Privacy Daily is a service of Warren Communications News.

CNIL Publishes Guidance to Boost Security of Large Databases

The increased number of massive data leaks in France last year calls for tightening security when processing large volumes of data, French privacy watchdog CNIL said Wednesday. The incidents involved several million people and both public and private actors, it noted.

The information that entities provided to CNIL in their notifications, or that the agency obtained via checks, showed the violations were due to opportunistic attacks, which often follow similar procedures made possible by recurrent safety defects, CNIL said.

These include usurpation of legitimate user logins and IDs; failure to detect intrusions before datasets are put up for sale or other exploration; and use of subcontractors, as defined in the General Data Protection Regulation (GDPR), whose security measures were insufficient.

Organizations that deal with very large amounts of personal data must implement enhanced security measures, the watchdog said. Its guide to personal data security lays out the basic safety precautions, but the recent violations show that some basic measures must be strengthened to prevent security risks from large databases, it said. These include "customer" databases and customer relationship management software.

CNIL's guidance called for several key measures to secure large databases. Among other things, it recommended that access to information systems be secured via multifactor authentication. Organizations should stream, analyze and set limits on data flows through the information system. They should also treat human beings as security actors who receive regular awareness-raising tailored to their user profiles (such as collaborators, managers and developers).

The guidance also recommends monitoring data security with subcontractors.

CNIL said it plans to boost its actions to improve the security of personal data starting this year and had made cybersecurity one of the top priorities of its 2025-2028 strategic action plan.