250,000 Euro Fine for French Company that Exposed Customer Data

250,000 Euros Fine for French Company that Exposed Customer Data

A fine in the size of 250,000 euro has been imposed on Optical Center, a French company specialized in selling eye and hearing aids. Apparently, the company has failed to secure the data of its customers on its website, and as a result CNIL (the French data protection authority) has decided to penalize them.

Related Story: MyHeritage DNA Service Exposes 92 Million Account Details

What happened? The CNIL became aware of the significant data leak that affected the company’s site – www.optical-center.fr – in July last year. An online check was enough to reveal that it was very easy to access customers’ invoices simply by entering several URLs in the browser.

The invoices typically contained tons of personally identifiable information such as first and last name, physical address, social security number. On top of that, it also contained health details such as ophthalmic correction.

The company admitted that the website didn’t adequately authenticate that customers are connected to the personal customer area prior to disclosing their invoices. This way it was very easy for anyone to access the invoices of other customers – something that could have been exploited in many scenarios.




Not the First Time Optical Center Gets Fined, Either

Optical Center quickly resolved the issue that was leaking customer data. However, it failed to comply with article 34 of the French Data Protection Act. Furthermore, this is not the first time the company failed to address the privacy standards. Previously it was fined 50,000 euros in 2015 for another security breach.

The 250,000 euro fine is the highest financial penalty ever imposed in France for a similar issue. However, it should be noted that this happened before the GDPR went into effect. With the GDPR, such fines can be much bigger – up to 4% of an organization’s annual turnover or 20 million euros.

Related Story: How Will GDPR Change Privacy in Europe and Globally?

As we already wrote, under GDPR, organizations must implement data protection principles, as well as technical and organizational measures, with the sole purpose to protect users’ privacy and users’ rights to privacy. Organizations subjected to the upcoming regulations must invoke comprehensive privacy protections, meanwhile making sure systems and procedures strictly abide the needs of data security.

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...