CNIL, the French data protection authority, has decided to impose a 250,000 euro fine on Optical Center, a French company selling eye and hearing aids, because it failed to secure the data of customers who ordered products via its website.
The CNIL was first informed of a “significant data leak” affecting the company’s site (www.optical-center.fr) in July 2017.
After an online check, CNIL discovered that, by entering several URLs in a browser’s address bar, it was possible to access customers’ invoices, which contain personal data (first and last name, physical address, social security number) and health data (ophthalmic correction).
The company acknowledged that the website did not verify that customers were logged in to their personal “customer area” before displaying their invoices, making it simple for anyone to access other clients’ invoices.
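The defect described above is a missing authorization check: the URL alone selected the invoice, and nothing confirmed that the requester was logged in or owned the document. The following is an added example, not code from Optical Center or CNIL, showing the flawed handler beside a hardened one. The invoice store, the `Session` object and the customer identifiers are constructed sample data; the hardened handler answers a foreign or unknown invoice with 404 so the response does not confirm that an identifier exists.

```python
"""Broken-access-control illustration: unchecked invoice lookup vs. ownership check.

Added example with constructed data; nothing here is taken from the company's site.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    customer_id: str
    body: str  # in the real case: name, address, social security number, correction


# Constructed sample store: two customers, one invoice each.
INVOICES: Dict[str, Invoice] = {
    "1001": Invoice("1001", "cust-A", "invoice for customer A"),
    "1002": Invoice("1002", "cust-B", "invoice for customer B"),
}


@dataclass(frozen=True)
class Session:
    """Hypothetical session object; customer_id is None for an anonymous visitor."""
    customer_id: Optional[str]


def serve_invoice_unchecked(invoice_id: str) -> Tuple[int, str]:
    """The flawed pattern: the identifier in the URL is the only input.

    There is no login check and no ownership check, so any well-formed
    identifier returns the corresponding document.
    """
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return 404, "not found"
    return 200, inv.body


def serve_invoice(session: Session, invoice_id: str) -> Tuple[int, str]:
    """Hardened pattern: authenticate, then authorize against the record owner.

    1. An anonymous visitor gets 401 before any lookup happens.
    2. The invoice is fetched and its customer_id compared to the session's.
    3. Unknown and foreign invoices both return 404, so an attacker probing
       identifiers learns nothing about which ones exist.
    """
    if session.customer_id is None:
        return 401, "authentication required"
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.customer_id != session.customer_id:
        return 404, "not found"
    return 200, inv.body


if __name__ == "__main__":
    # Anonymous request for someone else's invoice: the flaw vs. the fix.
    print(serve_invoice_unchecked("1002"))          # (200, 'invoice for customer B')
    print(serve_invoice(Session(None), "1002"))     # (401, 'authentication required')
    # Logged-in customer A asking for customer B's invoice.
    print(serve_invoice(Session("cust-A"), "1002"))  # (404, 'not found')
    # Customer A asking for their own invoice.
    print(serve_invoice(Session("cust-A"), "1001"))  # (200, 'invoice for customer A')
```

The ownership comparison belongs in the handler (or a shared authorization layer it must pass through), not in the template or the link generation: hiding links to other customers' invoices does nothing when the server still honours the identifier on request.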
Even though the company moved quickly to fix the leak, it fell afoul of article 34 of the French Data Protection Act, which allows a maximum fine of 3 million euros for non-compliance with the data protection rules.
CNIL says that keeping customer data confidential should be a priority for the company, especially because it already had to pay a 50,000 euro fine in 2015 due to a previous security breach.
The 250,000 euro fine is the highest ever imposed in France for a security breach, but all this happened before the General Data Protection Regulation (GDPR) became applicable. The GDPR allows even higher fines: up to 4% of the organization’s worldwide annual turnover or 20 million euros (whichever amount is greater).
CNIL also decided to go public with the decision because of “the particular sensitivity of the data that was made freely available, the number of clients impacted and the volume of documents contained in the company’s database at the time of the incident (more than 334,000).”