Story image

Optics firm hit with biggest data breach fine in French history

13 Jun 2018

France Commission Nationale de l'Informatique et des Libertés (CNIL) has fined a French optics firm €250,000 for failing to protect 334,000 customers’ data – the biggest fine ever dealt to a French company.

In July 2017 Optical Center’s website had a major security hole that allowed the CNIL to access hundreds of customer invoices by typing a selection of URLs straight into a browser’s address bar – and without authorisation.

CNIL was able to access customer information including names, addresses, dates of birth, health data regarding ophthalmic correction, and in some cases, NIR numbers.

“The delegation also noted that it was possible, from the optical-center.fr domain and without prior authentication to the customer area, to export in CSV format, a sample of 2085 files,” according to documents filed onThe Journal officiel de la République française.

But that wasn’t all – on subsequent inspections, CNIL found that invoices and order forms corresponding to website orders were freely available.

By August 9 2017, Optical Center had fixed the security holes.

CNIL declared that Optical Center had breach Article 34 of Informatique et Libertés and fined the firm accordingly.

The Optical Center argued that the fine was disproportionate, according to the document on The Journal officiel de la République française.

“It recalls that it did not derive any benefit from the infringement, which is in any event of relative gravity and of limited character. The company states that the breach was unintentional and that no damage appears to have been suffered by the persons concerned. In that regard, it states that it was not possible to access the customer area or to modify the invoices of the persons concerned and, secondly, to find no trace of exploitation of said data, which have also not been indexed by the search engines.”

“The company recalls that it was extremely responsive by immediately informing its provider of the data breach, which promptly proceeded to the establishment of a fix. It also recalls having cooperated with the CNIL throughout the procedure.”

This is not the first time Optical Center has been breached – in 2015 the company was fined €50,000.

Web security company High-Tech Bridge CEO Ilia Kolochenko says it’s a sad case but also good news and a strong message that firms cannot ignore cybersecurity.

"Many European medium-sized companies substantially underestimate the importance of data protection, let alone their application and website security. The world, however, changes, and so must their attitude too.” 

"I think GDPR would likely impose a less severe punishment for a first incident (since GDPR enforcement). However, for repetitive ignorance and ensued data breaches, GDPR has much more freedom to impose harsh financial penalties. One should also keep in mind that victims can make civil claims for damages suffered as a result of the breach, skyrocketing the total cost of incident.”

The CNIL says that in light of the leak, internet users need to be aware of risks to their online data, which is why it made the decision public.

Oracle updates enterprise blockchain platform
Oracle’s enterprise blockchain has been updated to include more capabilities to enhance development, integration, and deployment of customers’ new blockchain applications.
Used device market held back by lack of data security regulations
Mobile device users are sceptical about trading in their old device because they are concerned that data on those devices may be accessed or compromised after they hand it over.
Gartner names ExtraHop leader in network performance monitoring
ExtraHop provides enterprise cyber analytics that deliver security and performance from the inside out.
Symantec acquires zero trust innovator Luminate Security
Luminate’s Secure Access Cloud is supposedly natively constructed for a cloud-oriented, perimeter-less world.
Palo Alto releases new, feature-rich firewall
Palo Alto is calling it the ‘fastest-ever next-generation firewall’ with integrated cloud-based DNS Security service to stop attacks.
Facebook fights fake news ahead of Africa elections
“We also show related articles from fact-checkers for more context and notify users if a story they have shared is rated as false.”
The right to be forgotten online could soon be forgotten
Despite bolstering free speech and access to information, the internet can be a double-edged sword, because that access to information goes both ways.
Opinion: 4 Ransomware trends to watch in 2019
Recorded Future's Allan Liska looks at the past big ransomware attacks thus far to predict what's coming this year.