Personal data breaches, and computer hacking in particular, surged in France in 2021: an increase of nearly 80% compared to 2020, according to the report released this Wednesday by the CNIL, the National Commission for Computing and Freedoms.
SMEs and the health sector
The commission recorded 5,037 personal data breach notifications in 2021, compared to 2,821 in 2020. Nearly 60% of them were computer hacks, whose first victims are small and medium-sized businesses, and even small businesses. “Less armed than large companies in the face of this threat, they are prime targets for malicious actors”, notes the commission. Indeed, in three out of five cases, malicious acts are involved. The science and health sectors are increasingly targeted, with respective increases of 191% and 195% in referrals in one year.
“The health sector is a sector that is still relatively immature in terms of cyber-security. Today, in a hospital, when we have money, we will favor the purchase of a new scanner rather than investing in cyber security”, Bertrand Pailhès, the CNIL's director of technologies and innovation, told franceinfo.
Among these hacks, “the most widespread attack remains the ransomware attack”, according to the CNIL. These are, for example, malicious programs that prevent victims from accessing their data and demand a ransom, or even blackmail them with the threat of disclosing personal data.
Security measures often insufficient
To encourage organizations to comply, the CNIL issued 18 sanctions in 2021, for a record cumulative total of more than 214 million euros in fines.
Half of these penalties relate to “a breach in connection with the security of personal data”, which proves that “the security measures taken by organizations often remain insufficient”, the Commission says.
The CNIL also issued two public sanctions against the Ministry of the Interior. The first came in January 2021, after law enforcement had used drones to ensure compliance with the rules of the first lockdown. The Commission ordered the ministry to stop using drones without a legal framework, and in January 2022 a law was finally enacted to regulate this practice.
Then, in September 2021, the Ministry of the Interior was reprimanded by the CNIL because the Faed, the automated fingerprint file, kept information for too long and contained records on people who had been released, acquitted or had their case dismissed.