries. The CNIL therefore cooperated with the supervisory authorities of four other countries: Germany, Spain, Italy and the Netherlands.