On December 27, 2018, the French Data Protection Authority (the “CNIL”) announced that it imposed a fine of €250,000 on French telecom operator Bouygues Telecom for failing to protect the personal data of the customers of its mobile package B&YOU.

Background

On March 2, 2018, the CNIL was informed – by a third party – of the existence of a years-long security vulnerability on Bouygues Telecom’s website bouyguestelecom.fr, the end result of which made possible for any person, including bad actors, to access documents containing customers’ personal data from several URL addresses with a similar structure. On March 6, 2018, Bouygues Telecom notified the CNIL of the data breach. The company explained that the incident was due to a human mistake: the computer code, which requires user authentication on the company’s website, had been deactivated during a test phase but not re-activated once the tests were completed. The company quickly blocked the data from improper access.

The CNIL’s Decision

The CNIL noted that the breach affected more than two million customers, and included personal data, such as the customer’s first and last name, date of birth, e-mail address, address and mobile telephone number. The CNIL further noted that the breach lasted for more than two years. The CNIL recognized that human mistake was at the root of the incident, and that the company could not completely guard against such mistakes. The CNIL found, however, that for more than two years the company failed to implement appropriate security measures that would have enabled it to discover the breach, and concluded that the company failed to comply with its obligation to protect its customers’ personal data. As the GDPR was not applicable at the time of the data breach, the CNIL decided to impose a fine of €250,000 on Bouygues Telecom.