Optical Center, a French company that sells eyewear and hearing aids, is facing a €250,000 ($294,533.75) fine because it failed to secure the data of customers who ordered products through its website.
CNIL, the French data protection authority, was first informed of a “significant data leak” affecting the company’s site in July of last year.
After an online check, CNIL found that by entering several URLs into a browser’s address bar it was possible to access customers’ invoices, which contained personal data (first and last name, postal address, social security number) and health data (ophthalmic correction).
The company said the website did not verify that customers were logged in to their personal “customer area” before displaying their invoices, making it simple for anyone to access other clients’ invoices.
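The flaw described above is a missing access check on the invoice URL. The following is an added illustration, not Optical Center’s code: a minimal handler with the check missing, beside a hardened version that verifies the login session and, going one step beyond what the article reports, that the invoice actually belongs to the requesting customer. The invoice store, ids and helper names are constructed.

```python
"""Added example: an invoice endpoint without the access check, and a hardened one.
Sample data below is constructed; nothing here is taken from the real site."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int   # customer the invoice belongs to
    body: str       # constructed stand-in for the personal/health data


# Constructed store: two customers, one invoice each.
INVOICES = {
    1001: Invoice(1001, owner_id=1, body="invoice for customer 1"),
    1002: Invoice(1002, owner_id=2, body="invoice for customer 2"),
}


class AccessDenied(Exception):
    """Raised when a request is unauthenticated or not from the owner."""


def get_invoice_vulnerable(invoice_id: int, session_user: Optional[int]) -> Invoice:
    # Serves whatever id appears in the URL and never consults the session,
    # so any visitor who types a valid URL receives someone else's document.
    return INVOICES[invoice_id]


def get_invoice_hardened(invoice_id: int, session_user: Optional[int]) -> Invoice:
    # 1. Authentication: the caller must have a logged-in session.
    if session_user is None:
        raise AccessDenied("login required")
    # 2. Authorization: the invoice must belong to that user. Checking only
    #    the login would still let any customer read other customers' invoices.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != session_user:
        # Same response for "missing" and "not yours", so ids cannot be enumerated.
        raise AccessDenied("not found")
    return invoice


def can_read(handler, invoice_id: int, session_user: Optional[int]) -> bool:
    """True if the handler returns the invoice, False if it denies access."""
    try:
        handler(invoice_id, session_user)
        return True
    except (AccessDenied, KeyError):
        return False
```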
Even though the company moved quickly to fix the leak, it violated article 34 of the French Data Protection Act, which allows a maximum fine of €3 million for non-compliance with the data protection rules.
CNIL said keeping customer data confidential should be a priority for the company, especially because it already had to pay a €50,000 fine in 2015 due to a previous security breach.
The €250,000 fine is the highest ever imposed in France for a security breach. The incident occurred before the General Data Protection Regulation (GDPR) became applicable; under the GDPR, the fine could have been as high as 4 percent of the organization’s worldwide annual revenue or €20 million, whichever amount is greater.
Officials said the number of clients affected and the volume of documents in the company’s database at the time of the incident exceeded 334,000.