
France: CNIL fines data processor €75,000 for inadequate measures to deal with credential stuffing attacks

January 27, 2021
Summary

The CNIL fined a data processor €75,000 for not implementing sufficient measures to prevent credential stuffing attacks on their data controller's website, which led to unauthorized access to customer account information. The CNIL's investigation revealed multiple attacks using stolen credentials, and the data processor's delay in creating a detection and blocking tool, as well as their failure to employ CAPTCHA or limit requests per IP address. This negligence violated Article 32 of the GDPR, which mandates adequate security of personal data.

The French data protection authority ('CNIL') announced, on 27 January 2021, its decision to fine a data processor €75,000 for their failure to implement adequate measures to deal with credential stuffing attacks on their data controller's website. In particular, CNIL noted that its investigation of the data controller's website had indicated that it had suffered numerous credential stuffing attacks involving stolen account credentials, such as email addresses, and their subsequent use by attackers to access account information related to customer orders and loyalty card balances. Further to this, CNIL found that the data controller and processor had failed to take adequate measures to ensu
