The restricted committee of the CNIL has recently sanctioned a data controller and its data processor, for amounts of 150,000 euros and 75,000 euros respectively, for failing to implement adequate measures against credential stuffing attacks on the data controller's website.
Between June 2018 and January 2020, the CNIL received notifications of personal data breaches affecting a website on which several million customers regularly shop. The CNIL decided to carry out checks on the data controller and on the data processor to which the management of the website had been entrusted.
During its investigation, the CNIL found that the website had suffered numerous credential stuffing attacks. In this type of attack, an attacker retrieves lists of plaintext identifiers and passwords published online, generally after a data breach. Relying on the fact that many users reuse the same password and the same identifier (email address) across different services, the attacker uses bots to attempt a large number of logins to websites. When authentication succeeds, the attacker can view the information associated with the account.
The CNIL observed that the attackers were able to access the following information: the customer's first name, surname, email address and date of birth, but also the number and balance of their loyalty card and details of their orders.
Insufficient security measures
The restricted committee – the body of the CNIL that pronounces sanctions – considered that the two companies had failed to meet their obligation to protect the security of customers' personal data, as required by Article 32 of the GDPR.
In essence, the companies were slow to implement measures to counter these attacks. They chose to focus their strategy on developing a tool to detect and block attacks by bots, but the development of this tool took one year from the first attack.
In the meantime, they could have adopted other measures with a faster effect, either to counter the attacks or to mitigate the consequences for the people concerned, such as:
- limiting the number of requests allowed per IP address on the website, which would have slowed the pace at which the attacks were carried out;
- displaying a CAPTCHA from the first attempt to authenticate to an account, which is very difficult for a bot to circumvent.
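The first of these measures in working form, as an added example that is not part of the CNIL decision or of the sanctioned companies' systems: a per-IP sliding-window throttle on login attempts that also flags the credential-stuffing signature described above (one address cycling through many distinct accounts). Thresholds, IP addresses and the sample events are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed thresholds for illustration; tune them to real traffic.
WINDOW_SECONDS = 60       # sliding window length
MAX_ATTEMPTS_PER_IP = 10  # login attempts allowed per IP inside the window
MAX_DISTINCT_USERS = 5    # distinct accounts per IP before flagging stuffing


class LoginThrottle:
    """Per-IP sliding-window limiter for authentication attempts."""

    def __init__(self, window=WINDOW_SECONDS, max_attempts=MAX_ATTEMPTS_PER_IP,
                 max_users=MAX_DISTINCT_USERS):
        self.window, self.max_attempts, self.max_users = window, max_attempts, max_users
        self.attempts = defaultdict(deque)  # ip -> deque of (timestamp, username)
        self.flagged = set()                # IPs showing the stuffing signature

    def _prune(self, ip, now):
        """Drop attempts that have fallen out of the window."""
        q = self.attempts[ip]
        while q and now - q[0][0] >= self.window:
            q.popleft()

    def check(self, ip, username, now):
        """Record an attempt at time `now`; return 'allow' or 'block'."""
        self._prune(ip, now)
        q = self.attempts[ip]
        if len(q) >= self.max_attempts:
            return "block"  # over the per-IP budget: reject before checking credentials
        q.append((now, username))
        if len({u for _, u in q}) > self.max_users:
            self.flagged.add(ip)  # many distinct accounts from one IP: likely stuffing
        return "allow"


def replay(events, throttle):
    """Feed constructed (timestamp, ip, username) events; return the decisions."""
    return [throttle.check(ip, user, ts) for ts, ip, user in events]


# Constructed sample: one legitimate customer retrying, one bot cycling accounts.
SAMPLE_EVENTS = [(1, "203.0.113.10", "alice@example.com"),
                 (4, "203.0.113.10", "alice@example.com")]
SAMPLE_EVENTS += [(10 + i, "198.51.100.7", f"user{i}@example.com") for i in range(12)]
SAMPLE_EVENTS.append((100, "198.51.100.7", "user99@example.com"))  # after the window

if __name__ == "__main__":
    t = LoginThrottle()
    print(replay(SAMPLE_EVENTS, t))  # bot's 11th and 12th attempts are blocked
    print(sorted(t.flagged))         # ['198.51.100.7']
```

The throttle blocks before any credential is checked, so the bot's budget, not the victims' passwords, bounds how many accounts it can test, while the flagged set feeds the later step the page describes (CAPTCHA or blocking of the source).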
As a result of this lack of diligence, the data of approximately 40,000 customers of the website was made accessible to unauthorized third parties between March 2018 and February 2019.
Sanctions pronounced by the restricted committee
Consequently, the restricted committee issued two separate sanctions – 150,000 euros against the data controller and 75,000 euros against the data processor – in accordance with their respective responsibilities.
It underlined that the data controller must decide which measures to implement and give detailed instructions to the data processor, but that the data processor must also seek out the technical and organisational solutions best suited to guaranteeing the security of personal data and propose them to the data controller.
The restricted committee decided not to make these decisions public. It nevertheless wishes to communicate them in order to alert professionals to the need to strengthen their monitoring of credential stuffing attacks and to develop, together with their data processors, sufficient measures to guarantee the protection of personal data.
SOURCE: FRENCH DATA PROTECTION AUTHORITY – CNIL