FR | Security Measures | Other | Decision: 2019-06-28

Sergic

€400K

Issued by Commission Nationale de l'Informatique et des Libertés (CNIL) on 2019-06-28

What happened

The CNIL fined Sergic, a French real estate management company, €400,000 for a security vulnerability that exposed tenants' and rental applicants' personal documents online. The company's website allowed users to upload identity documents, tax returns, bank statements, and other sensitive files as part of rental applications. However, a vulnerability in the system meant that by simply modifying a URL, anyone could access documents uploaded by other users without authentication. The flaw exposed highly sensitive personal data of thousands of individuals. Despite being alerted to the vulnerability, Sergic took several months to fix it. The CNIL also found that the company retained personal data of unsuccessful applicants for excessive periods.

Articles violated

Art. 5(1)(e) GDPR
Art. 32 GDPR

Lessons learned

Web applications handling sensitive documents must enforce proper access controls: modifying a URL should never expose another user's data. This type of Insecure Direct Object Reference (IDOR) vulnerability is basic and preventable, and it is fixed by checking on every request that the authenticated user is authorized for the specific object being requested, not merely that a document with that identifier exists. Companies must respond immediately when informed of security vulnerabilities. Real estate companies handle highly sensitive documents and must implement security measures proportionate to that sensitivity. Data retention policies must ensure that unsuccessful applicants' data is deleted within a reasonable timeframe.
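The two controls the decision turns on, an object-level authorization check on document downloads and a retention purge for closed applications, are illustrated below in an added example. This code is not from the decision or from Sergic's systems; the in-memory store, the account names, the sequential document ids and the dates are constructed for illustration, and the 90-day retention window is an assumed policy value, not one the decision states.

```python
"""Added example (not from the CNIL decision or the company's code): a
document-download endpoint without an ownership check beside its hardened
form, plus a retention purge for closed rental applications.
All ids, accounts, dates and the retention window are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional
import secrets


@dataclass
class Document:
    doc_id: str
    owner: str                               # account that uploaded the file
    kind: str                                # e.g. "id_card", "tax_return"
    uploaded: date
    application_closed: Optional[date] = None  # set when the application ended
    content: bytes = b""


class NotFound(Exception):
    """Raised for both 'no such document' and 'not yours' so that ids cannot be
    probed for existence."""


def new_doc_id() -> str:
    # Unguessable identifier: defence in depth only. It never replaces the
    # ownership check, because ids still leak through logs, referers and sharing.
    return secrets.token_urlsafe(16)


class DocumentStore:
    def __init__(self) -> None:
        self._docs: Dict[str, Document] = {}

    def add(self, owner: str, kind: str, content: bytes, uploaded: date,
            doc_id: Optional[str] = None,
            application_closed: Optional[date] = None) -> str:
        doc_id = doc_id or new_doc_id()
        self._docs[doc_id] = Document(doc_id, owner, kind, uploaded,
                                      application_closed, content)
        return doc_id

    def download_unchecked(self, doc_id: str) -> bytes:
        """The IDOR pattern: any caller who supplies a valid id gets the file.
        Authentication alone does not help, because the check that is missing
        is authorization for this particular object."""
        doc = self._docs.get(doc_id)
        if doc is None:
            raise NotFound(doc_id)
        return doc.content

    def download(self, requester: str, doc_id: str) -> bytes:
        """Hardened form: look the object up, then verify that the
        authenticated account owns it before returning anything."""
        doc = self._docs.get(doc_id)
        if doc is None or doc.owner != requester:
            raise NotFound(doc_id)
        return doc.content

    def purge_expired(self, today: date, retention_days: int) -> List[str]:
        """Delete documents of closed applications older than the retention
        window (Art. 5(1)(e) storage limitation). Returns the ids removed."""
        cutoff = today - timedelta(days=retention_days)
        expired = [d.doc_id for d in self._docs.values()
                   if d.application_closed is not None
                   and d.application_closed <= cutoff]
        for doc_id in expired:
            del self._docs[doc_id]
        return expired


def can_download(store: DocumentStore, requester: str, doc_id: str) -> bool:
    """True if the hardened endpoint would serve the file to this requester."""
    try:
        store.download(requester, doc_id)
        return True
    except NotFound:
        return False


def build_sample_store() -> DocumentStore:
    # Constructed data: two applicants with sequential ids, which is what makes
    # the unchecked endpoint enumerable by editing the id in the URL.
    store = DocumentStore()
    store.add("alice", "tax_return", b"alice-tax-2018", date(2019, 5, 1),
              doc_id="1001")
    store.add("bob", "id_card", b"bob-id-card", date(2019, 1, 10),
              doc_id="1002", application_closed=date(2019, 1, 15))
    return store


if __name__ == "__main__":
    store = build_sample_store()
    # Unchecked endpoint serves bob's file to anyone who increments the id.
    print(store.download_unchecked("1002"))
    # Hardened endpoint refuses the same request from alice.
    print(can_download(store, "alice", "1002"), can_download(store, "bob", "1002"))
    # Retention purge with an assumed 90-day window removes bob's closed file.
    print(store.purge_expired(date(2019, 6, 28), retention_days=90))
```

The key design point is that the ownership comparison happens on every request against the authenticated identity, and that a document that exists but belongs to someone else is reported exactly like one that does not exist.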

Source

View original decision
