Data security: Free stored its subscribers’ passwords in clear text, according to the Cnil


Some companies have persisted in recent years in storing their users’ passwords in clear text. The Cnil has just fined Free €300,000 in a deliberation made public on Thursday, December 8, 2022. The National Commission for Computing and Freedoms observed several serious breaches of the GDPR during checks within the company.

No encryption procedure

The subsidiary of the Iliad group did not comply with its obligations regarding the security of personal data. All the passwords generated when a user account was created on the Free website ended up stored in clear text in a database. No encryption was applied to protect this customer data even minimally. In the event of a data leak, this lack of vigilance could have led to a real disaster. The Cnil had called out EDF on November 29 for similar breaches.

At the same time, the passwords generated “when creating a user account on the company’s website, during a recovery procedure or during a renewal” were weak. In other words, the complexity of the password was not high enough, a failure that facilitates brute-force attacks. The identifiers were transmitted by email or post, also in plain text, just like the password “associated with the free.fr email account”. This is dangerous communication, especially since Free imposed neither a maximum lifetime on passwords nor an obligation to change them.
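The two failures described above, clear-text storage and weak generated passwords, have well-known remedies: store only a salted, slow hash of each password, and generate initial passwords from a cryptographic random source. The following Python is an added example written for this page; it is not code from the article, from Free or from the Cnil. It assumes PBKDF2-HMAC-SHA256 with an iteration count chosen for illustration, and includes a small check that flags password-column values that are not in the expected hashed format, the kind of test an auditor would run against a database export.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# Assumed parameters for this example: a salted, slow hash so that a leaked
# database does not expose passwords directly. Tune iterations to your hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"

# Alphabet for generated passwords (constructed for this example)
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def generate_password(length: int = 16) -> str:
    """Generate an initial password from the OS CSPRNG (not from a weak pattern)."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def generated_entropy_bits(length: int = 16) -> float:
    """Entropy of a password drawn uniformly from PASSWORD_ALPHABET."""
    return length * math.log2(len(PASSWORD_ALPHABET))


def hash_password(password: str) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex.

    A fresh random salt per password means two users with the same password
    get different records, defeating precomputed lookup tables.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{ALGO}${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), hash_hex)


def looks_hashed(value: str) -> bool:
    """True if a stored value parses as one of our hash records."""
    parts = value.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return False
    algo, iters, salt_hex, hash_hex = parts
    try:
        int(iters)
        bytes.fromhex(salt_hex)
        bytes.fromhex(hash_hex)
    except ValueError:
        return False
    return len(salt_hex) == 2 * SALT_BYTES and len(hash_hex) == 64


def audit_password_column(rows: dict) -> list:
    """Return the usernames whose stored value is not a hash record.

    This is the check that would have exposed a clear-text column during an audit.
    """
    return sorted(user for user, value in rows.items() if not looks_hashed(value))


if __name__ == "__main__":
    # Constructed sample: one row stored properly, one stored in clear text.
    initial = generate_password()
    table = {"alice": hash_password(initial), "bob": "hunter2"}
    print("generated password entropy:", round(generated_entropy_bits(), 1), "bits")
    print("alice verifies:", verify_password(initial, table["alice"]))
    print("rows that are not hashed:", audit_password_column(table))
```

The audit function only recognises this example's record format; in a real review you would extend `looks_hashed` to whatever formats your password library emits (bcrypt, scrypt, Argon2), and treat every row that matches none of them as a finding.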


Badly reset Freeboxes

Free is also accused by the Cnil of having botched the “technical and organizational measures of the reconditioning process” of approximately 4,100 Freebox boxes. When a box was reassigned, the company did not systematically reset the device. Data such as “photos, personal videos or recordings of television programs” could still be present when the box arrived at a new customer’s home, a breach of the personal data of certain users that Free had not documented.

The operator is also targeted for breaches of its obligation to respect the rights of access and erasure. Free reportedly failed to respond in time, or provided incomplete responses, to several people who had requested access to their personal data. Similarly, the erasure of several complainants’ information was reportedly not carried out within the deadlines.

In total, the Cnil identifies four breaches of the GDPR, the European general data protection regulation. The operator has since brought itself into compliance on the security of its subscribers’ personal data. On the other hand, respect for the right of access is subject to a “compliance injunction”, which requires Free to justify its actions in this area “within a period of three months from the notification of the deliberation”, failing which the operator will incur a “penalty of €500 per day of delay”.

In a press release relayed by Le Monde, Free says it regrets the Cnil’s decision. The latter “sanctions past facts, which occurred during the first months of the entry into force of the general data protection regulation (2018-2019)”. It adds: “The measures necessary to bring the company into compliance have been taken since the events.” The operator is currently analyzing “the follow-up to be given to this decision”, regretting that the Cnil sanctioned a period during which it had declared that it preferred support to sanction.
