Record breach of French government exposes up to 43 million people's data

A French government department - responsible for registering and assisting unemployed people - is the latest victim of a mega data breach that compromised the information of up to 43 million citizens. France Travail announced on Wednesday that it informed the country's data protection watchdog (CNIL) of an incident that …

  1. Mike 137 Silver badge

    Not again ...

    Adversaries masquerading as another government department is an interesting departure, but (as usual) what we haven't been told is what the primary vector was -- e.g. how did they get into the position to be able to masquerade?

    I'm becoming convinced that most of these massive breaches are actually pretty trivial to initiate, which reflects badly on the general infosec stance of the victims. We urgently need to beef up our pre-emptive defences, as opposed to continuing in the reactive mode in which infosec still largely seems to be stuck.

    1. Anonymous Coward

      Re: Not again ...

      That's the idea behind NIS2 and DORA, but (a) that has been clearly more focused on being so complex you need to sponsor a herd of the usual consultants to get anywhere near implementing it and (b) governments have a tendency to consider themselves exempt from both their own legislation and, well, sanity.

    2. MrGreen

      Re: Not again ...

      If you were to visit some of these departments and heard how lax their attitude toward cyber threats was, your jaw would be on the floor.

    3. ThatOne Silver badge
      Facepalm

      Re: Not again ...

      > how did they get into the position to be able to masquerade?

      Well, I guess they simply said they were from that other department. Obviously you'd trust them, because if they weren't actually from that other department, they wouldn't say so, isn't it. *shrug*

  2. Anonymous Coward

    Any public cloud is safer

    Because any public cloud already has all the data and more. For example people send emails with personal details and never delete them.

    Shared implementation of such PII-access over a few big cloud providers would be a much safer solution. The access should be logged and mostly ingress-only, with semi-cold storage, and protection against bulk-downloads.

    Why is big cloud safer? Because it has concentrated the best cyber-security experts from all over the World. And no, they are not purely American. Take any Big One, and you will see any country represented.

    Some EU countries never appear in the top-hacked list. Maybe good implementations already exist.

    1. Mike 137 Silver badge

      Re: Any public cloud is safer

      "Why is big cloud safer? Because it has concentrated the best cyber-security experts from all over the World"

      But if, as frequently happens, the adversary penetrates your cloud instance via your own endpoints, none of that ostensible super-security of the cloud means diddly. This is a seriously common error -- to assume that because the provider's infrastructure is well protected against attacks on that infrastructure (and it usually is), your security can rely on that as your 'security'. If someone successfully masquerades as one of your employees, they can do whatever that employee is allowed to do with your data (and in fact, probably more in most cases).

      1. Anonymous Coward

        > they can do whatever that employee is allowed to

        No employee should be able to, except accessing a single person's PII at the time of providing a service. The access should be logged and the data owner (client, person) should get an immediate SMS saying who accessed his data and which data specifically. Maybe even require access to be granted for this specific operation through an app or by replying to the SMS with "OK".

    2. Anonymous Coward

      Re: Any public cloud is safer

      Some EU countries never appear in the top-hacked list. Maybe good implementations already exist.

      Some countries just regard privacy as more important than others.

      Working in France years ago I received a letter from HR, addressed to me (at work) and clearly labelled Personal and Confidential. Since I wasn't there, the office admin opened it to see if it needed attention. She could not understand why I went ballistic, since it was "only" a letter from HR.

      I also remember going to the mairie (town hall) to get some information on a planning application for a field next door to our house. I asked to see the plans for the proposed building, as I was legally entitled to do. The secretary just handed me the entire dossier, complete with name, address and salary/mortgage information for the buyer, noting "the plans will be in there somewhere".

      1. Anonymous Coward

        > The secretary just handed me the entire dossier

        Intelligence of 50% of the population is below average. Training does not help much.

        So make bulk reads of PII impossible by default. No, you should not be able to download the whole DB of data "to do some analysis", even if you are part of the gov organization with access.

        To Mike 137: As above, make it literally impossible. Nobody should have bulk-access, only aggregated data and some meta-data.

        1. Yet Another Anonymous coward Silver badge

          Re: > The secretary just handed me the entire dossier

          >To Mike 137: As above, make it literally impossible. Nobody should have bulk-access, only aggregated data and some meta-data.

          Tricky if you're the admin running the backup
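Added example, not code from the thread, from France Travail or from any real system: a toy Python PII gateway implementing the design argued for in this sub-thread (single-subject reads that are logged and notified to the data subject, a per-actor cap on distinct subjects per time window that blocks the bulk-read pattern, and whole-population questions answered only as an aggregate). The records, the cap and the window length are constructed placeholders.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from time import time

# Constructed sample records (not real data): one row per data subject.
RECORDS = {
    "S-001": {"name": "A. Dupont", "salary": 30000},
    "S-002": {"name": "B. Martin", "salary": 32000},
    "S-003": {"name": "C. Bernard", "salary": 31000},
}
# Assumed policy values; a real deployment sets these per role.
MAX_DISTINCT_SUBJECTS = 2      # distinct people one actor may open per window
WINDOW_SECONDS = 3600

@dataclass
class PiiGateway:
    """Only two ways in: one subject at a time, or an aggregate. No row dump."""
    audit_log: list = field(default_factory=list)
    notifications: list = field(default_factory=list)
    _seen: dict = field(default_factory=lambda: defaultdict(deque))

    def read_subject(self, actor, subject_id, purpose, now=None):
        now = time() if now is None else now
        window = self._seen[actor]
        while window and now - window[0][0] > WINDOW_SECONDS:
            window.popleft()                      # expire old accesses
        distinct = {sid for _, sid in window}
        if subject_id not in RECORDS:
            self._log(actor, subject_id, purpose, "denied:unknown-subject")
            raise PermissionError("unknown subject")
        if subject_id not in distinct and len(distinct) >= MAX_DISTINCT_SUBJECTS:
            self._log(actor, subject_id, purpose, "denied:bulk-pattern")
            raise PermissionError("too many distinct subjects in window")
        window.append((now, subject_id))
        self._log(actor, subject_id, purpose, "allowed")
        # The data subject is told who looked and why (SMS/app in the proposal).
        self.notifications.append((subject_id, actor, purpose))
        return dict(RECORDS[subject_id])

    def aggregate_mean(self, actor, field_name):
        """Whole-population questions come back as a number, never as rows."""
        values = [row[field_name] for row in RECORDS.values()]
        self._log(actor, "*", f"aggregate:{field_name}", "allowed")
        return sum(values) / len(values)

    def _log(self, actor, subject_id, purpose, outcome):
        self.audit_log.append({"actor": actor, "subject": subject_id,
                               "purpose": purpose, "outcome": outcome})
```

The backup path raised in the reply above bypasses an application gateway like this entirely, so it needs controls of its own (for instance backups encrypted with keys the operator running them cannot read).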

      2. Anonymous Coward

        Re: Any public cloud is safer

        I can't vouch for pre-GDPR France but in Spain GDPR + a data protection agency willing to fine sorted out many organisations.

  3. Pascal Monett Silver badge

    "up to 43 million citizens [..] dating back 20 years"

    Well that's just about every citizen of working age since modern records exist.

    So . . . I'm in there somewhere !

    1. Ball boy Silver badge
      Joke

      Re: "up to 43 million citizens [..] dating back 20 years"

      The good news, Pascal, is that you can now shit-post as much as you want on here - just blame your doppelgänger for it all ;)

    2. ThatOne Silver badge
      Facepalm

      Re: "up to 43 million citizens [..] dating back 20 years"

      > I'm in there somewhere !

      Wikipedia says the population of France is a little less than 70 million. Given there is a percentage of inhabitants who wouldn't appear in an employment database (kids/teens, homemakers, gentle(wo)men of leisure...), that data must be about everyone having ever lived in France in the last two decades!

      "Identity Theft For Dummies" will be the next bestseller I guess.

  4. Tron Silver badge

    Worth noting.

    Anyone accumulating all of the data on these hacks would have the makings of a fabulous genealogy and social history resource for future generations.

  5. HuBo Silver badge
    Pirate

    Cybermalveillance and rançongiciel (à double extorsion) suck!

    Cyberattacks like these should definitely strengthen our resolve for a more strongly federated European Union in my mind. The upcoming European Elections (June 6-9, '24) should be a great occasion to send a strong message on cybersecurity and against foreign cybercriminality and influence by the usual suspects (Russia, China, ...). CNIL, DINUM, and the Paris Police Cybercrime Brigade do great work, but I can't help but wish for some slightly larger, federated, bureau, of investigation, that would tackle these issues with a more comprehensive perspective and resources (e.g. in response to the "Anonymous Sudan" attacks on Germany, Denmark, Sweden, and France).

    In the meantime, with the Russian electoral "tombola" (raffle) starting tomorrow (Friday), remember (25 years of Putin is enough): Vote Pussy Riot!

    1. IGotOut Silver badge

      Re: Cybermalveillance and rançongiciel (à double extorsion) suck!

      "...larger, federated, bureau, of investigation, that would tackle these issues with a more comprehensive perspective and resources"

      Like an International police force. Maybe shorten the name to something like InterPol?

      1. HuBo Silver badge
        Pint

        Re: Cybermalveillance and rançongiciel (à double extorsion) suck!

        Right on! Like Interpol (196 member countries), but smaller (limited to the EU); maybe Europol and its EUCTF. But what they do at present is "meets twice yearly at Europol and provides a forum for the heads of the EU cybercrime units". So, not really a federated, and resourced, cybercrime fighting body at present ... (and nowhere to be seen, action-wise, in related newspieces).

  6. IGotOut Silver badge

    This clearly breaks GDPR

    It clearly states you should only hold data as long as strictly necessary. I cannot think of a single reason why you'd need information going back 20 years.

    1. heyrick Silver badge

      Re: This clearly breaks GDPR

      I came here to post exactly that - as 43 million people is, like, half of the country's population.

    2. Mike 137 Silver badge

      Re: This clearly breaks GDPR

      " I cannot think of a single reason why you'd need information going back 20 years"

      E.g. pension entitlements, disability claim histories, marriage and birth records ...

      1. heyrick Silver badge

        Re: This clearly breaks GDPR

        "pension entitlements, disability claim histories, marriage and birth records ..."

        How is any of that relevant to an outfit helping people find work twenty years later?

        Claim histories should be with either Ameli or the CAF, pension entitlements should be with... whoever (Assedic? I forget), and marriage and birth records again should be with the relevant places.

        This information can be voluntarily shared, you know? I hope they've heard of FranceConnect so it isn't necessary for everybody to cling on to every bit of information because they can.

        I'm surprised they don't purge records after X years (leaving only anonymised data points for reference).

        1. Anonymous Coward

          Re: This clearly breaks GDPR

          I'm afraid this is an issue of database interconnections. Employment -> Social Security -> Retirement, all is interconnected. So I guess that if you manage to get into one of those, you can have them all.

          Given the data hoarding habits of everyone everywhere, and since those databases aren't protected (agencies are usually already happy when the whole thing works more or less as expected), the only limit is how much disk space the hacker can spend downloading stuff.

          1. heyrick Silver badge

            Re: This clearly breaks GDPR

            Upvoted because.... "sad but true".

      2. EnviableOne

        Re: This clearly breaks GDPR

        Not relevant data for the agency that processes unemployment.

        Article 5(1)(c) of GDPR:

        1. Personal data shall be:

        (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)

  7. MrGreen

    Perfect Example

    This is a perfect example of why Digital ID should never be allowed.

    1. Anonymous Coward

      Re: Perfect Example

      Well, you have the Social Security number which is your ID (being unique and impossible to change).

  8. IanRS

    Too little, too late

    "Also, as soon as we became aware of this intrusion, we took additional measures with the Cap emploi network to strengthen our systems for protecting access to our applications by our partners."

    i.e. As soon as the horse had bolted, we shut the stable gate.
