The largest French telephone and internet services company, Orange, was recently warned by the French data protection authority (CNIL) for a security lapse that led to a breach involving 1.3 million users. In April, Orange notified CNIL of a breach that occurred in March, during which an unknown third party exploited a security weakness at an e-mail marketing services provider to obtain personal data on customers and prospects, vacuuming up approximately 700 files that contained sensitive information including names, dates of birth, e-mail addresses and telephone numbers. Despite Orange’s claims that it addressed the problem, CNIL’s inspections of the company and its subcontractors found that Orange: (i) failed to audit data security at its e-mail marketing services provider; and (ii) failed to include data security and confidentiality clauses in its contract with the provider. CNIL furthermore found that the operator had sent updates to customer data files to the provider via unsecured e-mails. This is the second breach for the company this year; as we reported earlier this year, in February the company announced that 3% of its customers had their personal information stolen. Orange has until the end of October to appeal the warning before the French Administrative Supreme Court.
Tip: This case is a reminder that data breaches are on the minds not only of US regulators but also of regulators around the world. If you are an internet supplier or a mobile operator operating in France, keep in mind the breach reporting obligations to CNIL. With these in mind, companies are well served to ensure appropriate protections both internally and at their vendors. In the event that a security breach does occur, note the short time frame for reporting such breaches.