MOBIUS SOLUTIONS LTD Fined €1 Million for GDPR Violations in DEEZER Data Breach
On 11 December 2025, France’s data protection authority, the CNIL, imposed a €1 million fine on MOBIUS SOLUTIONS LTD, the processor behind a 2022 data breach affecting DEEZER users. The penalty stems from multiple GDPR violations, including unlawful data retention, unauthorized use of personal data, and failure to maintain processing records.
Key Details of the Breach
In November 2022, DEEZER reported that 46 million users’ data had been exposed on the dark web, tracing the incident to MOBIUS SOLUTIONS LTD, its former processor for personalized advertising campaigns. Investigations conducted by the CNIL in 2023 and 2024 revealed three major compliance failures:
- Unlawful Data Retention (Article 28.3.g GDPR)
  MOBIUS SOLUTIONS LTD retained a copy of DEEZER’s user data after contract termination, despite its obligation to delete it. While the company claimed the data was copied by employees without authorization, the CNIL held it accountable, as the information was stored on a non-production environment alongside other clients’ data, creating security risks.
- Unauthorized Data Use (Article 29 GDPR)
  The company copied DEEZER’s data and used it to improve its own advertising platform, without explicit instructions to do so. MOBIUS SOLUTIONS LTD argued this was within contractual scope, but the CNIL ruled that no clause permitted such use without the controller’s approval.
- Failure to Maintain Processing Records (Article 30 GDPR)
  As a processor, MOBIUS SOLUTIONS LTD was required to document its data processing activities but did not comply, violating GDPR transparency obligations.
Jurisdiction & Fine Justification
Though MOBIUS SOLUTIONS LTD is not EU-based, the CNIL asserted jurisdiction under GDPR’s behavioral monitoring provisions, as the company processed DEEZER’s user data for targeted advertising. The €1 million fine reflects the severity of the breaches, the scale of affected individuals (46M+ users), and the company’s financial capacity.
The CNIL’s decision was made public, underscoring the enforcement of GDPR compliance for third-party processors, even those operating outside the EU.
Source: https://www.cnil.fr/en/data-breach-mobius-solutions-ltd-fined-eu1-million
Mobius Solutions Ltd cybersecurity rating report: https://www.rankiteo.com/company/mobius-solutions-ltd
"id": "MOB1766181598",
"linkid": "mobius-solutions-ltd",
"type": "Breach",
"date": "12/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '46,000,000',
'industry': 'Music Streaming',
'location': 'France',
'name': 'DEEZER',
'type': 'Data Controller'},
{'industry': 'Advertising Technology',
'name': 'MOBIUS SOLUTIONS LTD',
'type': 'Data Processor'}],
'data_breach': {'data_exfiltration': 'Yes (posted on dark web)',
'number_of_records_exposed': '46,000,000',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'Personally identifiable information '
'(PII)',
'type_of_data_compromised': 'User data (unspecified)'},
'date_detected': '2022-11',
'date_publicly_disclosed': '2025-12-19',
'description': 'On 11 December 2025, the CNIL imposed a fine on MOBIUS '
'SOLUTIONS LTD, the processor behind a data breach affecting '
'users of DEEZER. The company was fined €1 million for failing '
'to comply with the applicable rules regarding subcontracting, '
'including unlawful retention of data, unauthorized use of '
'data, and failure to maintain a record of processing '
'activities.',
'impact': {'brand_reputation_impact': 'Yes',
'data_compromised': 'Yes',
'financial_loss': '€1,000,000 (fine)',
'identity_theft_risk': 'Yes',
'legal_liabilities': 'Yes'},
'initial_access_broker': {'data_sold_on_dark_web': 'Yes'},
'investigation_status': 'Completed (CNIL investigation concluded in 2025)',
'lessons_learned': 'Processors must strictly adhere to GDPR obligations, '
'including data deletion at the end of contractual '
'relationships, compliance with controller instructions, '
'and maintenance of processing records. Unauthorized data '
'retention and misuse can lead to significant fines and '
'reputational damage.',
'motivation': 'Unauthorized data retention and misuse',
'post_incident_analysis': {'corrective_actions': ['Implement automated data '
'deletion processes at the '
'end of contracts.',
'Enforce strict access '
'controls and employee '
'training on GDPR '
'compliance.',
'Develop and maintain a '
'record of processing '
'activities.'],
'root_causes': ['Failure to delete data at the end '
'of the contractual relationship '
'with DEEZER.',
'Unauthorized copying and use of '
"DEEZER's data by employees for "
'internal purposes.',
'Lack of a record of processing '
'activities as required by GDPR.']},
'recommendations': ['Ensure all data is deleted at the end of contractual '
'relationships with data controllers.',
'Obtain explicit instructions from data controllers '
'before using their data for any purpose.',
'Maintain an up-to-date record of processing activities '
'as required by GDPR Article 30.',
'Implement strict access controls and monitoring to '
'prevent unauthorized data copying or misuse by '
'employees.',
'Regularly audit data storage environments to ensure '
'compliance with GDPR and contractual obligations.'],
'references': [{'date_accessed': '2025-12-19', 'source': 'CNIL'}],
'regulatory_compliance': {'fines_imposed': '€1,000,000',
'legal_actions': 'CNIL sanction',
'regulations_violated': ['GDPR Article 28.3.g',
'GDPR Article 29',
'GDPR Article 30'],
'regulatory_notifications': 'Yes (CNIL notified by '
'DEEZER in November '
'2022)'},
'stakeholder_advisories': 'CNIL decision made public to highlight GDPR '
'compliance risks for processors.',
'title': 'MOBIUS SOLUTIONS LTD fined €1 million for GDPR violations related '
'to DEEZER data breach',
'type': 'Data Breach'}