The CNIL has just imposed a financial penalty of €250,000 on Bouygues Telecom for failing to secure the personal data of users of its website. In total, nearly 2 million customers were potentially exposed by this security flaw.
Following a report received in March 2018, the Commission Nationale Informatique et Libertés (CNIL) investigated Bouygues Telecom, and more specifically the operator's website. Its checks showed that the site had a security flaw allowing access to customers' personal data.
A simple URL change
The flaw was found on the page used to display a customer's contract. The URL "https://www.bouyguestelecom.fr/archived/index/printcontract/archived_id/X", where X is an integer, made it possible to move from one contract to the next simply by changing X: a textbook insecure direct object reference, since the identifier alone selected the record and nothing checked who was asking for it. In total, the data of 2,176,236 customers was accessible this way. Bouygues Telecom states that only B & You customers were affected, and that Bouygues Telecom customers and business customers were not concerned.
The vulnerability stems from the merger of the Bouygues Telecom and B & You brands in 2015. A separate database for former B & You customers was kept so that these customers could still access their contracts and invoices. It is this database that was exposed.
To run tests during the database merge, the authentication check was disabled in the page's code and was never re-enabled when the page went live. A fix was quickly deployed, and the URL above now returns an error message for unauthenticated access.
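The following is an added illustration, not Bouygues Telecom's code, of the flaw class the article describes: a contract lookup keyed on a sequential archived_id whose authentication check is a toggle that shipped disabled, beside a hardened version of the same handler. The contract table, customer names and the Request/Response types are constructed for the example.

```python
"""Constructed example of an insecure direct object reference (IDOR) on a
sequential archived_id, with the authentication check left disabled, next to
the hardened handler. Not the operator's code; all data below is made up."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed sample data: archived_id -> (owner customer id, contract text).
CONTRACTS: Dict[int, Tuple[str, str]] = {
    1001: ("cust-A", "Contract of customer A"),
    1002: ("cust-B", "Contract of customer B"),
    1003: ("cust-C", "Contract of customer C"),
}


@dataclass
class Request:
    archived_id: int
    session_customer: Optional[str] = None  # None means no authenticated session


@dataclass
class Response:
    status: int
    body: str


# Test toggle of the kind left behind during a migration. While it is False,
# anyone on the internet can read any contract by picking an archived_id.
CHECK_AUTH = False


def print_contract_vulnerable(req: Request) -> Response:
    """Handler as shipped: auth is optional and ownership is never checked."""
    if CHECK_AUTH and req.session_customer is None:
        return Response(401, "login required")
    # The identifier alone selects the record: no link to the caller at all.
    rec = CONTRACTS.get(req.archived_id)
    if rec is None:
        return Response(404, "not found")
    return Response(200, rec[1])


def print_contract_hardened(req: Request) -> Response:
    """Hardened handler: authentication always enforced, then an ownership check."""
    # 1. Authentication is not configurable; an anonymous caller is always refused.
    if req.session_customer is None:
        return Response(401, "login required")
    rec = CONTRACTS.get(req.archived_id)
    # 2. Authorization: the record must belong to the caller. The same 404 is
    #    returned for "absent" and "not yours" so the id space cannot be probed.
    if rec is None or rec[0] != req.session_customer:
        return Response(404, "not found")
    return Response(200, rec[1])


def enumerate_contracts(handler: Callable[[Request], Response], lo: int, hi: int,
                        session: Optional[str] = None) -> Dict[int, str]:
    """Walk an id range the way the report describes, keeping every 200 response."""
    found: Dict[int, str] = {}
    for archived_id in range(lo, hi + 1):
        resp = handler(Request(archived_id, session))
        if resp.status == 200:
            found[archived_id] = resp.body
    return found


if __name__ == "__main__":
    leaked = enumerate_contracts(print_contract_vulnerable, 1000, 1010)
    print(f"vulnerable handler, no session: {len(leaked)} contracts read")
    print("hardened handler, no session:", enumerate_contracts(print_contract_hardened, 1000, 1010))
    print("hardened handler, cust-B:", enumerate_contracts(print_contract_hardened, 1000, 1010, "cust-B"))
```

Two points carry over from the example to the real case. The root cause is not the missing check itself but the fact that it was a switch at all: a bypass added for testing must not be reachable by the production build, and a review of the page before go-live would have caught `CHECK_AUTH = False`. Independently of that, an authenticated customer must still only reach their own records; with sequential identifiers, a per-record ownership check is what stops one logged-in customer from walking the whole table.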
A 250,000 euro penalty
After proceedings that ran until November 15, the CNIL found that Bouygues Telecom had breached its obligation to ensure the security of its site users' personal data and imposed a financial penalty of 250,000 euros on the company.
The operator has two months to appeal before the Conseil d'État. FrAndroid has contacted Bouygues Telecom to ask whether the group intends to do so and is awaiting a reply.