The French National Commission on Informatics and Liberty (Commission Nationale de l'informatique et des libertés or CNIL) has issued a record fine to an optical center after the company failed to secure the personal (and in some cases highly sensitive) data of its customers.
Optical Center, as the business is actually called, produces eyeglasses, contact lenses and sunglasses in addition to offering medical services. According to a notice by the CNIL, the firm failed to implement the access-control checks needed to keep one customer from viewing another customer's invoice.
The CNIL said customers could access more than 300,000 documents containing the personal and financial data of other customers on Optical Center's website simply by modifying the URL in the address bar: the site handed back whatever invoice was named in the URL without checking that the requester was entitled to it, the textbook insecure direct object reference (broken access control).
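The flaw described above, shown as an added example that is not Optical Center's code: a vulnerable invoice handler that trusts the identifier in the URL, beside a hardened one that authenticates the session and checks ownership of the object. The route, invoice numbers, customer identifiers and invoice records are constructed for the demonstration; the enumeration helper plays the role of a customer editing the number in the address bar.

```python
"""Insecure direct object reference (IDOR) on an invoice URL, and the
server-side ownership check that closes it.

Added example, not Optical Center's code: the route, identifiers and
invoice records below are constructed for this demonstration.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    customer_id: int
    name: str
    ophthalmic_correction: str  # health data, which is why the exposure rated "critical"


@dataclass(frozen=True)
class Response:
    status: int
    body: Optional[Invoice] = None


# Constructed sample database. Invoice numbers are sequential, so a customer
# can guess neighbouring ones by editing the number in the address bar.
INVOICES = {
    1001: Invoice(1001, customer_id=7, name="Customer A", ophthalmic_correction="-2.25 / -1.75"),
    1002: Invoice(1002, customer_id=8, name="Customer B", ophthalmic_correction="+1.00 / +0.50"),
}


def _invoice_id_from_url(url: str) -> Optional[int]:
    """Extract ?id=... from a URL such as /account/invoice?id=1001 (hypothetical route)."""
    params = parse_qs(urlparse(url).query)
    try:
        return int(params["id"][0])
    except (KeyError, IndexError, ValueError):
        return None


def vulnerable_invoice_view(url: str, session_customer_id: Optional[int]) -> Response:
    """Vulnerable handler: serves the invoice named in the URL and never asks
    whether the requesting session owns it, or is even logged in."""
    invoice = INVOICES.get(_invoice_id_from_url(url))
    if invoice is None:
        return Response(404)
    return Response(200, invoice)


def hardened_invoice_view(url: str, session_customer_id: Optional[int]) -> Response:
    """Hardened handler: the identifier in the URL is untrusted input; the
    server authenticates the session, then authorizes access to the object."""
    if session_customer_id is None:
        return Response(401)  # authentication first
    invoice = INVOICES.get(_invoice_id_from_url(url))
    # Ownership check. Answering 404 rather than 403 for another customer's
    # invoice also avoids confirming that the guessed number exists.
    if invoice is None or invoice.customer_id != session_customer_id:
        return Response(404)
    return Response(200, invoice)


def enumerate_leak(handler, session_customer_id: Optional[int], start: int = 1000, stop: int = 1010):
    """What a URL-tampering requester obtains: the ids of every invoice the
    handler returns that does not belong to the requester's own customer."""
    leaked = []
    for n in range(start, stop):
        resp = handler(f"/account/invoice?id={n}", session_customer_id)
        if resp.status == 200 and resp.body.customer_id != session_customer_id:
            leaked.append(resp.body.invoice_id)
    return leaked


if __name__ == "__main__":
    print("vulnerable, customer 7 enumerating:", enumerate_leak(vulnerable_invoice_view, 7))
    print("vulnerable, not logged in:", enumerate_leak(vulnerable_invoice_view, None))
    print("hardened, customer 7 enumerating:", enumerate_leak(hardened_invoice_view, 7))
```

Two points the example makes that the article does not spell out: the vulnerable handler leaks to an unauthenticated requester as readily as to a logged-in one, because it never consults the session at all; and making invoice numbers unguessable would only slow the enumeration, whereas the per-request ownership check in the hardened handler removes the exposure regardless of how the identifiers are generated.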
According to the notice, the invoices contained full names, postal addresses, health data (ophthalmic correction) and some social security numbers, leading CNIL to label the blunder as “critical.”
“Given the particular sensitivity of the data that was made freely available, the number of clients impacted and the volume of documents contained in the company's database at the time of the incident (more than 334,000), [CNIL] decided to make its decision public,” the commission wrote.
The firm was fined 250,000 euros, the biggest penalty of its kind in France, according to the commission. The CNIL also noted in its post that Optical Center had already been fined 50,000 euros in 2015 "due to a security defect."
Had Optical Center's lapse occurred under the EU's General Data Protection Regulation, the fine could have been far larger: up to 4% of the company's annual worldwide turnover or 20 million euros, whichever is higher.
According to some estimates, where a business leaks the personally identifiable information (PII) of its customers on this scale, the penalties the European Parliament has put in place can be large enough to bankrupt it overnight.