Security News > 2022 > January > SlimPay fined €180k after 12 million customers' bank data publicly accessible for 5 years

Using real data is a good way to ensure that development code is working as expected before live deployment, but when you are dealing with sensitive information such as bank account details, great care must be taken not to fall foul of data protection regulations.

In a later data breach notification, the firm disclosed more details on the security incident, including the number of people and the type of personal data affected by the data breach.

This comprised debtor data from SlimPay merchant clients corresponding to approximately 12 million people, consisting of their postal, electronic, and telephone contact details, and banking information such as Bank Identifier Code and International Bank Account Number.

A subsequent investigation carried out by CNIL found multiple breaches concerning the processing of personal data of customers, and the restricted committee - the CNIL body responsible for issuing sanctions - concluded that SlimPay had failed to comply with several General Data Protection Regulation requirements.

These included failure to comply with the obligation to provide a formal legal framework for the processing operations carried out by a processor as some contracts between SlimPay and its service providers do not contain all the clauses to ensure the processors commit themselves to processing personal data in compliance with GDPR, as well as failure to ensure the security of personal data.

According to CNIL, SlimPay defended itself by claiming none of the people affected had informed it of any fraudulent use of their personal data and claimed an audit by a third-party firm showed the data had not been exploited by an attacker.

News URL

https://go.theregister.com/feed/www.theregister.com/2022/01/04/slimpay_breach_fine/