
Bouygues Telecom has been fined EUR 250,000 by French data protection regulator Cnil for a personal data breach at the operator's B&You brand. The data of around 2 million customers was left exposed by a security vulnerability for two years, Cnil found in an investigation.
The regulator was informed of the problem in March and was notified shortly thereafter by Bouygues Telecom. After a visit to the operator's offices, Cnil found that a simple change in URL on the Bouygues Telecom website gave unauthorised users access to personal data of B&You customers. The problem was thought to be due to a failure to take the site back out of a test mode that gave access to client authentication.
The company quickly rectified the problem, but still faces a fine for failing to properly protect its customers' personal data. Cnil said the amount of the fine takes into account the responsiveness of Bouygues Telecom, which took measures to limit the impact on customers. The violations dated from before the application of the EU's General Data Protection Regulation, which allows for much higher fines.