A security breach on the company’s website allowed access to client contract and invoice data simply by entering a URL address, without any requirement for user authentication. As a result, user data was freely available for a period of over two years.
Bouygues informed the CNIL that the breach had resulted from human error, when the code enabling user authentication was not reactivated following tests during the merging of two client databases.
In its decision of 26 December 2018, the CNIL found that Bouygues had breached Article 34 of the French Computing and Freedoms Act, obliging data controllers to take “all useful precautions” to preserve the security of personal data.
The CNIL stated that it took into account the fact that Bouygues had reacted quickly to repair the security failure after its discovery. Nevertheless, it found that a serious breach had occurred, given the large number of individuals impacted and the “particularly long” period during which the data in was freely accessible.
It should be noted that the facts in the case occurred prior to the entry into application of the GDPR, which significantly increased the financial penalties available to European data protection authorities.