Hertz France must pay €40 000 fine in new digital law

The fine is the first of its kind in France for this type of data breach, after a new law “for a digital Republic” came into force in November 2016.

Names, addresses, and driving license numbers of 35 357 people were found easily accessible on "www.cartereduction-hertz.com", a website owned by Hertz France, after investigations by the CNIL (The Commission on computing and freedom; La Commission de l'informatique et des libertés).

The breach was traced back to an error by an outside subcontractor, who had been developing the site, and accidentally left it open to access after a change in server. An accidental deletion of a line of code meant that the details were re-published publicly.

The CNIL issued the fine after finding that the company had failed to take all possible measures to safeguard the security of personal details of its users.

“This is the first time that a monetary sanction has been given for a violation in data, under the umbrella of the Law for a Digital Republic came into force in November 2016,” explained the CNIL in a statement to Le Figaro newspaper.

“Before this law, only a warning could have been issued in a case such as this.”