Uma multa no tamanho da 250,000 euro foi imposta sobre o Centro Óptico, uma empresa francesa especializada na venda de olho e aparelhos auditivos. Pelo visto, a empresa não foi capaz de proteger os dados de seus clientes em seu site, and as a result CNIL (the French data protection authority) tem decided to penalize them.
O que aconteceu? The CNIL became aware of the significant data leak that affected the company’s site – www.optical-center.fr – in July last year. An online check was enough to reveal that it was very easy to access customers’ invoices simply by entering several URLs in the browser.
The invoices typically contained tons of personally identifiable information such as first and last name, endereço físico, número da Segurança Social. Em cima disso, it also contained health details such as ophthalmic correction.
The company admitted that the website didn’t adequately authenticate that customers are connected to the personal customer area prior to disclosing their invoices. This way it was very easy for anyone to access the invoices of other customers – something that could have been exploited in many scenarios.
Not the First Time Optical Center Gets Fined, Either
Optical Center quickly resolved the issue that was leaking customer data. Contudo, it failed to comply with article 34 of the French Data Protection Act. além disso, this is not the first time the company failed to address the privacy standards. Anteriormente it was fined 50,000 euros in 2015 for another security breach.
o 250,000 euro fine is the highest financial penalty ever imposed in France for a similar issue. Contudo, it should be noted that this happened before the GDPR went into effect. With the GDPR, such fines can be much bigger – up to 4% of an organization’s annual turnover or 20 million euros.
Como já escreveu, sob GDPR, organizations must implement data protection principles, bem como medidas técnicas e organizacionais, com o único propósito de proteger a privacidade dos usuários e os direitos dos usuários à privacidade. As organizações sujeitas às regulamentações futuras devem invocar proteções de privacidade abrangentes, entretanto, certificando-se de que os sistemas e procedimentos cumprem estritamente as necessidades de segurança de dados.