In July 2016, the CNIL was informed of a personal data breach on the site www.ouicar.fr, a platform for renting vehicles between individuals.
The CNIL then carried out two inspections, in July and August 2016: the first online and the second on the company's premises. It found that the data of all the site's users were accessible by typing into the browser's address bar two URLs ("Uniform Resource Locator") corresponding to application programming interfaces (APIs).
The CNIL thus found that it was possible to access the data of all the site's users, that is to say their surname, first name, address, telephone number, date of birth, driving licence number and the location of the vehicle offered for rental, simply by modifying in the URL the variable corresponding to each user's identifier. This data breach concerned several hundred thousand people.
Having been informed of the first CNIL inspection, the company immediately took measures to end the data breach.
The on-site investigations established that this exposure had lasted nearly three years and stemmed from a basic security flaw. In particular, the company should have implemented an authentication process restricting access to the data to authorised persons only, which would have prevented any Internet user from reaching it.
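The flaw described above, as an added illustration that is not OuiCar's code: a user-record API endpoint keyed by the identifier in the URL, first in the unauthenticated shape the CNIL describes, then hardened with an authentication step and an ownership check on the requested record. The user records, session tokens and identifiers are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample records of the kind the breach exposed.
USERS = {
    101: {"name": "Durand", "first_name": "Alice", "phone": "+33 6 00 00 00 01",
          "licence_number": "CONSTRUCTED-101", "vehicle_location": "Paris"},
    102: {"name": "Martin", "first_name": "Bob", "phone": "+33 6 00 00 00 02",
          "licence_number": "CONSTRUCTED-102", "vehicle_location": "Lyon"},
}
# Constructed session store: bearer token -> authenticated user id.
SESSIONS = {"token-alice": 101, "token-bob": 102}


@dataclass
class Request:
    user_id: int                      # taken from the URL variable, caller-controlled
    auth_token: Optional[str] = None  # Authorization header, absent for anonymous callers


def vulnerable_get_user(req: Request) -> Tuple[int, Optional[dict]]:
    """Serves whatever identifier appears in the URL: the flaw the CNIL found."""
    record = USERS.get(req.user_id)
    return (200, record) if record else (404, None)


def hardened_get_user(req: Request) -> Tuple[int, Optional[dict]]:
    """Authenticate the caller first, then authorise access to this specific record."""
    caller = SESSIONS.get(req.auth_token) if req.auth_token else None
    if caller is None:
        return (401, None)  # no valid session: refuse before any lookup
    if caller != req.user_id:
        return (403, None)  # authenticated, but not the owner of this record
    record = USERS.get(req.user_id)
    return (200, record) if record else (404, None)


def count_readable(handler, id_range, auth_token=None) -> int:
    """Access-control check: how many records does one caller obtain over an id range?"""
    return sum(1 for i in id_range if handler(Request(i, auth_token))[0] == 200)
```

Run `count_readable` over both handlers as a regression test: the unauthenticated handler returns every existing record to an anonymous caller, while the hardened one returns only the caller's own.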
Consequently, the President of the CNIL has appointed a rapporteur to initiate a sanction procedure.
The CNIL's restricted committee issued a warning to the company for having failed in its obligation to take all necessary measures to ensure the security of the personal data of the site's users, as required by Article 34 of the Loi Informatique et Libertés. Because the facts took place before the entry into force of the Law for a Digital Republic of 7 October 2016, only a warning could be imposed on the company. Henceforth, a financial penalty could be imposed in a similar case.