The French data protection authority (CNIL) has imposed an administrative penalty on a payment institution. The company’s actions led to a breach of personal data belonging to more than 12 million people.
SlimPay SA offers recurring payment solutions to its customers. In November 2015, the company launched an internal research project in which it used personal data from its databases. The project ended in July 2016, but the data used in it remained stored on a server that, as the audit showed, was not adequately secured. The personal data on that server was publicly reachable and could be viewed by anyone on the Internet. The administrator did not notice this until February 2020.
The CNIL found that SlimPay SA had failed to put in place adequate measures to protect personal data that remained easily accessible from November 2015 to February 2020. The data concerned included names, postal addresses, email addresses, telephone numbers, and bank account numbers. In addition, the supervisory authority found that SlimPay SA, as the controller of the personal data, had not concluded appropriate data processing agreements with the service providers that required direct access to the data.
Considering the nature of the personal data breached, the number of persons affected and the possible negative consequences for them (including the risk of phishing or identity theft), the risk arising from the breach had to be considered high. The CNIL therefore decided to impose a fine on SlimPay SA in the amount indicated and, in view of the seriousness and severity of the violation, also decided to publish its decision.