Free wasn’t serious enough to secure passwords


The Cnil imposes a fine of 300,000 euros on the operator Free for multiple breaches of the GDPR. Among the shortcomings: an overly lax password management policy.

It is Free’s turn to be caught by the Commission nationale de l’informatique et des libertés (CNIL) for breaches of the General Data Protection Regulation (GDPR). In a press release published on December 8, the French authority responsible for enforcing the legislation on the processing of personal data called out the operator.

Notable weaknesses in password management

Four major breaches were identified, including one concerning the obligation to ensure the security of personal data. In particular, the authority found an inadequate password policy, with procedures that are no longer acceptable in 2022. Taken together, these violations resulted in a fine of 300,000 euros.

In detail, the CNIL noted that:

  • The password generated when creating a new account on the Internet service provider’s site was “insufficiently robust”;
  • The same weakness was found in the passwords generated during a recovery procedure or a password renewal;
  • All passwords generated when creating an account from the site “were stored in the clear in the company’s subscriber database”;
  • The newly created passwords were neither temporary nor subject to any obligation to change them;
  • These passwords were transmitted in plain text by e-mail or by post;
  • The password associated with the “free.fr” e-mail account was likewise sent by the company by e-mail or post, written in clear text in the body of the message.

The operator did not follow password best practices. // Source: Ulrich Rozier for Numerama
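The findings above map onto three concrete controls: a generated password must be drawn from a CSPRNG with enough entropy, the database must hold only a salted, slow hash of it, and any generated password must be flagged as temporary so that the first login forces a change. The following Python is an added example written for this article, not Free’s code and not anything the CNIL deliberation describes; the class and function names, the 16-character initial password, the PBKDF2-HMAC-SHA256 iteration count and the 12-character floor for user-chosen passwords are this example’s own choices. The `naive_provision` function is a constructed stand-in showing the clear-text storage the CNIL faulted, not a description of Free’s actual generator. How the one-time password reaches the subscriber (the e-mail and postal channels in the findings) is left out of scope.

```python
"""Subscriber password provisioning: a constructed 'before' beside a hardened form.
Added example for this article; names, lengths and iteration counts are assumptions."""
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import astuple, dataclass

ALPHABET = string.ascii_letters + string.digits
INITIAL_PASSWORD_LENGTH = 16   # 62^16 is roughly 2^95: brute force is hopeless
PBKDF2_ITERATIONS = 600_000    # OWASP guidance for PBKDF2-HMAC-SHA256 (example choice)
MIN_USER_PASSWORD_LENGTH = 12  # policy floor for user-chosen passwords (example choice)


@dataclass
class NaiveRecord:
    """Constructed illustration of the faulted pattern: the clear-text password
    is the stored record, and nothing marks it as temporary."""
    password: str


@dataclass
class HashedRecord:
    salt: bytes
    digest: bytes
    must_change: bool  # True for every generated password: creation, recovery, renewal


def naive_provision(records, login):
    """Constructed 'before': a short generated password kept in the clear. The
    deliberation only says 'insufficiently robust'; the 8 digits here are a stand-in."""
    password = "".join(secrets.choice(string.digits) for _ in range(8))
    records[login] = NaiveRecord(password)
    return password


def generate_initial_password(length=INITIAL_PASSWORD_LENGTH):
    """CSPRNG-backed generation; random.choice would not be acceptable here."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password, salt):
    """Deliberately slow, salted digest; the clear text is not recoverable from it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def holds_in_clear(record, password):
    """True if the stored record contains the password itself, i.e. a database
    breach would hand the password straight to the attacker."""
    encoded = password.encode("utf-8")
    return any(value == password or value == encoded for value in astuple(record))


class SubscriberStore:
    def __init__(self):
        self.records = {}

    def provision(self, login):
        """Create (or re-key, for recovery) an account and return the one-time
        password for out-of-band delivery. Only salt and digest are stored, and the
        password is flagged so the first login forces a change."""
        password = generate_initial_password()
        salt = os.urandom(16)
        self.records[login] = HashedRecord(salt, hash_password(password, salt), must_change=True)
        return password

    def verify(self, login, password):
        """Return (authenticated, must_change_now)."""
        record = self.records.get(login)
        if record is None:
            hash_password(password, bytes(16))  # same cost for unknown logins (timing)
            return False, False
        ok = hmac.compare_digest(hash_password(password, record.salt), record.digest)
        return ok, ok and record.must_change

    def change_password(self, login, current, new):
        """Mandatory renewal after creation or recovery, and the normal change path."""
        ok, _ = self.verify(login, current)
        if not ok or len(new) < MIN_USER_PASSWORD_LENGTH or new == current:
            return False
        salt = os.urandom(16)
        self.records[login] = HashedRecord(salt, hash_password(new, salt), must_change=False)
        return True

    def recover(self, login):
        """Recovery issues a fresh temporary password; the old one is never revealed."""
        if login not in self.records:
            raise KeyError(login)
        return self.provision(login)


if __name__ == "__main__":
    store = SubscriberStore()
    temp = store.provision("alice")
    print("temporary password issued, must change:", store.verify("alice", temp))
    print("changed:", store.change_password("alice", temp, "a user-chosen passphrase"))
    print("after change:", store.verify("alice", "a user-chosen passphrase"))
```

The `verify` method returns the `must_change` flag alongside the authentication result so the login flow can route a first connection, or a login after recovery, straight to the renewal screen; the constant-time comparison and the dummy hash for unknown logins keep response timing from leaking which accounts exist.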

In its deliberation, the CNIL notes that Free “announced that it had taken several measures to comply with the obligations […] regarding password security”. These include strengthening the robustness of the generated passwords and making renewal mandatory after a recovery procedure or on first login.

In addition, the storage of passwords in the clear in its database has ended, as has the transmission of new subscribers’ passwords in the clear by e-mail. These are welcome and necessary changes to bring the operator back within the bounds of the GDPR, but they do not erase its past failings. The CNIL took them into account in setting the sanction.

The sanction is moderate given the fines the GDPR allows and the size of a group like Free. Beyond the 300,000-euro fine and the public naming of the group, the CNIL gives the ISP three months to bring itself into compliance on all the other points. Otherwise, it will face a penalty of 500 euros per day of delay.

Source: Claire Braikeh for Numerama
