Voyageurs du monde: CNIL Seeks €1.8M Fine After 8,000 Passport Leak
The National Commission on Informatics and Liberty (CNIL) has requested a fine of 1.8 million euros against the travel agency Voyageurs du monde. This penalty follows a cyberattack in May 2023 that exposed 8,000 customer passport copies and several breaches of data protection rules identified during the authority's inspection.
Cyberattack and Multiple Violations Observed
In May 2023, Voyageurs du monde suffered a cyberattack that resulted in the online dissemination of 8,000 copies of its customers' passports. Following this incident, the CNIL conducted checks and noted five breaches of data protection rules. Four of these were corrected by the company following the authority's recommendations.
Dispute Over Customer Data Retention
The breach contested by Voyageurs du monde concerns the duration of customer data retention. The company justifies retaining this information for ten years due to the importance of the return customer rate for its profitability. According to Alain Capestan, the general manager, customers spend an average of 17,000 euros on their unique trips and expect the company to know their profiles during future purchases, even several years after their first trip.
CNIL's Objection to Retention Duration
The CNIL's rapporteur judged that the justifications provided by Voyageurs du monde are not sufficient to maintain a ten-year retention period. She noted that this duration does not correspond to any legal basis for client file data according to the applicable regulatory framework. The final decision of the authority will be issued later.
