Facts: A notification is sent to the CNIL, which carries out an online check and warns the ADEF of a personal data breach (modifying the path of the URL displayed in the browser gave access to documents registered by other applicants: tax notices, passports, identity cards, residence permits, pay slips, CAF payment certificates, NIR, IBAN, etc., belonging to housing applicants who had registered on the association's website) and asks it to fix the breach. A few days later, the CNIL notes that, although the ADEF asked the company that developed its website to intervene, the data is still accessible.
Obligation of security and confidentiality of the personal data: basic measures taken before the site was developed could have prevented the breach: a mechanism to prevent the URL from being predictable, and a procedure for authenticating the users of the website.
Sanction: it would certainly have been higher if the ADEF had not cooperated with the CNIL.
Publication of the decision: in view of the gravity of the situation, given the open access and the volume of documents (42652), and bearing in mind the intimate and complete nature of the data concerned.
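The two measures named under the security obligation (non-predictable URLs and user authentication) can be shown side by side with the access pattern described in the facts. This is an added example, not code from the decision or from the ADEF website; the `DocumentStore` class, its method names, the user names and the sample documents are hypothetical and constructed for illustration.

```python
import secrets


class DocumentStore:
    """In-memory stand-in for an applicant document store (hypothetical)."""

    def __init__(self):
        self._by_seq = {}    # weak design: sequential number -> (owner, content)
        self._by_token = {}  # hardened design: random token -> (owner, content)
        self._next_seq = 1

    def upload(self, owner, content):
        seq = self._next_seq
        self._next_seq += 1
        token = secrets.token_urlsafe(32)  # 256 random bits, not guessable
        self._by_seq[seq] = (owner, content)
        self._by_token[token] = (owner, content)
        return seq, token

    def get_weak(self, seq):
        # Pattern described in the facts: the URL path alone selects the file,
        # with no session and no ownership check.
        record = self._by_seq.get(seq)
        return (200, record[1]) if record else (404, None)

    def get_hardened(self, session_user, token):
        # Measure 1: the caller must be authenticated.
        if session_user is None:
            return 401, None
        record = self._by_token.get(token)
        # Measure 2: random identifier plus ownership check. An unknown token
        # and another applicant's document get the same answer, so the
        # response does not confirm that a document exists.
        if record is None or record[0] != session_user:
            return 404, None
        return 200, record[1]


def demo():
    store = DocumentStore()
    a_seq, a_tok = store.upload("applicant-a", b"pay slip A (constructed)")
    b_seq, b_tok = store.upload("applicant-b", b"passport B (constructed)")
    return {
        "weak_adjacent_path": store.get_weak(a_seq + 1)[0],
        "hardened_no_session": store.get_hardened(None, b_tok)[0],
        "hardened_other_user": store.get_hardened("applicant-a", b_tok)[0],
        "hardened_owner": store.get_hardened("applicant-b", b_tok)[0],
        "tokens_differ": a_tok != b_tok,
    }
```

The ownership check is what closes the gap; the random token only removes the ability to guess neighbouring paths and is not a substitute for it.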