Wednesday, October 19, 2016

Cdiscount.com – The Cnil spoils its birthday party and puts the e-merchant on formal notice – ZDNet France

And that makes two. After the mobile app Gossip, it is the turn of the e-commerce site Cdiscount.com (18 years old this week) to be exposed in the public square for its many shortcomings in the management of personal data, but also in security.

For a merchant, the trust of internet users is essential. Yet Cdiscount could see that trust shaken after the decision handed down by the Cnil. The authority has chosen to issue a public warning and to put the site on formal notice.

4,000 bank records retained

It had been alerted by multiple complaints: 80 in 2015. These complaints concerned “technical failures that led to the disclosure of data to unauthorized third parties”. Several checks were carried out, and the conclusions are not very flattering.

Among the defects, no fewer than 10 in all, one stands out as the scarecrow of any e-merchant: a defect in the storage of bank data. Cdiscount retained more than 4,000 bank records “relating in part to the visual cryptograms (the card security codes), in a non-secure manner”.

Admittedly, for a site with 2 million visitors, this error is far from exposing all of its customers. But it is indicative of other bad practices, particularly in computer security. This failure must also be set alongside another breach noted by the Cnil.

In its public warning, Cdiscount is also taken to task for, among other things, the absence of consent for retaining buyers' bank details. Through the “flash” payment option, the site saves these data by default.

Ironically, the online retailer is also called to order for having put in place systems to fight bank fraud, but without having obtained authorization from the Cnil.

Consent: multiple oversights

Another failure to meet its obligations under the law, and no doubt also toward its own customers: the recording in its database of “non-relevant” comments about them (see image below).


These same customers, when creating an account with a view to a purchase, are not informed of the processing of their personal data. The site nonetheless collects data, and retains it “for an excessive period of time”, in particular through cookies placed on the user's device for 30 years.

Without even having made a purchase, a visitor picks up some 50 cookies, some of which serve advertising purposes, and this without valid consent being collected. For three of these cookies, the company even replied that it did not know their purpose.

“It appears that the site has not informed the persons concerned in a satisfactory manner and has not implemented any valid opt-out mechanism,” the Cnil rules. Nor do Cdiscount's practices ensure the security and confidentiality of its users' data. It is criticized for accepting the creation of passwords of only 5 characters, including very weak ones such as “12345”.

In total, the Cnil's checks uncovered 10 breaches. “Because of the number of deficiencies identified (…) and the potential volume of people concerned,” the authority therefore decided to make Cdiscount's formal notice public. Bad publicity in prospect, and no doubt not the gift it was expecting to celebrate its 18 years of existence. The site now has three months to rectify the situation.
