Video platform fined for data breach involving 82.5 million email addresses
CNIL imposes €50,000 fine on Dailymotion
Cyber attackers gained access to users’ personal information on the French video platform Dailymotion via an administrator’s account. The administrator password used to access the personal database was not stored in hashed form. In addition, partners were given remote access without proper authorisation measures in place. The company was only alerted to the breach when the story appeared in an online news article.
Consequently, France’s National Commission for Computing and Freedom (CNIL) has fined Dailymotion €50,000 for failing to secure customers’ personal data.
According to online news published by Le Monde back in December 2016, Dailymotion duly reported the attack, in which user IDs and passwords were hacked. Fortunately, this incident did not involve the loss of any other personal data.
The video platform estimated that 82.5 million email addresses and 18.3 million passwords had been lost. However, none of Dailymotion’s users have reported any damage resulting from the hack, more than one year after it occurred.
Why was the video platform fined? The facts
- The firm did not realise a data breach had occurred, until it was reported in the news
- No controls were in place to alert on low-bandwidth downloads (data being extracted slowly enough to go unnoticed)
- Administrator passwords were not kept in hashed form
- Partners of the company were allowed remote access to add and remove content
- The platform had not implemented measures to confirm authorisation for remote access
- Basic security measures had not been implemented, e.g. a complex password policy, IP address filtering, or a Virtual Private Network (VPN) to prevent unauthorised connections to the company’s network.
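To illustrate the password-hashing point in the list above, here is an added example (written for this page, not Dailymotion’s or the CNIL’s code) showing what a leaked credential record reveals when the password is stored as plain text versus as a salted PBKDF2 hash using only the Python standard library. The iteration count and salt length are assumed values chosen for the example.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with a per-record
# random salt. Production systems should follow current guidance on work
# factors (or use a dedicated password-hashing library such as argon2/bcrypt).
ITERATIONS = 600_000
SALT_BYTES = 16


def store_plaintext(password: str) -> dict:
    """The weak pattern: the stored record contains the password itself."""
    return {"scheme": "plaintext", "secret": password}


def store_hashed(password: str, iterations: int = ITERATIONS) -> dict:
    """The recommended pattern: store salt + slow salted hash, never the password."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {
        "scheme": "pbkdf2_sha256",
        "iterations": iterations,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify(record: dict, candidate: str) -> bool:
    """Check a login attempt against either record type, in constant time."""
    if record["scheme"] == "plaintext":
        return hmac.compare_digest(record["secret"].encode("utf-8"), candidate.encode("utf-8"))
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def record_exposes_password(record: dict, password: str) -> bool:
    """What an attacker who copies the database row learns: True if the
    password appears verbatim in any stored field."""
    return any(password == str(value) for value in record.values())


if __name__ == "__main__":
    # Constructed sample credential, not real data.
    admin_password = "Adm1n-Example-Only"
    weak = store_plaintext(admin_password)
    strong = store_hashed(admin_password)
    print("plaintext record leaks password:", record_exposes_password(weak, admin_password))
    print("hashed record leaks password:   ", record_exposes_password(strong, admin_password))
    print("hashed record still verifies:   ", verify(strong, admin_password))
    print("wrong password rejected:        ", verify(strong, "wrong"))
```

The random per-record salt means two users with the same password get different stored hashes, so a stolen table cannot be attacked with a single precomputed lookup, and the high iteration count makes each guess expensive for an attacker who has the database.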
Article 34 of the French Data Protection Act requires that:
The data controller shall take all useful precautions, with regard to the nature of the data and the risks of the processing, to preserve the security of the data and, in particular, prevent their alteration and damage, or access by non-authorised third parties.
Originally, the CNIL was planning to fine Dailymotion up to €500,000, before reducing the amount to €100,000 after the video platform provided a full explanation. The fine was then reduced by a further 50% because no complaints had been made and Dailymotion cooperated fully during the investigation.
The substantially reduced financial penalty imposed by the CNIL also took into account that the compromised data was encrypted.
Editor’s comment: It’s rare to see a video platform fined, or anyone being fined a relatively small sum for a major breach. In this particular case the CNIL evidently had its reasons for making such a substantial reduction in the final penalty imposed. However, it would be unwise to think that non-compliance in a business, whatever its size, will always be treated with the same degree of leniency.
Has your firm taken all possible measures to prevent a data breach?
The GDPR Guys offer expert advice on global GDPR issues.
Source: CNIL order (in French)