Nexpublica France Fined for Inadequate Security After Data Breach
France’s data protection authority, CNIL, imposed a €1.7 million (about $2 million) fine on the software company Nexpublica France following a data breach that exposed sensitive third-party documents through a company portal. The breach, reported in November 2022, allowed portal users to access documents belonging to other individuals. CNIL’s investigation found that Nexpublica’s data security program was insufficient and failed to meet basic security standards.
The regulator cited several aggravating factors in determining the fine, including Nexpublica’s lack of awareness of fundamental security principles, the number of people affected, the sensitivity of the exposed data, and the company’s financial capacity. CNIL also noted that Nexpublica was aware of the security issues prior to the breach but did not take corrective action until after the incident, constituting a violation of the General Data Protection Regulation (GDPR).
Related Stories

CNIL Fines Iliad Subsidiaries Free and Free Mobile for Security Failures Behind 2024 Data Breach
France’s data protection regulator **CNIL** issued a collective **€42 million** fine against Iliad Group subsidiaries **Free** and **Free Mobile** for **GDPR** violations tied to an October 2024 breach that exposed personal data for more than **24 million** individuals, including sensitive financial identifiers such as **IBANs**. CNIL cited the scale and sensitivity of the compromised data, as well as the companies’ profits, in setting penalties of **€27 million** for Free and **€15 million** for Free Mobile. Regulators said the intrusion was enabled by inadequate security controls, including a **weak VPN authentication process** and insufficient monitoring to detect anomalous activity. Reporting indicates the attacker accessed Free’s network via the corporate **VPN**, then reached Free Mobile’s subscriber management tool **MOBO**, which at the time allowed searches across both Free and Free Mobile customer datasets; exfiltration reportedly began in early October 2024 after initial access in late September. CNIL also faulted the companies for **insufficient breach communications** to impacted customers and for **improper data retention** (including retaining former subscribers’ data), while noting remediation steps have been initiated and further security improvements were ordered.
CNIL Fines France Travail €5 Million After Social-Engineering Breach Exposed Job Seeker Data
France’s data protection authority **CNIL** fined public employment agency **France Travail** €5 million for failing to implement security measures appropriate to the risk (citing **GDPR Article 32**) after attackers accessed job-seeker data via **social engineering**. Investigators said the attackers compromised accounts used by staff at **Cap emploi** (a partner organization), and that existing safeguards did not sufficiently reduce the risk of unauthorized access through compromised accounts. The intrusion enabled access to personal data associated with roughly **43 million** people, including current registrants, former registrants going back about **20 years**, and individuals with candidate profiles on `francetravail.fr`. Exposed data included **social security/national insurance numbers**, names and dates of birth, and contact details (email, postal address, phone); reporting noted the breach did **not** include bank details or account passwords and did not provide complete job-seeker files. CNIL ordered France Travail to provide evidence and a schedule of corrective actions, backed by a conditional **€5,000/day** penalty for non-compliance.
UK Fines LastPass for Major Data Breach Impacting 1.6 Million Users
The UK Information Commissioner's Office (ICO) has fined LastPass £1.2 million ($1.6 million) following a 2022 data breach that compromised the personal information of up to 1.6 million UK users. The breach occurred in two stages: first, an attacker compromised a developer's work-issued laptop and exfiltrated source code and technical documentation, including both encrypted and unencrypted credentials. That access was then leveraged to target a senior engineer's personal laptop, yielding credentials and keys that let the attacker access and decrypt storage volumes in LastPass's cloud-based storage service. The ICO determined that LastPass failed to implement sufficiently robust technical and security measures to protect customer data, leading to the substantial penalty. Although the attackers obtained encrypted copies of vault contents, including stored passwords, the ICO noted there was no evidence that customer passwords were decrypted: the master password needed to derive each vault's decryption key is held only on the user's device and is never stored by LastPass. Security experts have nonetheless raised concerns about offline brute-force attacks against the stolen vaults, particularly for users with weak master passwords, and some reporting has linked the breach to subsequent cryptocurrency thefts. The ICO emphasized the importance of strong security practices for password management services and urged all UK businesses to take steps to protect customer data in light of this incident.