SlimPay fined €180k after having 12 million customers' data publicly accessible for five years

SlimPay, a Paris-based subscription payment service company, was fined €180k after leaving 12 million customers’ data on a publicly accessible server for five years.

SlimPay claims to be a leader in recurring payments for subscriptions and provides API and processing services. The company counts some well-known names among its clients, such as Unicef, BP, and OVO Energy, to name but a few.

The problem seems to have originated in 2015, when SlimPay used personal data from its customer databases for testing purposes while carrying out an internal research project into an anti-fraud mechanism. Real data is convenient for this, as it ensures the code under development produces the expected results. Handling such sensitive information is dangerous, however, because it can be abused by bad actors, and utmost care must be taken not to neglect any data protection regulations.
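As an added illustration, not part of the original article, the Python below shows one way to derive a test copy of debtor records of the kind described here: contact details and IBANs are replaced with keyed pseudonyms, while each IBAN keeps its country code, length and a valid mod-97 checksum so that anti-fraud code under test still receives well-formed input. The key, field names and sample record are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed placeholder key: a real one lives in a secrets store, never beside the test data.
PSEUDONYM_KEY = b"example-key-rotate-me"

def _digits(key: bytes, value: str, n: int) -> str:
    """n decimal digits derived deterministically from value under key (HMAC-SHA256, counter-extended)."""
    out = ""
    for counter in range(n // 32 + 1):
        mac = hmac.new(key, f"{counter}:{value}".encode(), hashlib.sha256).digest()
        out += "".join(str(b % 10) for b in mac)
    return out[:n]

def _to_numeric(s: str) -> int:
    """ISO 13616 letter expansion: A..Z -> 10..35, digits unchanged."""
    return int("".join(str(ord(c) - 55) if c.isalpha() else c for c in s))

def iban_is_valid(iban: str) -> bool:
    """Mod-97 check: rotate the first four characters to the end; the expanded number must be 1 mod 97."""
    s = iban.replace(" ", "").upper()
    if len(s) < 5 or not s.isalnum():
        return False
    return _to_numeric(s[4:] + s[:4]) % 97 == 1

def pseudonymize_iban(iban: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Swap the BBAN for key-derived digits and recompute the check digits: country code, length and
    checksum stay valid for the code under test, but the real account is unrecoverable without the key."""
    s = iban.replace(" ", "").upper()
    country, bban = s[:2], _digits(key, s, len(s) - 4)
    check = 98 - _to_numeric(bban + country + "00") % 97
    return f"{country}{check:02d}{bban}"

def pseudonymize_record(rec: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Test-safe copy of a debtor record; the same real record always maps to the same pseudonyms."""
    tag = _digits(key, rec["iban"], 8)  # stable per-customer token, so joins across tables still line up
    return {
        "customer_id": rec["customer_id"],
        "email": f"debtor{tag}@example.invalid",  # reserved TLD: can never reach a real mailbox
        "phone": rec["phone"][:3] + _digits(key, rec["phone"], len(rec["phone"]) - 3),
        "postal_address": "REDACTED",  # free text: drop rather than transform
        "bic": rec["bic"],  # identifies the bank, not the person, so it can stay
        "iban": pseudonymize_iban(rec["iban"], key),
    }

# Constructed sample (not real data): the IBAN is the published ISO/Wikipedia example value and the
# phone number is in the UK range reserved for fiction.
SAMPLE = {"customer_id": 42, "email": "jane@example.com", "phone": "+447700900123",
          "postal_address": "1 Example Street, London", "bic": "WESTGB2LXXX",
          "iban": "GB82WEST12345698765432"}
```

The pseudonymised dataset is what belongs on a research or test server; if the key is kept out of that environment, a copy left exposed discloses no real contact or bank details.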

According to CNIL (Commission nationale de l’informatique et des libertés), after SlimPay completed its research project in July 2016, the sample data it had used was left on a server that was freely accessible from the public internet, with no security procedures in place. More alarming still, it was not until February 2020 that one of SlimPay’s customers discovered the data on the server and informed the company.

SlimPay responded promptly to the tip-off by isolating the server and securing the data. It then notified CNIL of the data breach on February 17.

In its data breach notification, SlimPay stated the number of people and the types of data affected. The breach involved debtor data belonging to SlimPay’s merchant clients, corresponding to approximately 12 million people. The compromised data included postal, electronic, and telephone contact details, as well as banking information such as the Bank Identifier Code (BIC) and International Bank Account Number (IBAN).

CNIL’s investigation found further breaches concerning the processing of customers’ personal data, and its restricted committee, the CNIL body responsible for issuing sanctions, concluded that SlimPay had failed to comply with several General Data Protection Regulation (GDPR) requirements.

SlimPay defended itself by saying that none of the people affected by the data breach had reported any fraudulent use of their personal data. It claimed that an audit by a third-party firm showed the data had not been exploited by an attacker.

The regulator, however, made it clear that the absence of proven harm to data subjects has no bearing on the existence of the security deficiency. It confirmed that the risk associated with the breach was high and that the company should have informed all affected individuals, which it failed to do.
