Optical Center, a French retailer of eyewear and hearing aids, has been fined €250,000 for a data breach that occurred before the General Data Protection Regulation (GDPR) came into force on 25 May 2018.
CNIL, the French data protection authority, imposed the penalty after the company failed to secure customer data on its corporate website. In July 2017 it was discovered that customers' invoices could be accessed with relative ease. The invoices contained personally identifiable information, including first and last name, postal address and social security number, as well as health data such as the customer's ophthalmic correction.
There was no authentication step requiring a customer to prove their identity before an invoice was served, a fact Optical Center admitted. Although the company fixed the flaw in its IT systems, CNIL found that it had not complied with Article 34 of the French Data Protection Act, which obliges a data controller to take appropriate measures to keep personal data secure.
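The flaw described above, an invoice endpoint that serves any invoice without checking who is asking, is shown here as an added example beside a hardened version. This is illustrative code written for this page, not code from the article or from Optical Center's systems; the URL layout `/invoices/<id>`, the sequential invoice ids, the customer ids and the session tokens are all constructed assumptions.

```python
"""Added example: an invoice-download handler with no identity check (the flaw the
article describes) next to a hardened handler that requires a valid session and
verifies that the invoice belongs to the requesting customer. All data below is
constructed sample data; the /invoices/<id> layout is an assumption."""

import hmac
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Constructed sample invoices. Sequential ids mean that, once no access check is
# enforced, every other customer's invoice is one guess away.
INVOICES = {
    1001: {"customer_id": "c-42", "name": "A. Dupont", "ssn": "1 85 ...", "correction": "-2.25 / -1.75"},
    1002: {"customer_id": "c-43", "name": "B. Martin", "ssn": "2 90 ...", "correction": "+1.00 / +0.50"},
    1003: {"customer_id": "c-42", "name": "A. Dupont", "ssn": "1 85 ...", "correction": "-2.50 / -1.75"},
}

# Constructed session store: session cookie value -> authenticated customer id.
SESSIONS = {"tok-c42-abc": "c-42", "tok-c43-def": "c-43"}

INVOICE_PATH = re.compile(r"^/invoices/(\d+)$")


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def handle_vulnerable(path: str) -> Response:
    """The flaw as described: any request for /invoices/<id> is answered with the
    invoice, with no check of who is asking."""
    match = INVOICE_PATH.match(path)
    if not match:
        return Response(404)
    invoice = INVOICES.get(int(match.group(1)))
    return Response(200, invoice) if invoice else Response(404)


def current_customer(cookie_token: Optional[str]) -> Optional[str]:
    """Resolve the session cookie to a customer id. The comparison is constant-time
    so that token lookup itself does not leak which prefixes are valid."""
    if not cookie_token:
        return None
    for token, customer_id in SESSIONS.items():
        if hmac.compare_digest(token, cookie_token):
            return customer_id
    return None


def handle_hardened(path: str, cookie_token: Optional[str]) -> Response:
    """Hardened handler: authenticate first, then enforce ownership server-side."""
    match = INVOICE_PATH.match(path)
    if not match:
        return Response(404)
    customer_id = current_customer(cookie_token)
    if customer_id is None:
        return Response(401)  # no valid session: refuse before touching the data
    invoice = INVOICES.get(int(match.group(1)))
    # A missing invoice and another customer's invoice both return 404, so the
    # endpoint does not confirm which ids exist to an authenticated attacker.
    if invoice is None or invoice["customer_id"] != customer_id:
        return Response(404)
    return Response(200, invoice)


def enumerate_invoices(handler: Callable[..., Response], ids: Iterable[int], *args) -> List[int]:
    """Walk a range of invoice ids and return those the handler hands back. Against
    the vulnerable handler this is the whole attack."""
    return [i for i in ids if handler(f"/invoices/{i}", *args).status == 200]


if __name__ == "__main__":
    print("vulnerable, no cookie:", enumerate_invoices(handle_vulnerable, range(1000, 1010)))
    print("hardened, no cookie:  ", enumerate_invoices(handle_hardened, range(1000, 1010), None))
    print("hardened, as c-42:    ", enumerate_invoices(handle_hardened, range(1000, 1010), "tok-c42-abc"))
```

The enumeration helper makes the difference concrete: against the vulnerable handler a loop over ids retrieves every invoice in the store, while against the hardened handler an unauthenticated client gets nothing and an authenticated customer gets only their own. Returning 404 rather than 403 for another customer's invoice is a deliberate choice so that the endpoint does not act as an oracle for which invoice numbers exist.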
The fine is the largest ever issued in France for a data protection breach. It is also the second sanction against Optical Center: in 2015 the company was fined €50,000 for a separate breach, and CNIL took that earlier sanction into account when setting the amount of the latest penalty.
CNIL chose to publish the decision, including details of the breach and the penalty, citing "the particular sensitivity of the data that was made freely available, the number of clients impacted and the volume of documents contained in the company's database at the time of the incident (more than 334,000)."
The penalty was imposed under the French Data Protection Act, which at the time capped fines at €3,000,000. Had the breach occurred under GDPR, the maximum fine could have been €20m or 4% of the company's annual turnover, whichever is higher.