SlimPay fined €180k after 12 million customers' bank data publicly accessible for 5 years

Updated SlimPay, a Paris-based subscription payment services company, has been fined €180,000 by the French CNIL regulatory body after it was found to have held sensitive customer data on a publicly accessible server for five years.

The firm describes itself as a leader in recurring payments for subscriptions, and provides an API and processing service to take care of such payments on behalf of client organisations, which include Unicef, BP, and OVO Energy, to name but a few.

However, it appears that in 2015 SlimPay undertook an internal research project into an anti-fraud mechanism, for which it used personal data contained in its customer databases for testing purposes. Using real data is a good way to ensure that development code is working as expected before live deployment, but when you are dealing with sensitive information such as bank account details, great care must be taken not to fall foul of data protection regulations.

Alas, according to CNIL (Commission nationale de l'informatique et des libertés), when SlimPay's research project ended in July 2016, the data was left in place on a server that was freely accessible from the public internet without any security procedures in place. Worse still, the company was apparently unaware of this situation until February 2020, when one of SlimPay's customers became aware of the server and tipped it off.

To its credit, SlimPay appears to have taken immediate action to isolate the server and secure the data, after which it notified CNIL of the data breach, on February 17.

In a later data breach notification, the firm disclosed more details on the security incident, including the number of people and the type of personal data affected by the data breach. This comprised debtor data from SlimPay merchant clients corresponding to approximately 12 million people, consisting of their postal, electronic, and telephone contact details, and banking information such as Bank Identifier Code (BIC) and International Bank Account Number (IBAN).

• Police National Computer not pwned by Clop ransomware crims, insists Home Office
• Pen Test Partners: Anyone could view Gumtree users' GPS location by pressing F12
• UK data watchdog fines government office for disclosing New Year's gong list
• Singaporean regulator punishes biggest-ever data breach: Almost 5.9 million hotel customers' info exposed

A subsequent investigation carried out by CNIL found multiple breaches concerning the processing of personal data of customers, and the restricted committee – the CNIL body responsible for issuing sanctions – concluded that SlimPay had failed to comply with several General Data Protection Regulation (GDPR) requirements.

These included failure to comply with the obligation to provide a formal legal framework for the processing operations carried out by a processor (Article 28 of GDPR) as some contracts between SlimPay and its service providers do not contain all the clauses to ensure the processors commit themselves to processing personal data in compliance with GDPR, as well as failure to ensure the security of personal data (Article 32 of GDPR).

CNIL also found that SlimPay had failed to inform data subjects of a personal data breach (Article 34 of GDPR). Given the nature of the personal data (such as bank details), and the potential consequences for those concerned of this data being exposed, CNIL concluded that the risk associated with the breach should be considered high and that the company should have informed all the affected individuals, which it did not do.

According to CNIL, SlimPay defended itself by claiming none of the people affected had informed it of any fraudulent use of their personal data and claimed an audit by a third-party firm showed the data had not been exploited by an attacker. This cut no ice with the regulatory body, which stated that the absence of proven harm to data subjects has no effect on the existence of the security deficiency.

We contacted SlimPay for comment, and will update if we get a response from the company.

The official announcement (in French) is available here. ®

Updated to add at 0930 UTC, 6 January 2022:

SlimPay has been in touch since the publication of this article to say:

"In 2015, within the framework of its regulatory obligations in respect of the fight against fraud, money laundering and financing of terrorism, SlimPay opened a server dedicated to research and separate from the production environment. The research activities on this server were completed in 2016.

"At the beginning of 2020, SlimPay discovered a security flaw on this server, which we corrected immediately, thereby closing this isolated incident. Note that the data on the server was encrypted and difficult to visualize. As required by law, we swiftly notified the CNIL (the French Data Protection Authority) and the merchants affected by the incident."

It also added that a "dark web investigation was carried out in August 2021 by a third party commissioned by SlimPay" that "did not reveal any data leaks."

It added: "Regardless of this incident, we are committed to implementing measures which meet the expectations of the GDPR, and have been doing so since its enforcement began in 2018."

"Please note as well that in 2021, we acquired a level 1 PCI DSS (Payment Card Industry Data Security Standard) certification, the highest level, in terms of banking details."