The Slimpay company sanctioned by the CNIL for data security failure

Forgetting a test server can cost you money. Slimpay was fined 180,000 euros for leaving personal data belonging to 12 million people on an unsecured server reachable from the Internet. The CNIL chose to sanction the company and to publish the reasons for the sanction on its site: the commission states that the server, commissioned in 2015 for an R&D project meant to last one year, remained accessible until 2020.

This oversight exposed the data of 12 million users, including personal data (civil status data, physical and e-mail addresses and telephone numbers) as well as banking information, namely the BIC and IBAN identifiers of the persons concerned. A major error for a company specializing in payment management: the CNIL therefore considers that “the risk associated with the breach should be considered high” and that the company should consequently have individually informed the users affected by the exposure of the data, as required by law. Slimpay defends itself by explaining that the data has probably not been used fraudulently by third parties, but the CNIL recalls in its opinion that “the absence of proven prejudice for the persons concerned has no impact on the existence of the security defect.”

Article 32 of the GDPR specifies that companies are required to secure the personal data they process at “a level of security appropriate to the risk.” Otherwise, they are liable to a sanction from the data protection authority in the event of an audit. The CNIL also noted breaches related to certain contractual provisions of Slimpay’s services: the contracts offered by Slimpay to its service providers did not contain clauses aimed at ensuring that the subcontractors complied with the provisions of the GDPR. A legal oversight which obviously does not help the company’s case, and which pushed the CNIL to sanction the company publicly.
