A fine in the size of 250,000 euro has been imposed on Optical Center, a French company specialized in selling eye and hearing aids. Apparently, the company has failed to secure the data of its customers on its website, and as a result CNIL (the French data protection authority) has decided to penalize them.
What happened? The CNIL became aware of the significant data leak that affected the company’s site – www.optical-center.fr – in July last year. An online check was enough to reveal that it was very easy to access customers’ invoices simply by entering several URLs in the browser.
The invoices typically contained tons of personally identifiable information such as first and last name, physical address, social security number. On top of that, it also contained health details such as ophthalmic correction.
The company admitted that the website didn’t adequately authenticate that customers are connected to the personal customer area prior to disclosing their invoices. This way it was very easy for anyone to access the invoices of other customers – something that could have been exploited in many scenarios.
Not the First Time Optical Center Gets Fined, Either
Optical Center quickly resolved the issue that was leaking customer data. However, it failed to comply with article 34 of the French Data Protection Act. Furthermore, this is not the first time the company failed to address the privacy standards. Previously it was fined 50,000 euros in 2015 for another security breach.
The 250,000 euro fine is the highest financial penalty ever imposed in France for a similar issue. However, it should be noted that this happened before the GDPR went into effect. With the GDPR, such fines can be much bigger – up to 4% of an organization’s annual turnover or 20 million euros.
As we already wrote, under GDPR, organizations must implement data protection principles, as well as technical and organizational measures, with the sole purpose to protect users’ privacy and users’ rights to privacy. Organizations subjected to the upcoming regulations must invoke comprehensive privacy protections, meanwhile making sure systems and procedures strictly abide the needs of data security.