French Gov. Leaks 43 Million People’s Data — ‘France Travail’ Says Sorry
2024-3-16 01:0:43 Author: securityboulevard.com(查看原文) 阅读量:17 收藏

Présidente de France Travail, Alexandre SaubotFrench public employment administration loses control of citizens’ data after biggest breach in Gallic history.

Hackers stole 20 years of personal data relating to job seekers from a French agency. And it went unnoticed for five weeks. The boss of France Travail, Alexandre Saubot, has a right to look grim (as pictured).

It’s just weeks since 33 million French users had their data stolen from a pair of payment providers. In today’s SB Blogwatch, we are vain and we are blind.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: TH on OGWT.

«La Grande Cybermalveillance»

What’s the craic? Thomas Leroy is lost in translation—“43 Millions de Personnes ‘Potentiellement’ Concernées par une Cyberattaque”:

Must individually notify all people
A preliminary investigation was opened by the Paris Prosecutor’s Office after a cyberattack suffered by the France Travail website. … This very significant data leak took place between February 6 and March 5, 2024.

The data stolen … were: First and last name, social security number, date of birth, France Travail identifier, email and postal addresses and telephone numbers. … By law, the employment agency must individually notify all people affected by this personal data breach.

France Travail? Qu’est-ce que c’est? Fa-fa-fa-faa, fa-fa-fa-fa Bill Toulas seems to face up to the facts—“French unemployment agency data breach impacts 43 million people”:

Increases the risk
France Travail is the French governmental agency responsible for registering unemployed individuals, providing financial aid, and assisting them in finding jobs. … Hackers stole details belonging to job seekers registered with the agency in the last 20 years. … Data from individuals with a job candidate profile was also exposed.

This data increases the risk of identity theft and phishing for the exposed individuals, so … the country’s data protection agency, the National Commission of [Technology] and Liberties (CNIL) … recommends potentially impacted people to be particularly vigilant with emails, phone calls, and SMS they receive. [It] warns that cybercriminals may use what’s available to correlate with missing data points from other breaches.

La bouche du cheval? Le personnel des relations publiques de France Travail are tense and nervous and they can’t relax:

We obviously apologize
In accordance with our obligations under … GDPR, we have notified CNIL and have also today filed a complaint with the judicial authorities. … Passwords and banking details are not affected by this act of cybermaliciousness. There is therefore no compensation.

A preliminary investigation was opened by the Paris Public Prosecutor’s Office and entrusted to the Cybercrime Brigade of the Paris Judicial Police Department. … Aware of the consequences that this may cause, we will inform all identified people via their personal space or by email to whom we obviously apologize. … The security of [your] data is a constant concern for us.

How does this keep happening? jihadjihad can’t sleep, ’cause their bed’s on fire:

I spent part of my childhood in France. … One thing I’ll never forget is a scene of street construction in a French town: It’s about 11:30am, and three guys all get done with the excavator and jackhammers. One guy goes and grabs something long from the bed of a truck, another heads to the cab and reaches for a brightly colored bundle, and the third guy grabs some chairs from the other side.

Right in the middle of the cordoned-off construction zone, the first guy sets up a folding table, the second guy neatly places a tablecloth on top along with a baguette and bottle of wine and some cheese etc., and the third guy brings up the chairs. These guys sat down for a nice meal for 90 minutes—at least—before getting back to work.

I think my American parents thought, “Wow, how in the hell does anything ever get built in this country?” while my thought was mostly, “That seems really nice, they look so relaxed!”

Surely simply un stéréotype? Don’t touch this Anonymous Coward—they’re a real live wire:

Some countries just regard privacy as more important than others. Working in France years ago I received a letter from HR, addressed to me (at work) and clearly labelled Personal and Confidential. Since I wasn’t there, the office admin opened it to see if it needed attention. She could not understand why I went ballistic, since it was “only” a letter from HR.

I also remember going to the mairie (town hall) to get some information on a planning application for a field next door to our house. I asked to see the plans for the proposed building, as I was legally entitled to do. The secretary just handed me the entire dossier, complete with name, address and salary/mortgage information for the buyer, noting “the plans will be in there somewhere.”

What to do about it? RitchCraft says you better run, run, run, run—run, run, run away:

It should be obvious by now that connecting government systems to the Internet that contain personal citizen data has failed. … You will never secure that data, no matter what you do.

Time to hit the Undo button and start over: … Governments need to invest in a private network that is completely air-gapped.

Is 43M a big number? ThatOne starts a conversation:

Population of France is a little less than 70 million. Given there is a percentage of inhabitants who wouldn’t appear in an employment database—kids/teens, homemakers, gentle(wo)men of leisure—that data must be about everyone having ever lived in France in the last two decades! “Identity Theft For Dummies” will be the next bestseller, I guess.

Speaking of guesswork, manu0601 can’t even finish it:

Remove 20–25% of young people who are studying and you get an idea of how many French people experienced unemployment (you do not sign up at France Travail if you do not look for a job). This is huge.

Meanwhile, IGotOut is heading for glory, OK: [You’re fired—Ed.]

This clearly breaks GDPR, [which] states you should only hold data as long as strictly necessary. I cannot think of a single reason why you’d need information going back 20 years.

Et Enfin:

I hate people when they’re not polite

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Recent Articles By Author

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 589 posts and counting.See all posts by richi


文章来源: https://securityboulevard.com/2024/03/france-travail-hack-richixbw-png/
如有侵权请联系:admin#unsafe.sh