French software company Nexpublica fined for failings leading to data breach


In Europe, a region where regulation matters, poor cybersecurity practices can result in significant fines. France’s data protection regulator has levied a fine of €1.7 million ($2 million) on the software company Nexpublica.

CNIL, the French data protection regulator, stated that Nexpublica failed to implement sufficient security measures for its PCRM software, a user relationship management tool used in the social services sector.

The breach came to light in November 2022, when users of a Nexpublica portal informed CNIL that they could access documents concerning third parties.


The regulator investigated the incident and soon found that the firm’s data security measures were inadequate: the data processed through the PCRM software was not sufficiently protected.

In a press release, CNIL said the size of the fine is based on Nexpublica’s “financial capacity, its lack of knowledge of basic security principles, the number of people affected, and the sensitivity of the data processed.”


The vulnerabilities identified in the PCRM were, moreover, already known to Nexpublica from several audit reports. They were only fixed after the data breach.

“These circumstances are aggravated because of the activity of the company, which is specialized in IT systems and software consulting,” said CNIL.

The agency must surely be busy during the festive period because various French state institutions have been facing a surge of cyberattacks.


In mid-December, the French Ministry of the Interior confirmed to Cybernews it had suffered a cyber hit after attackers claimed they accessed its systems and data – some of it personal – on 16.4 million French citizens.

Authorities soon arrested a 22-year-old hacker linked to the data breach. The attack seems to be part of a revenge hacking campaign on the French government, even though attackers also claim they’re sort of threat researchers who were “compelled” to act because the security of the systems was allegedly “deplorable.”


Right before Christmas, France’s postal service was also knocked offline after a suspected DDoS attack, which additionally paralyzed La Poste’s banking services. However, customer data wasn’t compromised.
