SlimPay fined €180k after 12 million customers’ bank data publicly accessible for 5 years

From theregister.com

SlimPay, a Paris-based subscription payment services company, has been fined €180,000 by the French CNIL regulatory body after it was found to have held sensitive customer data on a publicly accessible server for five years.

The firm describes itself as a leader in recurring payments for subscriptions, and provides an API and processing service to take care of such payments on behalf of client organisations, which include Unicef, BP, and OVO Energy, to name but a few.

However, it appears that in 2015 SlimPay undertook an internal research project into an anti-fraud mechanism, for which it used personal data contained in its customer databases for testing purposes. Using real data is a good way to ensure that development code is working as expected before live deployment, but when you are dealing with sensitive information such as bank account details, great care must be taken not to fall foul of data protection regulations.
