250,000 Euros Fine for French Company that Exposed Customer Data

A fine in the size of 250,000 euro has been imposed on Optical Center, a French company specialized in selling eye and hearing aids. Apparently, the company has failed to secure the data of its customers on its website, and as a result CNIL (the French data protection authority) has decided to penalize them.

What happened? The CNIL became aware of the significant data leak that affected the company’s site – www.optical-center.fr – in July last year. An online check was enough to reveal that it was very easy to access customers’ invoices simply by entering several URLs in the browser.

The invoices typically contained tons of personally identifiable information such as first and last name, physical address, social security number. On top of that, it also contained health details such as ophthalmic correction.

The company admitted that the website didn’t adequately authenticate that customers are connected to the personal customer area prior to disclosing their invoices. This way it was very easy for anyone to access the invoices of other customers – something that could have been exploited in many scenarios.

Not the First Time Optical Center Gets Fined, Either

Optical Center quickly resolved the issue that was leaking customer data. However, it failed to comply with article 34 of the French Data Protection Act. Furthermore, this is not the first time the company failed to address the privacy standards. Previously it was fined 50,000 euros in 2015 for another security breach.

The 250,000 euro fine is the highest financial penalty ever imposed in France for a similar issue. However, it should be noted that this happened before the GDPR went into effect. With the GDPR, such fines can be much bigger – up to 4% of (Read more...)

*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum authored by Milena Dimitrova. Read the original post at: https://sensorstechforum.com/250000-euros-fine-optical-center-breach/