The Spanish Data Protection Agency (AEPD) has sanctioned Carrefour for GDPR violations after the company suffered five security breaches in 2023 that affected almost 120,000 customers. The breaches occurred in January and April of that same year.

Cybercriminals accessed customer accounts using previously leaked usernames and passwords. This allowed them to extract data such as name, surnames, email, phone, ID, postal address, date of birth and even data related to savings programs. According to Carrefour, sensitive information was accessed in fewer than 1,000 cases, although the AEPD rejects this distinction, since it considers that any unauthorized access poses a significant risk.

Carrefour implemented two-factor authentication (2FA) only in October 2023, after the fifth attack. In addition, its systems allowed mass queries from multiple IPs without raising alerts, and the company did not properly notify all those affected.

The total fine includes sanctions for violating the integrity and confidentiality of data, for lacking adequate security measures, and for not properly communicating the breaches, amounting to up to 3.2 million euros. This case adds to recent sanctions imposed on Iberdrola and Mercadona of 6 and 2.5 million euros, respectively, highlighting the urgency of implementing and maintaining proactive cybersecurity measures in large companies.

Source: Engadget

Image Bordeaux, CC BY-SA 3.0, via Wikimedia Commons

