Breach in French labor history database impacts up to 43 million people for past 20 years, showing what a great idea huge centralised databases are

A French government department – responsible for registering and assisting unemployed people – is the latest victim of a mega data breach that compromised the information of up to 43 million citizens.

France Travail announced on Wednesday that it informed the country’s data protection watchdog (CNIL) of an incident that exposed a swathe of personal information about individuals dating back 20 years.

The department’s statement reveals that names, dates of birth, social security numbers, France Travail identifiers, email addresses, postal addresses, and phone numbers were exposed.

[…]

It’s not clear whether the database’s entire contents were stolen by attackers, but the announcement suggests that at least some of the data was extracted.

“The database allegedly extracted illicitly contains the personal identification data of people currently registered, people previously registered over the last 20 years as well as people not registered on the list of job seekers but having a candidate space on francetravail.fr,” the statement reads, which was translated electronically from French.

“It is therefore potentially the personal data of 43 million people which have been exfiltrated.”

The Cybercrime Brigade of the Paris Judicial Police Department is heading up the investigation into the breach, which it says was carried out between February 6 and March 5.

[…]

“It’s not clear how the attack happened apart from reports that the attackers posed as members of Cap Emploi. This could indicate some kind of social engineering over a more technical attack, or likely the two together.”

Cap Emploi is a similar department that looks after disabled people looking for work.

France Travail will soon undertake the mammoth task of directly informing those affected by email or by other means, and has apologized for the incident.

[…]

This data breach is a real stinker for France Travail, which seems to be unable to catch a break. In August last year, it was caught up in an incident at a service provider that also compromised the data of an estimated 10 million French citizens.

Wider reporting at the time pinned the blame for the attacks on Cl0p’s supply chain assault of MOVEit MFT.

It’s been a tough month for France in terms of cybersecurity and data protection too. Just a month ago, the country was contending with what was called the largest-ever data breach.

Data breaches at Viamedis and Almerys, two third-party payment providers for healthcare and insurance companies, led to more than 33 million people’s data being compromised.

Yann Padova, a data protection lawyer and former secretary general at the CNIL, told Franceinfo at the time that he believed the incident to be the largest of its kind in France.

[…]

Source: Record mega breach in France impacts up to 43 million people • The Register

Robin Edgar
