On January 27, 2021, the French Data Protection Authority (the “CNIL”) announced (in French) that it imposed a fine of €150,000 on a data controller, and a fine of €75,000 on its data processor, for failure to implement adequate security measures to protect customers’ personal data against credential stuffing attacks on the website of the data controller. The CNIL decided not to make its decisions public, thereby not disclosing the name of the companies sanctioned.

Background

Between June 2018 and January 2020, the CNIL received several dozen personal data breach notifications concerning a website from which several million customers regularly make purchases online. The CNIL decided to investigate not only the company responsible for the data processing activities through the website (i.e., the data controller) but also the service provider operating the website on behalf of that company (i.e., as data processor). During its investigations, the CNIL found that the site in question has been a victim of numerous credential stuffing attacks. Credential stuffing occurs when a malicious person uses lists of login credentials found on the dark web following data breaches. Considering that website users often use the same password and username (their email address) on different online services, the attacker attempts multiple login requests across various sites by using robots. In the event of a successful login, the attacker can then review account information. In the case at hand, the CNIL found that the attackers could access the following account information: first and last name, email address, date of birth, loyalty card number and balance and details of orders placed on the site. In total, approximately 40,000 customer accounts were made accessible to unauthorized third parties between March 2018 and February 2019.

The CNIL’s Decisions

The CNIL’s committee in charge of imposing sanctions (the “Restricted Committee”) found that the data controller and the data processor failed to protect the security of the customers’ personal data, as required by Article 32 of the EU General Data Protection Regulation (the “GDPR”). In the Restricted Committee’s view, both companies waited too long to implement measures to effectively fight against repeated credential stuffing attacks. The companies had decided to develop a tool to detect and block attacks launched by robots. However, this tool was not developed until one year after the first attacks. In the meantime, several other measures that would have created more immediate benefits could have been envisioned by the companies in order to prevent new attacks or mitigate negative consequences for impacted customers, such as (1) limiting the number of requests authorized per IP address on the website and (2) using a CAPTCHA when users first attempt to log into their accounts.

The CNIL’s Restricted Committee decided to impose a fine on both the data controller and the data processor. In doing so, the CNIL’s Restricted Committee emphasized that the data controller must decide to implement appropriate security measures and must provide documented instructions to its data processor. However, the data processor also must identify the most appropriate technical and organizational solutions to ensure data security and must propose those solutions to the data controller.