In early June, the French Data Protection Authority (CNIL) fined Sergic €400,000 for IT security breaches and illegal storage of personal data, particularly that of prospective tenants.
The French property management company runs a web platform where prospective tenants can upload the documents required to compile an application file (pay slips, employment contracts, tax notices, identity documents, etc.).
However, a security breach allowed tenants to view the files of competing applicants.
In August 2018, the CNIL conducted a test and was able to remotely download more than 4,000 files from a directory containing more than 290,000 files.
A seasoned cybercriminal could have carried out such a cyberattack and obtained this information. The Commission strongly regrets that Sergic took more than six months to fix this vulnerability.
This is why the CNIL imposed such sanctions and fines on Sergic. It accuses the family business of failing to adequately secure and protect its website and its customers' data.
It should be noted that on its website, the CNIL describes the illegal storage of personal data.