CNIL Fines NEXPUBLICA FRANCE €1.7 Million for GDPR Security Failures

30 December 2025 at 03:25

France’s data protection authority, the CNIL, has imposed a €1.7 million GDPR fine on software company NEXPUBLICA FRANCE for failing to implement adequate cybersecurity measures. The penalty was announced on 22 December 2025 following an investigation into a data breach linked to the company’s PCRM software, widely used in the social services sector. The regulator said the GDPR fine reflects serious shortcomings in how the company protected sensitive personal data, despite being aware of long-standing security weaknesses before the breach occurred.

Data Breach Exposed Third-Party Documents

The case dates back to November 2022, when users of a Nexpublica online portal reported that they could access documents belonging to other individuals. These documents included personal files that should have been strictly restricted, raising immediate concerns about data security and access controls. Customers of NEXPUBLICA notified the CNIL after discovering that users could view third-party information through the portal. Given the nature of the data involved, the incident posed a high risk to individuals’ privacy and rights, prompting a formal investigation by the regulator.
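The CNIL summary above says only that logged-in portal users could open other people's documents; it does not describe the technical cause. The following is an added, generic example (not NEXPUBLICA's code and not derived from the CNIL decision) of the control such a portal needs: an object-level authorisation check on every document fetch, shown beside the weak pattern that authenticates the session but never ties the requested document id to it. The document store, the user ids and the audit log are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int              # the person the file is about
    caseworker_ids: frozenset  # staff assigned to that person's file
    body: str


# Constructed sample store: two individuals' files, one shared caseworker (id 50).
DOCS = {
    101: Document(101, 1, frozenset({50}), "file of individual 1"),
    102: Document(102, 2, frozenset({50}), "file of individual 2"),
}

# Constructed audit trail of refused requests (a real portal would ship these to its SIEM).
AUDIT_LOG: list = []


class Forbidden(Exception):
    """Raised when the caller may not read the requested document."""


def fetch_document_unchecked(session_user_id: int, doc_id: int) -> str:
    """Weak pattern: authentication only. The id comes straight from the
    request and is never related to the session, so any logged-in user can
    read any other person's file simply by changing it."""
    return DOCS[doc_id].body


def can_read(session_user_id: int, doc: Document) -> bool:
    """Object-level rule: the data subject or an assigned caseworker only."""
    return session_user_id == doc.owner_id or session_user_id in doc.caseworker_ids


def fetch_document(session_user_id: int, doc_id: int) -> str:
    """Hardened pattern: look the document up, then authorise on every access.
    A missing id and a foreign id get the same refusal, so the error text
    does not reveal which ids exist."""
    doc = DOCS.get(doc_id)
    if doc is None or not can_read(session_user_id, doc):
        AUDIT_LOG.append(f"denied user={session_user_id} doc={doc_id}")
        raise Forbidden(doc_id)
    return doc.body


def try_fetch(session_user_id: int, doc_id: int):
    """Convenience wrapper: returns None instead of raising on refusal."""
    try:
        return fetch_document(session_user_id, doc_id)
    except Forbidden:
        return None


def denial_count(session_user_id: int) -> int:
    """Refusals per account. A run of these against sequential ids from one
    session is the signal a monitoring rule should alert on."""
    prefix = f"denied user={session_user_id} "
    return sum(1 for entry in AUDIT_LOG if entry.startswith(prefix))
```

The point of the pairing is that the weak handler is not "missing authentication": the user is logged in. What it lacks is the check that the specific object belongs to that user, which has to be applied on each request rather than once at login.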

PCRM Software Used in Sensitive Social Services

NEXPUBLICA FRANCE, formerly known as INETUM SOFTWARE FRANCE, specializes in designing IT systems and software. One of its core products, PCRM, is a user relationship management tool used in social action services. It is notably deployed by Departmental Houses for the Disabled (MDPH) in several French departments. Because PCRM processes highly sensitive personal data, including information that can reveal a person’s disability, the CNIL stressed that a high level of security was required. The GDPR fine reflects the sensitivity of the data exposed and the potential harm caused to affected individuals.

CNIL Finds Serious Security Failures

Following its investigation, the CNIL concluded that the technical and organisational measures implemented to secure PCRM were insufficient. The regulator identified a general weakness in Nexpublica’s information system, along with structural vulnerabilities that had been allowed to persist over time. According to the CNIL, many of these vulnerabilities stemmed from a lack of knowledge of basic cybersecurity principles and current best practices. Several security flaws had already been identified in internal and external audit reports prior to the breach. Despite this, the company failed to correct the issues until after the data breaches were reported. This delay played a key role in the decision to impose the GDPR fine.

Violation of Article 32 of the GDPR

The CNIL ruled that Nexpublica violated Article 32 of the GDPR, which requires organisations to implement security measures appropriate to the level of risk. This includes considering the state of the art, implementation costs, and the risks posed to individuals’ rights and freedoms. The restricted committee, the CNIL body responsible for sanctions, found that Nexpublica did not meet these requirements. The situation was considered more serious because the company operates as an IT systems and software specialist and should have been fully aware of its security obligations.

Why the GDPR Fine Was €1.7 Million

In setting the amount of the GDPR fine, the CNIL considered several factors. These included Nexpublica’s financial capacity, the number of people potentially affected, and the sensitive nature of the data processed through PCRM. The regulator also took into account that the security issues were known internally before the breach and were only addressed afterward. While Nexpublica has since implemented corrective measures, the CNIL said this did not outweigh the severity of the earlier failings. As the necessary fixes have now been applied, the CNIL did not issue a separate compliance order. However, the GDPR fine serves as a clear warning to software providers handling sensitive public-sector data: known security weaknesses must be addressed before, not after, a breach occurs.

Asahi Group Cyberattack: Data of 2 Million Customers and Employees Potentially Exposed

27 November 2025 at 00:19

Japanese beverage giant Asahi Group Holdings has confirmed new findings in its ongoing investigation into the Asahi Group cyberattack, revealing that personal information linked to around 2 million customers, employees, and external contacts may have been exposed. The update follows a detailed forensic review of the system disruption that struck its domestic servers on September 29. President and Group CEO Atsushi Katsuki addressed the media in Tokyo, offering an apology while outlining the company’s path toward full recovery. Katsuki said Asahi expects to resume automated orders and shipments by December, with full logistics normalization anticipated by February.

Asahi Group Cyberattack Investigation Reveals Scale of Data Exposure

According to the company, the Asahi Group cyberattack involved ransomware, which encrypted files across multiple servers and some company-issued PCs. Asahi confirmed that while systems in Japan were affected, no impact has been identified on overseas operations. A hacker group known as Qilin has claimed responsibility on the dark web, stating it had stolen internal documents and employee data. Asahi, however, reported no evidence that personal data has been published online. Katsuki also clarified that no ransom payment was made. The attack previously forced Asahi to delay its January–September financial results, initially scheduled for November 12.

Timeline and Technical Findings

Asahi’s latest report outlines the internal timeline and technical assessment:
  • At 7:00 a.m. JST on September 29, systems began malfunctioning, and encrypted files were soon discovered.
  • By 11:00 a.m. JST, the company disconnected its network and isolated the data center to contain the attack.
  • Investigators later revealed the attacker gained entry via network equipment at a Group site, deploying ransomware simultaneously across multiple servers.
  • Forensic reviews confirmed potential exposure of data stored on both servers and employee PCs.
  • The impact remains limited to Japan-managed systems.
As part of regulatory requirements, Asahi submitted its final report to the Personal Information Protection Commission on November 26.

Details of Potentially Exposed Personal Information

As of November 27, the company has identified the following potentially affected groups and data types:
  • Customer Service Center contacts from Asahi Breweries, Asahi Soft Drinks, and Asahi Group Foods: name, gender, address, phone number, email address (1,525,000 individuals)
  • External contacts receiving congratulatory or condolence telegrams: name, address, phone number (114,000 individuals)
  • Employees and retirees: name, date of birth, gender, address, phone number, email address, other details (107,000 individuals)
  • Family members of employees/retirees: name, date of birth, gender (168,000 individuals)
Asahi confirmed that no credit card information was included in the exposed data sets. The company has set up a dedicated helpline (0120-235-923) for concerned individuals.

System Restoration and Strengthened Cybersecurity Measures

Following the Asahi Group cyberattack, the company spent two months containing the incident, restoring essential systems, and reinforcing security defences. These measures include:
  • A full forensic investigation by external cybersecurity experts
  • Integrity verification of affected systems and devices
  • Gradual restoration of systems confirmed to be secure
Preventive actions now underway include:
  • Redesigned network communication routes and stricter connection controls
  • Limiting internet-facing connections to secure zones
  • Upgraded security monitoring for improved threat detection
  • Revised backup strategies and refreshed business continuity plans
  • Enhanced security governance through employee training and external audits
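The report says the ransomware encrypted files across multiple servers at once and lists "upgraded security monitoring for improved threat detection" among the preventive actions, without describing any rule. As an added example (not Asahi's monitoring and not from the report), here is one detection a file-server audit feed supports: flag a host that renames many files to a single new extension within a short window, which is the burst pattern an encryptor produces and which ordinary users almost never do. The log format, hostnames and every sample line are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-server audit lines: a burst of renames to one new suffix on
# fs01, and ordinary rename activity on a workstation for contrast.
SAMPLE_LOG = """\
2025-01-10T02:14:01 host=fs01 user=svc_app op=rename src=/share/hr/a.docx dst=/share/hr/a.docx.zzz
2025-01-10T02:14:02 host=fs01 user=svc_app op=rename src=/share/hr/b.xlsx dst=/share/hr/b.xlsx.zzz
2025-01-10T02:14:02 host=fs01 user=svc_app op=rename src=/share/hr/c.pdf dst=/share/hr/c.pdf.zzz
2025-01-10T02:14:03 host=fs01 user=svc_app op=rename src=/share/fin/d.csv dst=/share/fin/d.csv.zzz
2025-01-10T02:14:04 host=fs01 user=svc_app op=rename src=/share/fin/e.csv dst=/share/fin/e.csv.zzz
2025-01-10T02:14:05 host=fs01 user=svc_app op=rename src=/share/fin/f.csv dst=/share/fin/f.csv.zzz
2025-01-10T09:30:00 host=ws12 user=alice op=rename src=/home/alice/draft.txt dst=/home/alice/final.txt
2025-01-10T09:31:00 host=ws12 user=alice op=rename src=/home/alice/x.log dst=/home/alice/x.log.bak
2025-01-10T14:00:00 host=ws12 user=alice op=rename src=/home/alice/y.log dst=/home/alice/y.log.bak
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def parse_line(line: str):
    """One audit line to a dict with a datetime, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def added_extension(src: str, dst: str):
    """The extension a rename introduced (e.g. 'bak' for x.log -> x.log.bak),
    or None when the file keeps its extension, as in an ordinary rename."""
    src_name = src.rsplit("/", 1)[-1]
    dst_name = dst.rsplit("/", 1)[-1]
    if "." not in dst_name:
        return None
    dst_ext = dst_name.rsplit(".", 1)[-1].lower()
    src_ext = src_name.rsplit(".", 1)[-1].lower() if "." in src_name else None
    return dst_ext if dst_ext != src_ext else None


def detect_bursts(log_text: str, threshold: int = 5, window_seconds: int = 60):
    """Return (host, extension, count) for every host that renamed at least
    `threshold` files to the same new extension inside any `window_seconds`
    span. Events are grouped per (host, extension) and scanned with a
    sliding window, so a slow trickle of legitimate .bak renames stays quiet."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["op"] != "rename":
            continue
        ext = added_extension(rec["src"], rec["dst"])
        if ext is not None:
            events[(rec["host"], ext)].append(rec["ts"])

    alerts = []
    for (host, ext), stamps in events.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((host, ext, best))
    return sorted(alerts)


if __name__ == "__main__":
    for host, ext, count in detect_bursts(SAMPLE_LOG):
        print(f"ALERT {host}: {count} files renamed to .{ext} within one window")
```

Threshold and window are the tuning knobs: set them from a baseline of the environment's normal rename rate, and pair the rule with an automated response (block the account or isolate the host) because, as the Asahi timeline shows, the useful reaction window is minutes, not the four hours that passed there between first symptoms and isolation.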
In his public statement, Katsuki said, “We apologize for any difficulties caused to our stakeholders by the recent system disruption. We are making every effort to restore systems quickly while strengthening information security across the Group.” He added that product shipments are being restored in phases as recovery progresses. With investigation findings now submitted to regulators and system restoration underway, the company aims to prevent any recurrence while reassuring customers and partners affected by the Asahi Group cyberattack.