Data leak exposes information of 10,000 French social security beneficiaries

[Editor’s note: This article originally appeared on the Le Monde Informatique website.]

More than 10,000 beneficiaries of a local branch of the French social security agency CAF, or Family Allowance Fund, saw their data exposed for about 18 months, after a file containing personal information was sent to a service provider.

The error, discovered by France Info — Radio France’s news and investigation service — just before the year-end holidays, could hit the CAF hard. The investigation found that the CAF in Gironde (Nouvelle-Aquitaine) sent a file containing sensitive and personal information of 10,204 beneficiaries to a service provider responsible for training the organization’s statisticians.

The provider denies having asked to work with real data, and the Gironde CAF apparently did not specify that the data that was sent included information on current benefit recipients.

For the transmission of the file, beneficiary surnames and first names were removed as well as their postal codes, but plenty of other information remained: address (number and street name), date of birth, household composition and income, amounts and types of benefits received (disabled adult allowance, etc.), according to the France Info inquiry.

Posted data allowed identification of benefit recipients

For each file folder, at least 181 variables were available. The deletion of surnames and first names has not hindered identification of the recipients. Investigating journalists were able to find the identity of most of them.

Another error, in this case made by the CAF service provider, was the posting of the file on its website in March 2021, the date of the training. Accessible to everyone, both to CAF agents and to any visitor to the site, and without any encryption protection, the file could be downloaded in a single click.

Contacted during the investigation, the service provider defended itself by stating that it did not know that the CAF file contained real, and not fictitious, information. It added that it then forgot to remove it, until last week. This news elicited a response from digital rights advocacy group La Quadrature du Net, which had already had CAF in its sights for a few months, concerning its algorithm for rating recipients.

“This data transfer therefore seems to reveal the disregard CAF has for our personal data. Or rather a feeling of ownership of our personal data on the part of its managers, who seem to find it normal to transfer them without any reason to private providers… Or to use them to develop a scoring algorithm targeting the most precarious,” wrote La Quadrature du Net in a commentary on its website.

“Thus CAF seems to ignore the basic principles of anonymizing personal data. Proper anonymization requires much more processing so that it is not possible to identify the individuals to whom the data is attached. For example, it is necessary to delete, or at least modify, the directly identifying information (date of birth and address for example),” according to the commentary.
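Whether removing names and postal codes is enough can be measured before a file leaves the organization. The Python sketch below is an added example, not code from the article, CAF or its provider; the records, field names and the threshold `k_min` are constructed assumptions. It computes k-anonymity over the fields the article says remained (street address, date of birth, household composition) and again after generalizing them.

```python
from collections import Counter

# Constructed sample rows (not from the leaked file). Names and postal codes
# are already absent; the fields are the kind the article says remained.
RECORDS = [
    {"street": "12 rue des Lilas", "dob": "1984-03-17", "household": "couple, 2 children", "benefit": "disabled adult allowance"},
    {"street": "3 avenue Thiers", "dob": "1986-11-02", "household": "couple, 2 children", "benefit": "housing benefit"},
    {"street": "45 cours Victor Hugo", "dob": "1981-07-29", "household": "couple, 2 children", "benefit": "disabled adult allowance"},
    {"street": "8 rue Sainte-Catherine", "dob": "1992-01-05", "household": "single, 1 child", "benefit": "income support"},
    {"street": "12 rue des Lilas", "dob": "1995-09-21", "household": "single, 1 child", "benefit": "housing benefit"},
    {"street": "27 quai des Chartrons", "dob": "1990-06-14", "household": "single, 1 child", "benefit": "income support"},
]
QUASI_IDENTIFIERS = ("street", "dob", "household")  # assumed field names

def class_sizes(rows, keys):
    """Count how many rows share each combination of quasi-identifier values."""
    return Counter(tuple(r[k] for k in keys) for r in rows)

def k_anonymity(rows, keys):
    """Smallest group size; k == 1 means at least one person is singled out."""
    return min(class_sizes(rows, keys).values())

def unique_fraction(rows, keys):
    """Share of rows whose quasi-identifier combination is unique."""
    sizes = class_sizes(rows, keys)
    singled_out = sum(1 for r in rows if sizes[tuple(r[k] for k in keys)] == 1)
    return singled_out / len(rows)

def generalize(row):
    """Drop the street address and coarsen date of birth to a decade."""
    out = {k: v for k, v in row.items() if k != "street"}
    out["dob"] = row["dob"][:3] + "0s"
    return out

def release_check(rows, keys, k_min=3):
    """Gate a file before sharing: refuse if any group is smaller than k_min."""
    k = k_anonymity(rows, keys)
    return {"k": k, "unique_fraction": unique_fraction(rows, keys), "ok": k >= k_min}

if __name__ == "__main__":
    print("as sent:    ", release_check(RECORDS, QUASI_IDENTIFIERS))
    coarse = [generalize(r) for r in RECORDS]
    print("generalized:", release_check(coarse, ("dob", "household")))
```

k-anonymity only bounds singling-out: a group whose members all receive the same benefit still discloses that benefit, so sensitive columns need their own review.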

It is very likely that French data protection agency CNIL will lead an investigation that could ultimately result in a sanction for breach of the GDPR.

For its part, CNAF — the National Family Allowance Fund, which oversees the local CAFs — told France Info that “this data should never have been put online by the service provider” and the document in question was to have a strictly internal use. The CAF Gironde will therefore be subject to an internal investigation.

Copyright © 2023 IDG Communications, Inc.