Unknown – €150,000 Fine (France, 2021)

Fine: €150,000
Authority: Commission Nationale de l'Informatique et des Libertés
Date: 27 January 2021
Country: France
Status: final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

France's data protection authority (CNIL) fined a company and its subcontractor for failing to protect customer data against repeated credential stuffing attacks on the company's website. Attackers who logged in with leaked username/password pairs could read personal information such as names and email addresses. The case shows that a slow response to a known, ongoing attack is itself a security failure under the GDPR.

What happened

A company and its subcontractor were slow to counter repeated waves of credential stuffing attacks on the company's website, leaving customer accounts exposed for an extended period.

Who was affected

Customers whose personal information (surname, first name, email address, date of birth, loyalty card number and balance, and order details) was accessed through the accounts the attackers managed to log into.

What the authority found

The French authority found that the companies had not taken adequate and timely measures to secure customer data, in breach of the security obligations of Article 32 GDPR; both the controller and the processor operating the website were held responsible.

Why this matters

The ruling stresses that security measures must be both effective and timely: spending a year building a bot-detection tool while attacks continued was not enough when faster mitigations were available. Companies, and the processors that run their systems, should act quickly against known threats such as credential stuffing rather than wait for a single definitive fix.

GDPR Articles Cited

Art. 32 GDPR

Entities Involved

Company: €150,000 (controller)
Subcontractor: €75,000 (processor)
Source verified 6 March 2026
Full Legal Summary

The French DPA (CNIL) fined a company and its subcontractor EUR 150,000 and EUR 75,000 respectively for failing to take sufficient measures against credential stuffing attacks on the company's website. Between June 2018 and January 2020, the CNIL received several notifications of personal data breaches relating to a website on which several million customers regularly shop. In response, the CNIL decided to investigate the company and the subcontractor entrusted with the management of this website. In the course of its investigations, the CNIL found that the website had been subjected to numerous waves of credential stuffing attacks.

In this type of attack, an attacker obtains lists of plaintext ('unencrypted') usernames and passwords published on the Internet, usually after a data breach elsewhere. Assuming that users frequently reuse the same password and username (email address) across services, the attacker uses 'bots' to try those pairs against a large number of websites. Where authentication succeeds, the attacker can see the information associated with the account.

The CNIL found that the attackers were able to obtain the following information: surname, first name, email address and date of birth of customers, as well as their loyalty card number and balance, and information related to their orders.

The CNIL considered that the two companies had breached their obligation to maintain the security of customers' personal data under Article 32 of the GDPR. In particular, the companies were slow to act effectively against these repeated attacks. They had chosen to focus their response on developing a tool to detect and block attacks launched by robots, but the development of this tool took a year from the first attacks. In the meantime, a number of other measures with faster impact could have been considered to prevent further attacks or to mitigate the negative impact on individuals. As a result of this lack of diligence, the data of approxi
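The "tool to detect and block attacks launched by robots" that the companies spent a year building is, in its simplest form, a detector run over the authentication log. The following is an added example, not code from the CNIL decision or from the sanctioned companies. It flags a source IP that, inside a short window, tries many distinct usernames with a mostly failing outcome, and reports which accounts the bot did get into, since those are the customers whose data the attacker could read. The log format, IP addresses, usernames and thresholds are constructed for the example. It also shows a limitation: a low-and-slow bot spread over hours evades a per-IP window, which is one reason a single detection tool is not a complete answer on its own; the page does not list which faster measures the CNIL had in mind.

```python
"""Flag credential-stuffing traffic in web authentication logs.

Added example for this page; it is not code from the CNIL decision or from
the sanctioned companies. It assumes a constructed one-line-per-login log
format "<ISO timestamp> <client IP> <username> <SUCCESS|FAIL>" and
illustrative thresholds; real deployments tune both.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # sliding window evaluated per source IP
MIN_ATTEMPTS = 20                # below this, a window is never flagged
MIN_DISTINCT_USERS = 10          # stuffing cycles through many accounts...
MIN_FAILURE_RATIO = 0.8          # ...and most leaked pairs no longer work


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "SUCCESS"


def detect_stuffing(lines):
    """Return {ip: summary} for every source IP that, within some WINDOW,
    tried many distinct usernames with a high failure rate. The summary
    lists the accounts that did log in: those are the customers whose data
    the attacker could read."""
    events = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans at most WINDOW
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            attempts = len(window)
            if attempts < MIN_ATTEMPTS:
                continue
            users = {user for _, user, _ in window}
            failures = sum(1 for _, _, ok in window if not ok)
            ratio = failures / attempts
            if len(users) < MIN_DISTINCT_USERS or ratio < MIN_FAILURE_RATIO:
                continue
            hit = flagged.setdefault(ip, {"attempts": 0, "distinct_users": 0,
                                          "failure_ratio": 0.0, "compromised": set()})
            if attempts > hit["attempts"]:   # keep the largest offending window
                hit.update(attempts=attempts, distinct_users=len(users),
                           failure_ratio=round(ratio, 3))
            hit["compromised"].update(user for _, user, ok in window if ok)

    for hit in flagged.values():
        hit["compromised"] = sorted(hit["compromised"])
    return flagged


def build_sample_log():
    """Constructed sample traffic, not real data: a legitimate user who
    mistypes a password, a stuffing bot, and a low-and-slow bot."""
    t0 = datetime(2020, 1, 10, 10, 0, 0)
    lines = []
    # legitimate user: three typos, then success, from one home IP
    for i, result in enumerate(["FAIL", "FAIL", "FAIL", "SUCCESS"]):
        ts = t0 + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} 198.51.100.5 alice@example.com {result}")
    # stuffing bot: 40 leaked username/password pairs replayed in four minutes;
    # two pairs still work, so two accounts are now readable by the attacker
    for i in range(40):
        ts = t0 + timedelta(seconds=6 * i)
        result = "SUCCESS" if i in (7, 23) else "FAIL"
        lines.append(f"{ts.isoformat()} 203.0.113.7 user{i:02d}@example.com {result}")
    # low-and-slow bot: same list, one attempt every 30 minutes. It never
    # reaches MIN_ATTEMPTS inside one WINDOW, so a per-IP window detector
    # misses it; per-account and cross-IP signals are needed to catch it.
    for i in range(40):
        ts = t0 + timedelta(minutes=30 * i)
        lines.append(f"{ts.isoformat()} 192.0.2.99 user{i:02d}@example.com FAIL")
    return lines


if __name__ == "__main__":
    for ip, hit in detect_stuffing(build_sample_log()).items():
        print(ip, hit)
```

Run stand-alone, the script flags only 203.0.113.7 and names the two accounts that logged in; the detail a responder needs next is that list, because those customers' personal data has been exposed and the accounts need password resets and notification. The legitimate user is never flagged because four attempts are far below the threshold, and the slow bot is missed by design of this detector, which is why blocking at the edge (per-IP limits) and account-side signals should run in parallel rather than waiting on one tool.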

Details

Fine Date

27 January 2021

Authority

Commission Nationale de l'Informatique et des Libertés

Fine Amount

€150,000

Enforcement Tracker ID

ETid-535

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Unknown - France (2021). Retrieved from cookiefines.eu
