
Optics firm hit with biggest data breach fine in French history

13 Jun 2018

France's Commission Nationale de l'Informatique et des Libertés (CNIL) has fined a French optics firm €250,000 for failing to protect 334,000 customers’ data – the biggest fine ever dealt to a French company.

In July 2017 Optical Center’s website had a major security hole that allowed the CNIL to access hundreds of customer invoices, without any authorisation, simply by typing a selection of URLs straight into a browser’s address bar.

CNIL was able to access customer information including names, addresses, dates of birth, health data regarding ophthalmic correction, and in some cases, NIR numbers.

“The delegation also noted that it was possible, from the optical-center.fr domain and without prior authentication to the customer area, to export in CSV format a sample of 2085 files,” according to documents filed in the Journal officiel de la République française.

But that wasn’t all – on subsequent inspections, CNIL found that invoices and order forms corresponding to website orders were freely available.
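The two weaknesses the CNIL describes, invoice records served by direct URL with no authentication, and a CSV export not scoped to the logged-in customer, modelled as an added example beside the hardened form (this is not Optical Center's code; the handlers, the in-memory record store and the customer ids are hypothetical):

```python
from dataclasses import dataclass
from typing import Optional
import csv
import io

@dataclass
class Invoice:
    invoice_id: int
    customer_id: int
    total_eur: float
    health_note: str  # e.g. ophthalmic correction details (constructed sample)

# Constructed sample store: two customers, three invoices.
INVOICES = {
    1001: Invoice(1001, 7, 129.90, "left -1.25 / right -1.50"),
    1002: Invoice(1002, 7, 45.00, "none"),
    1003: Invoice(1003, 8, 310.00, "progressive lenses"),
}

def vulnerable_get_invoice(session_user_id: Optional[int], invoice_id: int):
    """Before: a request for /invoice/<id> is answered from the id alone.
    The session is never consulted, so anyone who guesses an id gets the record."""
    inv = INVOICES.get(invoice_id)
    return (200, inv) if inv else (404, None)

def hardened_get_invoice(session_user_id: Optional[int], invoice_id: int):
    """After: require a session, then check the record belongs to the caller.
    A foreign invoice yields 404, not 403, so the response does not confirm
    which ids exist and cannot be used to enumerate the invoice space."""
    if session_user_id is None:
        return (401, None)
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.customer_id != session_user_id:
        return (404, None)
    return (200, inv)

def hardened_export_csv(session_user_id: Optional[int]):
    """CSV export restricted to the authenticated customer's own rows;
    the filter is applied server-side, never taken from a request parameter."""
    if session_user_id is None:
        return (401, "")
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["invoice_id", "total_eur", "health_note"])
    for inv in INVOICES.values():
        if inv.customer_id == session_user_id:
            writer.writerow([inv.invoice_id, inv.total_eur, inv.health_note])
    return (200, buf.getvalue())
```

A useful regression check for this class of bug is exactly the unauthenticated request the CNIL made: fetch a known invoice id with no session and assert the status is 401, not 200.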

By August 9 2017, Optical Center had fixed the security holes.

CNIL declared that Optical Center had breached Article 34 of the Loi Informatique et Libertés and fined the firm accordingly.

Optical Center argued that the fine was disproportionate, according to the document in the Journal officiel de la République française.

“It recalls that it did not derive any benefit from the infringement, which is in any event of relative gravity and of limited character. The company states that the breach was unintentional and that no damage appears to have been suffered by the persons concerned. In that regard, it states that it was not possible to access the customer area or to modify the invoices of the persons concerned and, secondly, to find no trace of exploitation of said data, which have also not been indexed by the search engines.”

“The company recalls that it was extremely responsive by immediately informing its provider of the data breach, which promptly proceeded to the establishment of a fix. It also recalls having cooperated with the CNIL throughout the procedure.”

This is not the first time Optical Center has been breached – in 2015 the company was fined €50,000.

Web security company High-Tech Bridge CEO Ilia Kolochenko says it’s a sad case but also good news and a strong message that firms cannot ignore cybersecurity.

“Many European medium-sized companies substantially underestimate the importance of data protection, let alone their application and website security. The world, however, changes, and so must their attitude too.”

“I think GDPR would likely impose a less severe punishment for a first incident (since GDPR enforcement). However, for repetitive ignorance and ensued data breaches, GDPR has much more freedom to impose harsh financial penalties. One should also keep in mind that victims can make civil claims for damages suffered as a result of the breach, skyrocketing the total cost of incident.”

The CNIL says that in light of the leak, internet users need to be aware of risks to their online data, which is why it made the decision public.
