Cyber Incident Victim: Alain Afflelou

Date: Nov 2025

Location: France

Summary

The optical retailer Alain Afflelou disclosed a cybersecurity incident resulting from a vulnerability in a third-party system that granted unauthorized access to its customer relationship management platform. Exposed data included names, birth dates, postal and email addresses, phone numbers, purchase history, quotes, the name of the customer's mutual insurance provider, last appointment date, associated brand, and parental status, while banking details, social security numbers, vision or hearing correction data, and passwords were not compromised. The company stated it has implemented remedial actions, has no evidence of fraudulent use so far, and that an investigation is underway with a notification filed to the French data protection authority; the number of affected customers has not been disclosed.

Description

Alain Afflelou announced that it had experienced a cybersecurity incident in an email sent to its customers, which was later obtained by the tech news outlet Tech&Co. The company stated that the incident resulted from a vulnerability in the system used by one of its service providers, allowing unauthorized access to its customer relationship management platform. Through this breach, attackers accessed personal data including names, first names, dates of birth, postal addresses, email addresses, and telephone numbers. Additionally, commercial information such as recent purchases, quotes, the name of the customer’s mutual insurance provider, the date of the last appointment, the optical brand to which the customer is attached, and details about parental status were exposed. Alain Afflelou emphasized that no banking data, social security numbers, visual correction details, hearing-related information, or passwords were contained in the compromised dataset. The total number of customers affected by the leak has not been disclosed.

In its communication, the company said it had taken the necessary measures to prevent a recurrence and, to date, had no evidence of fraudulent use of the exposed data. An investigation into the incident is underway, and Alain Afflelou has filed a report with the French data protection authority, the CNIL. The firm also noted that it has been active in the teleconsultation sector since 2022, although the announcement did not link this activity to the breach. When approached for comment by Tech&Co, Alain Afflelou had not yet provided a response.
