More than 10,000 recipients of the French social security agency CAF saw their data exposed for nearly a year and a half, after a file containing personal information was sent to a service provider responsible for training the organization's statisticians.

[Editor’s note: This article originally appeared on the Le Monde Informatique website.]

More than 10,000 beneficiaries of a local branch of the French social security agency CAF, or Family Allowance Fund, saw their data exposed for about 18 months, after a file containing personal information was sent to a service provider.

The mistake, discovered by France Info — Radio France’s news and investigation service — just before the year-end holidays, could hit the CAF hard. The investigation found that the CAF in Gironde (Nouvelle-Aquitaine) sent a file containing sensitive and personal information of 10,204 beneficiaries to a service provider responsible for training the organization’s statisticians. The provider denies having asked to work with real information, and the Gironde CAF apparently failed to specify that the data that was sent included information on current benefit recipients.

For the transmission of the file, beneficiary surnames and first names were removed as well as their postal codes, but a lot of other information remained: address (number and street name), date of birth, household composition and income, amounts and types of benefits received (disabled adult allowance, etc.), according to the France Info inquiry.

Posted data allowed identification of benefit recipients

For each file folder, no less than 181 variables were available. The deletion of surnames and first names has not hindered identification of the recipients. Investigating journalists were able to find the identity of most of them.

Another error, in this case made by the CAF service provider, was the posting of the file on its website in March 2021, the date of the training. Accessible to everyone, both to CAF agents and to any visitor to the site, and without any encryption protection, the file could be downloaded in one click.

Contacted during the investigation, the service provider defended itself by stating that it did not know that the CAF file contained real, and not fictitious, information. It added that it then forgot to remove it, until last week. This news elicited a reaction from digital rights advocacy group La Quadrature du Net, which already had CAF in its sights for a few months, concerning its algorithm for rating recipients.

“This data transfer therefore seems to reveal the disregard CAF has for our personal data. Or rather a feeling of ownership of our personal data on the part of its managers, who seem to find it normal to transfer them without any reason to private providers… Or to use them to develop a scoring algorithm targeting the most precarious,” wrote La Quadrature du Net in a commentary on its website. “Thus CAF seems to ignore the basic principles of anonymizing personal data. Proper anonymization requires much more processing so that it is not possible to identify the individuals to whom the data is attached. For example, it is necessary to delete, or at least modify, the directly identifying information (date of birth and address for example),” according to the commentary.

It is very likely that French data protection agency CNIL will lead an investigation that could ultimately result in a sanction for breach of the GDPR.

On its part, CNAF — the National Family Allowance Fund, which oversees the local CAFs — told France Info that “this data should never have been put online by the service provider” and the document in question was to have a strictly internal use. The CAF Gironde will therefore be subject to an internal investigation.
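The article reports that removing surnames, first names and postal codes did not prevent identification. One check a data owner can run before an extract leaves the organization is to count how many rows are unique on the remaining quasi-identifiers (k-anonymity) and to gate the release on that count. This is an added example, not code from the article, CAF or its provider; the rows, field names, generalization rules and the threshold k=3 are constructed assumptions.

```python
from collections import Counter

# Constructed sample rows (not real data). Surnames, first names and postal
# codes are already removed, as in the file the article describes.
ROWS = [
    {"street": "4 rue des Lilas",    "birth": "1984-03-07", "household": 3, "benefit": "disability"},
    {"street": "17 avenue Pasteur",  "birth": "1986-11-21", "household": 4, "benefit": "housing"},
    {"street": "2 place du Marche",  "birth": "1981-01-30", "household": 3, "benefit": "family"},
    {"street": "9 rue Victor Hugo",  "birth": "1992-06-15", "household": 1, "benefit": "housing"},
    {"street": "31 cours Gambetta",  "birth": "1995-09-02", "household": 2, "benefit": "disability"},
    {"street": "5 impasse des Pins", "birth": "1998-12-25", "household": 1, "benefit": "family"},
]
RAW_QI = ("street", "birth", "household")      # quasi-identifiers left in the file
SAFE_QI = ("birth_decade", "household_band")   # quasi-identifiers after generalization

def group_sizes(rows, quasi_ids):
    """Count how many rows share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in rows)

def k_anonymity(rows, quasi_ids):
    """k is the size of the smallest group; k == 1 means at least one row is unique."""
    return min(group_sizes(rows, quasi_ids).values())

def unique_fraction(rows, quasi_ids):
    """Share of rows whose quasi-identifier combination occurs exactly once."""
    sizes = group_sizes(rows, quasi_ids)
    singles = sum(1 for r in rows if sizes[tuple(r[q] for q in quasi_ids)] == 1)
    return singles / len(rows)

def generalize(row):
    """Drop the street address, coarsen birth date to a decade, band the household size."""
    return {
        "birth_decade": row["birth"][:3] + "0s",
        "household_band": "1-2" if row["household"] <= 2 else "3+",
        "benefit": row["benefit"],
    }

def safe_to_share(rows, quasi_ids, k=3):
    """Release gate: refuse any extract whose smallest group is below k."""
    return k_anonymity(rows, quasi_ids) >= k

if __name__ == "__main__":
    coarse = [generalize(r) for r in ROWS]
    print("raw:        k =", k_anonymity(ROWS, RAW_QI),
          "unique =", unique_fraction(ROWS, RAW_QI))
    print("generalized: k =", k_anonymity(coarse, SAFE_QI),
          "share?", safe_to_share(coarse, SAFE_QI))
```

Meeting a k threshold is a minimum bar rather than proof of anonymization; the more columns an extract keeps, the more of them have to be included in the quasi-identifier set for the count to mean anything.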