France’s data protection regulator has fined the software company Nexpublica France €1.7 million ($2 million) for poor cybersecurity practices in the wake of a data breach.

In November 2022, users of a Nexpublica portal reported they could access documents about third parties. France’s data regulator, known as CNIL, investigated the incident and found that Nexpublica’s data security program was inadequate, according to an agency press release.

On December 22, CNIL levied the fine, which it said is based on the company’s “financial capacity, its lack of knowledge of basic security principles, the number of people affected and the sensitivity of the data processed.” 

Nexpublica’s poor security practices violated Europe’s General Data Protection Regulation, CNIL said.

The security problems were known to the company before the breach, but it did not address them until after the incident, the agency added.