
Five identical cyber attacks were not enough for Carrefour to react. So it has been fined 3.2 million euros

The Spanish Data Protection Agency (AEPD) has imposed a fine of 3.2 million euros on Carrefour for alleged infringements of several articles of the GDPR (RGPD in Spanish). The surprising thing is not the fine itself, but the fact that these infringements stemmed not from a single cyber attack, but from five, all of them exactly the same.

Security breaches. Carrefour notified the AEPD of up to five personal data security breaches, all involving illegitimate access to customer accounts. The breaches occurred on January 13, January 20, January 24, April 18 and April 21, 2023, all using the same technique.

Credential stuffing. Everything indicates that these breaches were carried out by abusing credentials (username and password) of legitimate Carrefour employees that had ended up leaked and in the hands of the attackers, probably through earlier mass data thefts. Credential stuffing works because people reuse passwords: a username/password pair leaked from one service is replayed, at scale, against the login form of another.

Stolen data. The affected data included first name, surname, email address, telephone number, DNI (national ID number), physical address and customer passport number, as well as information on the customers' interests, purchasing trends and commercial preferences.

Thousands affected. According to the AEPD, 118,895 unique accounts were affected, from which the attacker could obtain personal information. According to Carrefour, the real impact was much smaller: only 234 cases affected people's integrity and 973 cases the confidentiality of their data.

Several serious infringements. Carrefour acknowledged its responsibility for the alleged infringement of Article 34 of the GDPR (communication of the breaches to the affected people), but initially did not consider that communication "mandatory". In addition, the AEPD concluded that Carrefour infringed the principle of integrity and confidentiality (Article 5.1(f) of the GDPR) by allowing third parties illegitimate access to personal data.

And lack of diligence. According to the AEPD, Carrefour had not implemented the technical measures necessary to guarantee a level of security appropriate to the risk, and the agency also accused it of a lack of diligence. Carrefour did end up offering a two-factor authentication option, but only from October 2023, by which time the five security breaches had already taken place.
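The pattern described in the credential-stuffing paragraph above has a recognisable shape in authentication logs: one source tries many different accounts, once or twice each, with a low but non-zero success rate, which is the opposite of a classic brute-force attack against a single account. The following is an added example, not code from Carrefour, the AEPD or the article's author; it runs a simple sliding-window heuristic over a constructed, hypothetical log format and lists the accounts that authenticated successfully from a flagged source, which are the accounts whose owners would need a password reset and, under Article 34, a breach notification.

```python
"""Heuristic credential-stuffing detection over authentication logs.

Added illustrative example; the log format, thresholds and sample lines
are all constructed for this demonstration, not real customer data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, hypothetical format:
# "<ISO timestamp> <OK|FAIL> <username> <source IP>"
SAMPLE_LOG = """\
2023-01-13T08:00:01 FAIL u001@example.com 203.0.113.10
2023-01-13T08:00:03 FAIL u002@example.com 203.0.113.10
2023-01-13T08:00:05 OK   u003@example.com 203.0.113.10
2023-01-13T08:00:07 FAIL u004@example.com 203.0.113.10
2023-01-13T08:00:09 FAIL u005@example.com 203.0.113.10
2023-01-13T08:00:11 OK   u006@example.com 203.0.113.10
2023-01-13T08:00:13 FAIL u007@example.com 203.0.113.10
2023-01-13T08:00:15 FAIL u008@example.com 203.0.113.10
2023-01-13T08:01:00 FAIL carol@example.com 198.51.100.7
2023-01-13T08:01:20 OK   carol@example.com 198.51.100.7
2023-01-13T08:02:00 FAIL dave@example.com 192.0.2.55
2023-01-13T08:02:30 FAIL dave@example.com 192.0.2.55
2023-01-13T08:03:00 FAIL dave@example.com 192.0.2.55
"""


def parse_log(text):
    """Parse log lines into (timestamp, success, username, ip), sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), result == "OK", user, ip))
    return sorted(events, key=lambda e: e[0])


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag source IPs that hit >= min_distinct_users distinct accounts inside
    any sliding window of the given length.

    Brute force: many attempts against one account.  Credential stuffing: one
    or two attempts each against many accounts, with a few successes where
    the leaked password was reused.  Returns
    {ip: {"distinct_users": n, "attempts": a, "compromised": [users with OK]}}.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        recent = deque()  # events inside the current window (evs is time-sorted)
        peak_users = 0
        for ev in evs:
            recent.append(ev)
            while ev[0] - recent[0][0] > window:
                recent.popleft()
            peak_users = max(peak_users, len({e[2] for e in recent}))
        if peak_users >= min_distinct_users:
            findings[ip] = {
                "distinct_users": peak_users,
                "attempts": len(evs),
                "compromised": sorted({e[2] for e in evs if e[1]}),
            }
    return findings


def accounts_to_notify(findings):
    """Accounts that logged in successfully from a flagged source: their
    credentials are presumed compromised, so they need a forced password
    reset and (GDPR Article 34) a notification to the data subject."""
    return sorted({u for f in findings.values() for u in f["compromised"]})


if __name__ == "__main__":
    result = detect_credential_stuffing(parse_log(SAMPLE_LOG))
    for ip, finding in result.items():
        print(ip, finding)
    print("notify:", accounts_to_notify(result))
```

In the constructed sample, 203.0.113.10 is flagged (eight different accounts in 14 seconds, two of them successful), while the user who mistypes a password once and the user who fails three times on a single account are not. In practice the same logic is run per IP range or per device fingerprint as well, because stuffing tools rotate source addresses; the threshold and window are tuning parameters, and a rate limit or step-up to two-factor authentication on the flagged source is the usual automated response.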

The fine, broken down. The total fine is 3.2 million euros, but it is actually made up of three items:

  1. Infringement of the principle of integrity and confidentiality (very serious): two million euros
  2. Infringement relating to data processing (serious): one million euros
  3. Infringement relating to communication to the data subjects (minor): 200,000 euros

Not protecting customer data is expensive. Iberdrola received an even larger fine of 6.5 million euros last year after falling victim to a cyber attack that exposed the data of 850,000 customers. Earlier, in July 2021, the AEPD fined Mercadona 2.5 million euros for a violation of users' privacy: in that case, for a facial recognition pilot it had run months earlier, which set a precedent for this type of system.

With this data, one threat: identity theft. Whenever customer data is stolen there is a clear threat: that it will be used to impersonate those customers. With this kind of data it is possible to build personalised, targeted scams that are far more credible and dangerous for the victims. The other immediate risk is that cybercriminals use these credentials to try to take over accounts on all kinds of services, which is why it is so important not to use the same password on different platforms.

Image | Xataka

In Xataka | We visited the CNI's National Cryptologic Centre: this is the epicentre of Spanish cybersecurity
