French Regulator Fines Nexpublica €1.7 Million for Major Data Security Failures
In November 2022, users of Nexpublica’s portal discovered they could access sensitive third-party documents, prompting an investigation by France’s data protection authority, CNIL. The regulator determined that the software company’s security measures were severely inadequate, failing to meet basic cybersecurity standards.
On December 22, CNIL imposed a €1.7 million ($2 million) fine on Nexpublica France, citing the company’s financial capacity, its lack of fundamental security knowledge, the number of affected individuals, and the sensitivity of the exposed data. The breach underscored systemic vulnerabilities in Nexpublica’s data protection practices, raising concerns over the handling of confidential information.
The incident highlights the growing scrutiny of cybersecurity lapses by European regulators, particularly under GDPR, where non-compliance can result in significant financial penalties. Nexpublica’s case serves as a notable example of enforcement actions targeting companies that fail to implement essential safeguards.
Nexpublica cybersecurity rating report: https://www.rankiteo.com/company/nexpublica
{
  "id": "NEX1767101592",
  "linkid": "nexpublica",
  "type": "Breach",
  "date": "12/2022",
  "severity": "50",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
{'affected_entities': [{'customers_affected': True,
                        'industry': 'Technology',
                        'location': 'France',
                        'name': 'Nexpublica France',
                        'type': 'Software Company'}],
 'data_breach': {'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Third-party documents, sensitive '
                                             'data'},
 'date_detected': '2022-11',
 'date_publicly_disclosed': '2022-12-22',
 'description': 'In November 2022, users of a Nexpublica portal reported they '
                'could access documents about third parties. France’s data '
                'regulator (CNIL) investigated the incident and found that '
                'Nexpublica’s data security program was inadequate. CNIL '
                'levied a fine of €1.7 million ($2 million) based on the '
                'company’s financial capacity, lack of knowledge of basic '
                'security principles, the number of people affected, and the '
                'sensitivity of the data processed.',
 'impact': {'brand_reputation_impact': True,
            'data_compromised': True,
            'financial_loss': '€1.7 million ($2 million)',
            'identity_theft_risk': True,
            'legal_liabilities': True,
            'systems_affected': 'Nexpublica portal'},
 'investigation_status': 'Completed',
 'lessons_learned': 'Lack of basic security principles can lead to significant '
                    'financial and reputational damage.',
 'post_incident_analysis': {'root_causes': 'Inadequate data security program, '
                                           'lack of basic security principles'},
 'recommendations': 'Implement robust data security programs, adhere to '
                    'regulatory requirements, and ensure proper access '
                    'controls.',
 'references': [{'date_accessed': '2025',
                 'source': 'DataBreaches.net',
                 'url': 'https://databreaches.net'}],
 'regulatory_compliance': {'fines_imposed': '€1.7 million ($2 million)',
                           'regulations_violated': 'French data protection '
                                                   'regulations (CNIL)',
                           'regulatory_notifications': True},
 'title': 'Nexpublica Data Breach Due to Poor Cybersecurity Practices',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Inadequate data security program'}