Very interesting case, one that needs some closer analysis.
The fine is about 0.9% of SERGIC’s annual turnover in 2017.
During the online audit of September 7, 2018, CNIL agents retrieved files accessible from URLs composed as follows:
https: //www.crm.sergic .com / documents / upload / eresa / X.pdf
– where by changing X you could access another person's file. In other words, the only thing protecting these documents was knowing (or guessing) the URL.
SERGIC tries to argue that they shouldn't have done that, etc. – to no avail. CNIL observes that exploiting the vulnerability does not require any particular technical expertise in computer science. CNIL also considers that using a script to exploit this vulnerability does not require any advanced skills either.
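To make the CNIL's point concrete, here is an added example (my own illustration, not code from the decision and not SERGIC's code, which the decision does not show): a handler that serves `/documents/upload/eresa/X.pdf` to any logged-in user, the trivial enumeration "script" the CNIL has in mind, and the ownership check that closes the hole. The document store, the user names and the file contents are constructed for the example; the URL shape mirrors the one quoted above.

```python
"""Insecure direct object reference (IDOR) on a document URL, beside its fix.

Added example: the store, users and document contents below are constructed
for illustration and are not taken from the CNIL decision or from SERGIC.
"""
import re
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Document:
    doc_id: int      # sequential id: the "X" in .../eresa/X.pdf
    owner: str       # account that uploaded the document
    content: bytes


# Constructed sample store: documents uploaded by three different applicants.
DOCS: Dict[int, Document] = {
    1: Document(1, "alice", b"%PDF- alice tax return"),
    2: Document(2, "bob", b"%PDF- bob payslip"),
    3: Document(3, "carol", b"%PDF- carol id card"),
}

PATH_RE = re.compile(r"^/documents/upload/eresa/(\d+)\.pdf$")

Handler = Callable[[str, str], Tuple[int, bytes]]


def parse_doc_id(path: str) -> Optional[int]:
    """Extract X from /documents/upload/eresa/X.pdf; None if the path does not match."""
    m = PATH_RE.match(path)
    return int(m.group(1)) if m else None


def serve_vulnerable(session_user: str, path: str) -> Tuple[int, bytes]:
    """Vulnerable handler: the caller is authenticated (session_user is set),
    but nothing checks that the requested document belongs to that caller."""
    doc_id = parse_doc_id(path)
    if doc_id is None or doc_id not in DOCS:
        return 404, b""
    return 200, DOCS[doc_id].content


def serve_hardened(session_user: str, path: str) -> Tuple[int, bytes]:
    """Hardened handler: same lookup plus an ownership check. A foreign id gets
    404 rather than 403, so the response does not confirm that the id exists."""
    doc_id = parse_doc_id(path)
    if doc_id is None:
        return 404, b""
    doc = DOCS.get(doc_id)
    if doc is None or doc.owner != session_user:
        return 404, b""
    return 200, doc.content


def enumerate_as(handler: Handler, session_user: str, id_range: range) -> Dict[int, bytes]:
    """What the 'script' in the decision amounts to: walk the id space and keep
    every document the handler hands back to this one logged-in user."""
    found: Dict[int, bytes] = {}
    for x in id_range:
        status, body = handler(session_user, f"/documents/upload/eresa/{x}.pdf")
        if status == 200:
            found[x] = body
    return found


def new_document_path() -> str:
    """Defence in depth: an unguessable reference makes enumeration impractical.
    It complements the ownership check above; it does not replace it."""
    return f"/documents/upload/eresa/{secrets.token_urlsafe(32)}.pdf"


if __name__ == "__main__":
    leaked = enumerate_as(serve_vulnerable, "bob", range(1, 10))
    print("vulnerable handler, logged in as bob:", sorted(leaked))  # [1, 2, 3]
    kept = enumerate_as(serve_hardened, "bob", range(1, 10))
    print("hardened handler, logged in as bob:", sorted(kept))      # [2]
```

Run as a script, the vulnerable handler gives "bob" all three applicants' files after a ten-request loop; the hardened one gives him only his own. The fix that matters is the per-request ownership check; switching to random tokens only raises the cost of guessing and should be treated as an extra layer.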
(Should make good weekend reading.)
https://www.legifrance.gouv.fr/affichCnil.do?id=CNILTEXT000038552658