what we know about the theft of data of more than 33 million policyholders in France

Civil status, Social Security number and information on mutual insurance were stolen, the CNIL revealed on Wednesday. On the other hand, banking or medical information would not be part of the stolen data.

One in two French people affected. More than 33 million social security policyholders with third-party payment operators Viamedis and Almerys were affected by a hack at the end of January. The National Commission for Information Technology and Liberties (Cnil) announced on its website that it had opened an investigation on Wednesday February 7. The CNIL denounced a “large-scale” operation and was informed of this computer attack by the two targeted companies. These operators are responsible for managing third-party payment for complementary health insurance. Franceinfo summarizes what we know about this massive cyberattack.

A violation of exceptional magnitude

The attack took place via the theft of healthcare professionals’ identifiers and passwords. The alert was given on February 1 by Viamedis, which warned other companies specializing in third-party payment. It assured that it had disconnected its management platform after the discovery of the intrusion, which did not prevent policyholders from benefiting from third-party payment. Its general director, Christophe Candé, explained that it was not a ransomware attack (malware or virus that blocks access until money has been paid in return).

A few days later, Almerys announced that it had also detected an intrusion. It clarified that its central information system had not suffered an attack. Only sound “portal dedicated to healthcare professionals” was impacted and closed, the company said. The other major third-party payment platforms do not seem to have been affected, according to information collected by AFP from SP santé (subsidiary of Cegedim) and Actil (subsidiary of Apicil).

“The data concerned are, for policyholders and their families, marital status, date of birth and Social Security number, the name of the health insurer as well as the guarantees of the contract subscribed”writes the CNIL in its press release. “Data such as banking information, medical data, health reimbursements, postal details, telephone numbers or even emails would not be affected by the violation”completes the commission. “This is the first time that there has been a violation of this magnitude”, assured Thursday on franceinfo Yann Padova, lawyer specializing in digital data protection and former secretary general of the CNIL. According to him, it is “the biggest security breach in France”.

Difficult to know if an insured person is affected by the attack

In its press release, the CNIL specifies that it is not able to stipulate whether a person is concerned or not, Viamedis and Almerys were intermediary companies between health professionals and complementary health professionals. The authority called on complementary services using these two groups to inform “individually and directly” all their policyholders concerned, warning that she would ensure that this was done “as soon as possible”.

“Your first step should be to call your mutual or complementary insurance to find out if they were in contact with these two companies which were the subject of the security breach”, advises Yann Padova. He specifies that companies “have an obligation under European law to inform people”.

Data that can be used by hackers in the future

According to cybersecurity specialists interviewed by AFP, the exposed data does not have much value as such. “There should also be at least one email and a phone number.” so that they can mount attacks quickly, says Damien Bancal, observer of the black market for stolen data and host of the Zataz.com blog. Tamim Couvillers, analyst at the cybersecurity company Vade, however, warns that they “can quickly be cross-referenced with other files” and be used for future cyberattacks. Having the Social Security number of your target thus allows “to give credibility to a phishing email”he illustrates.

“The risk for people is quite significant, particularly scams, phishing for example, or identity theft.”

Yann Padova, former secretary general of the CNIL

at franceinfo

The former general secretary of the CNIL calls for proof “vigilance and precaution” when opening an email. “If you find that there is a curious email that has arrived to you that looks like it comes from your mutual insurance company, then call them” to check, he recommends. “It’s fresh data”, summarizes to AFP Gérôme Billois, cybersecurity specialist from the company Wavestone. Almerys and Viamedis have not published any information to understand whether the attacks were simply intended to steal data, or whether they could have other goals such as planting ransomware.

An investigation has been opened

Viamedis filed a complaint with the public prosecutor. “Given the scale of the violation”the CNIL will “conduct investigations very quickly” notably “to determine whether the security measures implemented prior to the incident and in response to it were appropriate with regard to the obligations of the General Data Protection Regulation”declared its president Marie-Laure Denis.