The CNIL has issued a public warning to the telecommunications provider Orange over security and confidentiality breaches. In April 2014, Orange notified the CNIL that a software platform used to send promotional messages on behalf of Orange was hacked, resulting in the theft of the personal data of 1.3 million users. A CNIL investigation found that Orange had not adequately audited the platform (an audit would have revealed potential security risks), had not applied security measures  to emails sent to users and had failed to require its service provider processors to pass security obligations on to sub-contractors. The CNIL chose the sanction of a warning and, unusually, made the warning public on the basis that Orange was a large company with the scale of financial and human resources that should have allowed security issues to have been more adequately managed.

CNIL article – 25 August 2014