France's data protection authority, the CNIL, has fined the real estate company Sergic 400,000 euros for violations of the EU General Data Protection Regulation. A complaint received by the CNIL last August alleged users could access documents from other individuals on the site by modifying a URL. The documents contained individuals' identity cards, tax notices, account statements and other information. An investigation conducted by the DPA found Sergic was aware of the vulnerability since March 2018. The DPA discovered Sergic did not implement any form of user authentication for those who could access the documents, which factored into the decision to penalize the company. (Original article is in French.)
If you want to comment on this post, you need to login.