Record Breach of French Government Exposes Up To 43 Million People's Data

France Travail, the government agency responsible for assisting the unemployed, has fallen victim to a massive data breach exposing the personal information of up to 43 million French citizens dating back two decades, the department announced on Wednesday. The incident, which has been reported to the country's data protection watchdog (CNIL), is the latest in a series of high-profile cyber attacks targeting French government institutions and underscores the growing threat to citizens' private data. From a report: The department's statement reveals that names, dates of birth, social security numbers, France Travail identifiers, email addresses, postal addresses, and phone numbers were exposed. Passwords and banking details aren't affected, at least. That said, CNIL warned that the data stolen during this incident could be linked to stolen data in other breaches and used to build larger banks of information on any given individual. It's not clear whether the database's entire contents were stolen by attackers, but the announcement suggests that at least some of the data was extracted.

Frontpage has no login

[sinij]

Is it good idea to remove login link from the front page?

It should be obvious by now

[RitchCraft]

It should be obvious by now that connecting government systems to the Internet that contain personal citizen data has failed (same with financial and medical systems as well). You will NEVER secure that data no matter what you do. I know, removing those systems from the Internet would be a HUGE undertaking but what else to do? Governments need to invest in a private network that is completely air-gapped from the world wide Internet. Again HUGE undertaking and expense. It was stupid to connect these systems

SSN

[Voice of satan]

For your information: In France, social security numbers cannot be used as a means of identification as far as i know. They have ID cards for that.

Re:

[ZiggyZiggyZig]

Well... Yes, they can be used. If you check on the login page of France Connect, there is (or was, it's greyed out now) a way to connect via Ameli.fr, and on that one the identifier is the Social Security Number (SSN).

There is a legislation that forbids companies and organizations to use the SSN as an identifier in a database, but of course the government itself is exempt from its own rules (which says a lot about the political situation in the country, but that's another story).

Re:

[ZiggyZiggyZig]

(sorry, forgot some context: Ameli.fr is the website of the French Social Security administration.)

Re:

[Njovich]

They named a government service after a movie?

Re:

[dargaud]

I recall it's some kind of abbreviation, but I don't care enough to check for what.

Not French

[Teun]

Thank God I'm not French...
(Waiting for a similar breach in my place)

Re:

[manu0601]

The population of france is about 66 million so about 66% of the populations data...

Remove 20-25% of young people that are studying, and you get an idea of how many french people experienced unemployment (you do not sign up at France Travail if you do not look for a job). This is huge.

Also, it goes back many decades. That asks about GDPR compliance

Sue them!

[Tony Isaac]

I mean, that's what you do when a company gets breached, right?