CNIL issues public warning to Orange France

France’s Data Protection Authority, the CNIL, has sanctioned the mobile telephone company, Orange France, for a data security breach. A public warning, issued on 25 August, follows a security breach which jeopardised personal data of more than one million customers. Information stolen in a cyber attack included customers' names, email addresses, mobile and landline phone numbers and dates of birth.

Back in April, Orange notified the CNIL of the breach of personal data related to a technical failure by one of its providers. All publicly available EU electronic communications services are obliged to report data breaches to the regulator.

In May, the CNIL carried out an inspection of Orange and its subcontractors, XL Marketing and Gutenberg Networks, working on its promotional email campaigns. The CNIL found gaps in data security, and initiated enforcement proceedings. According to the CNIL, the company claimed to have taken all necessary measures to fulfil its data security obligations, but had not conducted a sufficient security audit before using a certain technical solution for sending email campaigns.

The CNIL has a fining power of a maximum of 150,000 Euros, and where similar previous offences have been committed, up to 300,000 Euros. It can also issue an injunction to stop processing. In this case, after giving details of the breach and Orange’s defence of its position, and giving the company a month to comment on its draft decision, the DPA issued a public warning. The CNIL considers that Orange should have had sufficient financial and human resources to manage these problems.

See the press release and detailed decision.