Privacy Advisor

FRANCE—First public warning for security breach in banking sector

September 1, 2012

By Pascale Gelly, CIPP/E

On June 21, the French Data Protection Authority (the CNIL) issued a public "blame" against  the affiliate of a financial services group, operating as the group's IT service provider, for making available to all employees of the group documents about some of the bank's customers and their transactions. The documents were posted on shared folders and included information covered by bank secrecy, such as bank account details, credit card numbers, income and tax information. Access was made possible over a period of two years.
The CNIL qualified the IT provider's behavior as one of "unforgivable lightness." However, since the breach had been cured immediately, the CNIL could not order financial sanctions, but then it decided to use its new power since March 2011 of making its warning decision public.

As it happened, the group had opted to install the e-mail system of all its affiliates, including a newspaper and a bank on the same IT infrastructure. The group IT service provider failed to deactivate the shared folders function which is "on" by default. As a result, any user of this function posting a document in the shared folders made them potentially available to 84,895 other individuals.
Journalists working for the newspaper affiliate, who by profession have a different approach to information than bankers, got access to some of these documents and unveiled the situation.

Contrary to what the company argued, the CNIL considered that the blame can't be put on the journalists and that it can't be put on the e-mail provider either as it belonged to the IT company to parameter the software to the contemplated use in order to ensure that unauthorized users don't get access by default to shared folders. The demonstration of preventive security measures implemented by the company did not convince the authority either, as in the end, the company failed to ensure the security of personal data.

Shared infrastructures can bring their share of surprises, especially in a large group with diverse activities. As the story shows, good administration of the active directory is key to security.

Pascale Gelly, CIPP/E, of the French law firm Cabinet Gelly, can be reached at