France’s data protection authority, the CNIL, has imposed a €1.7 million GDPR fine on software company NEXPUBLICA FRANCE for failing to implement adequate cybersecurity measures. The penalty was announced on 22 December 2025 following an investigation into a data breach linked to the company’s PCRM software, widely used in the social services sector. The regulator said the GDPR fine reflects serious shortcomings in how the company protected sensitive personal data, despite being aware of long-standing security weaknesses before the breach occurred.

Data Breach Exposed Third-Party Documents

The case dates back to November 2022, when users of a Nexpublica online portal reported that they could access documents belonging to other individuals. These documents included personal files that should have been strictly restricted, raising immediate concerns about data security and access controls. Customers of NEXPUBLICA notified the CNIL after discovering that users could view third-party information through the portal. Given the nature of the data involved, the incident posed a high risk to individuals’ privacy and rights, prompting a formal investigation by the regulator.

PCRM Software Used in Sensitive Social Services

NEXPUBLICA FRANCE, formerly known as INETUM SOFTWARE FRANCE, specializes in designing IT systems and software. One of its core products, PCRM, is a user relationship management tool used in social action services. It is notably deployed by Departmental Houses for the Disabled (MDPH) in several French departments. Because PCRM processes highly sensitive personal data, including information that can reveal a person’s disability, the CNIL stressed that a high level of security was required. The GDPR fine reflects the sensitivity of the data exposed and the potential harm caused to affected individuals.

CNIL Finds Serious Security Failures

Following its investigation, the CNIL concluded that the technical and organisational measures implemented to secure PCRM were insufficient. The regulator identified a general weakness in Nexpublica’s information system, along with structural vulnerabilities that had been allowed to persist over time. According to the CNIL, many of these vulnerabilities stemmed from a lack of knowledge of basic cybersecurity principles and current best practices. Several security flaws had already been identified in internal and external audit reports prior to the breach. Despite this, the company failed to correct the issues until after the data breaches were reported. This delay played a key role in the decision to impose the GDPR fine.

Violation of Article 32 of the GDPR

The CNIL ruled that Nexpublica violated Article 32 of the GDPR, which requires organisations to implement security measures appropriate to the level of risk. This includes considering the state of the art, implementation costs, and the risks posed to individuals’ rights and freedoms. The restricted committee, the CNIL body responsible for sanctions, found that Nexpublica did not meet these requirements. The situation was considered more serious because the company operates as an IT systems and software specialist and should have been fully aware of its security obligations.

Why the GDPR Fine Was €1.7 Million

In setting the amount of the GDPR fine, the CNIL considered several factors. These included Nexpublica’s financial capacity, the number of people potentially affected, and the sensitive nature of the data processed through PCRM. The regulator also took into account that the security issues were known internally before the breach and were only addressed afterward. While Nexpublica has since implemented corrective measures, the CNIL said this did not outweigh the severity of the earlier failings. As the necessary fixes have now been applied, the CNIL did not issue a separate compliance order. However, the GDPR fine serves as a clear warning to software providers handling sensitive public-sector data: known security weaknesses must be addressed before, not after, a breach occurs.

FTC action takes center stage as the U.S. Federal Trade Commission has announced strong enforcement steps against education technology (Edtech) provider Illuminate Education, following a major data breach that exposed the personal information of more than 10 million students across the United States. The agency said the company failed to implement reasonable security measures despite promising schools and parents that student information was protected.

Why the Agency Intervened

FTC complaint outlines a series of allegations against the Wisconsin-based company, which provides cloud-based software tools for schools. According to the complaint, Illuminate Education claimed it used industry-standard practices to safeguard student information but failed to put in place basic security controls. The Illuminate Education data breach incident dates back to December 2021 when a hacker accessed the company’s cloud databases using login credentials belonging to a former employee who had left the company more than three years earlier. This lapse allowed unauthorized access to data belonging to 10.1 million students, including email addresses, home addresses, dates of birth, academic records, and sensitive health information. FTC officials said the company ignored warnings as early as January 2020, when a third-party vendor alerted them to several vulnerabilities in their systems. The data security failures included weak access controls, gaps in threat detection, and a lack of proper vulnerability monitoring and patch management. The agency also noted that student data was stored in plain text until at least January 2022, increasing the severity of the breach.

FTC Action: Requirements Under the Proposed Order

As part of the proposed settlement, the FTC will require Illuminate Education to adopt a comprehensive information security program and follow stricter privacy obligations. The proposed FTC order includes several mandatory steps:

• Deleting any personal information that is no longer required for service delivery.
• Following a transparent, publicly available data retention schedule that explains why data is collected and when it will be deleted.
• Implementing a detailed information security program to protect the confidentiality and integrity of personal information.
• Notifying the FTC when the company reports a data breach to any federal, state, or local authority.

The order also prohibits the company from misrepresenting its data security practices or delaying breach notifications to school districts and families. The FTC said Illuminate had waited nearly two years before informing some districts about the breach, impacting more than 380,000 students. The Commission has voted unanimously to advance the complaint and proposed order for public comment. It will be published in the Federal Register, where stakeholders can share feedback for 30 days before the FTC decides whether to finalize the consent order.

FTC Action and State-Level Enforcement

Alongside the federal enforcement, the state data breach settlement adds another layer of accountability. Attorneys General from California, Connecticut, and New York recently announced a $5.1 million settlement with Illuminate Education for failing to adequately protect student data during the same 2021 cyber incident. California will receive $3.25 million in civil penalties, and the settlement includes strict requirements designed to improve the company’s cybersecurity safeguards. With more than 434,000 California students affected, this marks one of the largest enforcement actions under the California K-12 Pupil Online Personal Information Protection Act (KOPIPA). State officials emphasized that educational technology companies must prioritize the security of children’s data, which often includes highly sensitive information like medical details and learning records.