Optics firm hit with biggest data breach fine in French history

13 Jun 2018

France's Commission Nationale de l'Informatique et des Libertés (CNIL) has fined a French optics firm €250,000 for failing to protect 334,000 customers’ data – the biggest fine ever imposed on a French company.

In July 2017, Optical Center’s website had a major security hole: CNIL inspectors were able to access hundreds of customer invoices simply by typing a selection of URLs straight into a browser’s address bar – without any authorisation.

CNIL was able to access customer information including names, addresses, dates of birth, health data regarding ophthalmic correction and, in some cases, NIR numbers (French social security numbers).

“The delegation also noted that it was possible, from the optical-center.fr domain and without prior authentication to the customer area, to export in CSV format a sample of 2085 files,” according to documents published in the Journal officiel de la République française.

But that wasn’t all – on subsequent inspections, CNIL found that invoices and order forms corresponding to website orders were freely available.
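The flaw described above is an authorisation failure: the URL alone decided which invoice was returned, and nothing checked who was asking. The following is an added illustration, not code from the article or from Optical Center, showing a minimal invoice endpoint in that shape next to a hardened version that requires an authenticated session and an ownership check; all data, ids and session tokens are constructed.

```python
import csv
import io
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    customer_id: int
    body: str

# Constructed sample data standing in for the invoice store.
INVOICES = {
    1001: Invoice(1001, 7, "glasses; -1.25 dioptre correction"),
    1002: Invoice(1002, 9, "contact lenses"),
}
# Constructed session store: session token -> authenticated customer id.
SESSIONS = {"tok-alice": 7, "tok-bob": 9}

def _invoice_id_from_path(url_path: str) -> Optional[int]:
    """Parses /invoice/<id>; returns None for anything that is not a number."""
    tail = url_path.rsplit("/", 1)[-1]
    return int(tail) if tail.isdigit() else None

def get_invoice_vulnerable(url_path: str) -> Optional[Invoice]:
    """The flawed shape: anyone who guesses a URL gets the invoice behind it."""
    invoice_id = _invoice_id_from_path(url_path)
    return INVOICES.get(invoice_id) if invoice_id is not None else None

def get_invoice_hardened(url_path: str, session_token: Optional[str]) -> Optional[Invoice]:
    """Requires a valid customer-area session and returns the invoice only to its owner.
    'Not found' and 'not yours' give the same answer, so ids cannot be enumerated."""
    customer_id = SESSIONS.get(session_token or "")
    if customer_id is None:
        return None  # not authenticated to the customer area
    invoice_id = _invoice_id_from_path(url_path)
    invoice = INVOICES.get(invoice_id) if invoice_id is not None else None
    if invoice is None or invoice.customer_id != customer_id:
        return None  # missing, or belongs to another customer
    return invoice

def export_csv_hardened(session_token: Optional[str]) -> str:
    """CSV export scoped to the authenticated customer's own invoices; empty if not logged in."""
    customer_id = SESSIONS.get(session_token or "")
    if customer_id is None:
        return ""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["invoice_id", "body"])
    for inv in INVOICES.values():
        if inv.customer_id == customer_id:
            writer.writerow([inv.invoice_id, inv.body])
    return buf.getvalue()
```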

By 9 August 2017, Optical Center had fixed the security holes.

CNIL declared that Optical Center had breached Article 34 of the Informatique et Libertés law and fined the firm accordingly.

Optical Center argued that the fine was disproportionate, according to the document published in the Journal officiel de la République française.

“It recalls that it did not derive any benefit from the infringement, which is in any event of relative gravity and of limited character. The company states that the breach was unintentional and that no damage appears to have been suffered by the persons concerned. In that regard, it states that it was not possible to access the customer area or to modify the invoices of the persons concerned and, secondly, that it found no trace of exploitation of said data, which have also not been indexed by the search engines.”

“The company recalls that it was extremely responsive by immediately informing its provider of the data breach, which promptly proceeded to the establishment of a fix. It also recalls having cooperated with the CNIL throughout the procedure.”

This is not the first time Optical Center has been breached – in 2015 the company was fined €50,000.

Ilia Kolochenko, CEO of web security company High-Tech Bridge, says it’s a sad case but also good news, and a strong message that firms cannot ignore cybersecurity.

“Many European medium-sized companies substantially underestimate the importance of data protection, let alone their application and website security. The world, however, changes, and so must their attitude too.”

“I think GDPR would likely impose a less severe punishment for a first incident (since GDPR enforcement). However, for repetitive ignorance and ensuing data breaches, GDPR has much more freedom to impose harsh financial penalties. One should also keep in mind that victims can make civil claims for damages suffered as a result of the breach, skyrocketing the total cost of the incident.”

The CNIL says that in light of the leak, internet users need to be aware of risks to their online data, which is why it made the decision public.
