
SlimPay fined for leaking 12 million bank data


SlimPay, a Paris-based subscription payment service company, has been fined 180,000 euros by the French data protection regulator, the CNIL, after it was found to have left sensitive customer data on a publicly accessible server for roughly five years.

The company describes itself as a leader in recurring subscription payments, and provides APIs and processing services that handle such payments on behalf of customer organisations, which include UNICEF, BP and OVO Energy, to name a few.

However, in 2015 SlimPay ran an internal research project on anti-fraud mechanisms, and used personal data taken from its production customer database as test input. Using real data is an easy way to check that development code behaves as expected before it goes live, but when the data is sensitive (bank account details, in this case) it needs the same protection as the production copy, and copying it into a research environment without that protection is a straightforward route to a data protection violation.
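The safer alternative to copying a production table into a test environment is to build fixtures that have the same shape as real records but contain no real identifiers. The following is an added example, not SlimPay's code and not part of the CNIL decision: it replaces contact fields with keyed, stable tokens and substitutes format-valid synthetic IBANs (correct ISO 13616 mod-97 check digits) so that validation code still exercises the same paths. The sample record, the field names, the BBAN lengths table and the key are assumptions made for the example.

```python
import hashlib
import hmac
import random
import string

# BBAN length (IBAN length minus the 4-character prefix) for a few countries.
# Assumed values for this example; extend for the countries you actually test.
BBAN_LENGTH = {"FR": 23, "DE": 18, "GB": 18}


def _iban_numeric(iban: str) -> int:
    """Move the first four characters to the end and map A..Z to 10..35."""
    rotated = iban[4:] + iban[:4]
    return int("".join(str(int(ch, 36)) for ch in rotated))


def is_valid_iban(iban: str) -> bool:
    """ISO 13616 mod-97 check: the rearranged number must leave remainder 1."""
    iban = iban.replace(" ", "").upper()
    if not iban.isalnum() or not 15 <= len(iban) <= 34:
        return False
    return _iban_numeric(iban) % 97 == 1


def iban_check_digits(country: str, bban: str) -> str:
    """Compute the two check digits for a given country code and BBAN."""
    remainder = _iban_numeric(country + "00" + bban) % 97
    return f"{98 - remainder:02d}"


def synthetic_iban(country: str, rng: random.Random) -> str:
    """Random digits in the national part, with check digits that validate."""
    bban = "".join(rng.choice(string.digits) for _ in range(BBAN_LENGTH[country]))
    return country + iban_check_digits(country, bban) + bban


def pseudonymize_debtor(record: dict, key: bytes) -> dict:
    """Replace identifying fields with keyed tokens and synthetic bank details.

    Tokens are HMAC-SHA256 under a key kept out of the test environment, so the
    same real value always maps to the same token (joins between tables still
    work) but nothing in the output can be reversed to a real person without it.
    """
    def token(field: str, value: str) -> str:
        return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()[:16]

    country = record["iban"][:2].upper()
    # Seed the generator from the IBAN token so one real account maps to one fake IBAN.
    rng = random.Random(int(token("iban", record["iban"]), 16))
    return {
        "debtor_id": token("debtor_id", record["debtor_id"]),
        "email": token("email", record["email"]) + "@example.invalid",
        "phone": "+33" + "".join(rng.choice(string.digits) for _ in range(9)),
        "postal_address": f"{rng.randint(1, 200)} Rue Test, 75000 Paris",
        "iban": synthetic_iban(country, rng),
        "bic": f"TEST{country}22XXX",  # syntactically a BIC, refers to no real bank
    }


# Constructed sample record: not real customer data.
SAMPLE_DEBTOR = {
    "debtor_id": "D-000123",
    "email": "jane.doe@example.com",
    "phone": "+33612345678",
    "postal_address": "1 Rue de Rivoli, 75001 Paris",
    "iban": "FR7630006000011234567890189",
    "bic": "AGRIFRPP",
}

if __name__ == "__main__":
    fake = pseudonymize_debtor(SAMPLE_DEBTOR, key=b"assumed-test-key")
    print(fake, is_valid_iban(fake["iban"]))
```

The point of keying the tokens rather than hashing the raw values is that an unkeyed hash of an email address or IBAN is trivially reversible by dictionary lookup; with the key held only by the team that runs the export, a leaked fixture file carries no linkable personal data, which is the difference between a research copy that needs Article 32-grade protection and one that does not.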

Alas, according to the CNIL (Commission nationale de l'informatique et des libertés), when SlimPay's research project ended in July 2016 the data was left on a server that was freely reachable from the public Internet, with no access control or other security measures in place. To make matters worse, the company apparently did not notice until February 2020, when one of SlimPay's own customers discovered the server and reported it.

To its credit, SlimPay appears to have taken immediate steps to isolate the server and secure the data, and then notified the CNIL of the breach on February 17.

In a follow-up breach notification the company disclosed more details about the incident, including the number of people affected and the categories of personal data involved. The data covered debtors of SlimPay's merchant customers, roughly 12 million people, and included their postal, email and telephone contact details together with bank details such as the Bank Identifier Code (BIC) and International Bank Account Number (IBAN).

A subsequent investigation by the CNIL found multiple failings in the processing of customer personal data. The Restricted Committee, the CNIL body responsible for issuing sanctions, concluded that SlimPay had breached several requirements of the General Data Protection Regulation (GDPR).

These include a failure to put a formal legal framework around the processing carried out by its processors (Article 28 GDPR), because some contracts between SlimPay and its service providers did not contain all the clauses required to bind the processor to handle personal data in accordance with the GDPR, and a failure to ensure the security of personal data (Article 32 GDPR).

The CNIL also found that SlimPay had failed to inform the data subjects of the personal data breach (Article 34 GDPR). Given the nature of the data (bank details among it) and the consequences its exposure could have for the people concerned, the CNIL concluded that the risk arising from the breach had to be regarded as high, which obliged the company to notify each affected individual directly. It did not do so.

According to the CNIL, SlimPay argued in its defence that none of the affected individuals had reported any fraudulent use of their personal data, and that audits by third-party firms had found no evidence that the data had been exploited by attackers. This cut no ice with the regulator, which said that the absence of demonstrated harm to data subjects has no bearing on whether a security failing existed.

We contacted SlimPay for comments and we will update if we get a response from the company.

Official announcement (in French) available here. ®
