Leak of health data: the CNIL sanctions the software publisher Dedalus


For Dedalus, the bill is steep. More than a year after the health data leak that affected 500,000 French citizens, the CNIL has just published a notice announcing that it has imposed a fine of 1.5 million euros on the company Dedalus, a software publisher specializing in software for medical laboratories.

This publisher had already been singled out on several occasions for its involvement in the case, with several media outlets reporting that the common factor among the laboratories affected by the leak appeared to be their use of Dedalus solutions. A few months before the leak, the magazine NextInpact had already pointed out security flaws identified by a former Dedalus employee, flaws the publisher was slow to correct.

The CNIL’s deliberation gives more detail on the origin of the leak: following its checks, the Commission explains that a first, smaller data leak had been observed in November 2020 by Anssi agents and reported to the software publisher. After the discovery in February 2021 of the file containing the data of 500,000 French citizens, Dedalus commissioned an internal investigation. This “established a correspondence between the data in the file transmitted by Anssi and the data present on an FTP server hosted on the MEGABUS remote maintenance server” – Megabus being the name of a solution marketed by a subsidiary of Dedalus.

Flaws at all levels

The CNIL report thus highlights the absence of security measures on this FTP server, which Dedalus used to orchestrate the migration of its customers’ data: the server was freely accessible from the Internet, without authentication, until November 2020. Following the first report from Anssi, authentication controls were added to protect access to the data, but the CNIL reports that “the private area of the server was accessible with user accounts shared between several employees. However, the use of shared accounts poses a disproportionate, yet easily avoidable, risk to the security of the processing and considerably increases the risk of compromise”.

Beyond this lack of authentication, the CNIL indicates “that no procedure for monitoring and raising security alerts was implemented on the FTP server. Connections from suspicious IP addresses were therefore neither detected nor processed”. And the CNIL’s list of findings is long. It includes in particular “the absence of encryption, the absence of automatic deletion of data after their migration, the absence of authentication required from the Internet to access the public zone of the server and the use of shared user accounts”. These are all breaches of the obligation to ensure the security of personal data, and they justify the sanction imposed today by the Commission.
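Two of the failures the CNIL lists, shared user accounts and the absence of any monitoring of connections from suspicious addresses, are the kind of thing a few lines of log review would have surfaced. The script below is an added illustration and is not code from Dedalus, from the CNIL deliberation or from the article: it parses a constructed, hypothetical one-line-per-login FTP log format, flags anonymous logins, logins from outside an assumed set of trusted maintenance networks, and the signature of a shared account (one account used from several source addresses within a short window). The log lines, the log format, the account names and the trusted network range are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "one login per line" format.
# None of these addresses, accounts or timestamps come from the real case.
SAMPLE_LOG = """\
2021-02-10T08:15:02Z LOGIN user=migration_ops src=10.20.0.5 result=OK
2021-02-10T08:16:40Z LOGIN user=anonymous src=198.51.100.7 result=OK
2021-02-10T08:17:11Z LOGIN user=migration_ops src=203.0.113.42 result=OK
2021-02-10T08:18:30Z LOGIN user=migration_ops src=10.20.0.9 result=OK
2021-02-10T09:02:05Z LOGIN user=lab_export src=10.20.0.11 result=FAIL
2021-02-10T09:02:09Z LOGIN user=lab_export src=10.20.0.11 result=OK
"""

# Assumption for the example: legitimate maintenance staff only connect from
# this internal range. In practice this list comes from the network inventory.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Turn the constructed log format into a list of login events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not describe a login are ignored
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "src": ipaddress.ip_address(m["src"]),
            "result": m["result"],
        })
    return events


def is_trusted(addr):
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_alerts(events, window=timedelta(hours=1)):
    """Return (alert_type, user, source_ip) tuples for successful logins
    that a monitoring procedure should have raised."""
    alerts = []
    # For each account, remember the addresses it has recently logged in from;
    # a second distinct address inside the window is the shared-account pattern.
    recent_sources = defaultdict(list)  # user -> list of (timestamp, address)
    for ev in events:
        if ev["result"] != "OK":
            continue  # failed attempts are worth counting too, but not here
        if ev["user"] == "anonymous":
            alerts.append(("anonymous_login", ev["user"], str(ev["src"])))
        if not is_trusted(ev["src"]):
            alerts.append(("untrusted_source", ev["user"], str(ev["src"])))
        seen = [src for ts, src in recent_sources[ev["user"]] if ev["ts"] - ts <= window]
        if seen and ev["src"] not in seen:
            alerts.append(("shared_account", ev["user"], str(ev["src"])))
        recent_sources[ev["user"]].append((ev["ts"], ev["src"]))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print("%-17s user=%-14s src=%s" % alert)
```

On the constructed input this raises five alerts: the anonymous login (twice, once as anonymous and once as an untrusted source), the `migration_ops` login from 203.0.113.42 as an untrusted source, and two shared-account alerts for `migration_ops`, which appears from three different addresses within a few minutes. The shared-account heuristic is deliberately simple; in a real deployment it would be tuned to the expected behaviour of named, individual accounts, which is exactly what the CNIL says were missing.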

The Commission also noted other points contrary to the GDPR during its checks at Dedalus: it found that Dedalus had “extracted a larger volume of data than that required” during a software migration to another tool requested by two laboratories, and that the general conditions of sale and the maintenance contracts did not comply with the GDPR.
