More than 10,000 recipients of the French social security agency CAF saw their data exposed for nearly a year and a half, after a file containing personal information was sent to a service provider responsible for training the organization's statisticians.

[Editor’s note: This article originally appeared on the Le Monde Informatique website.]

More than 10,000 beneficiaries of a local branch of the French social security agency CAF, or Family Allowance Fund, saw their data exposed for about 18 months, after a file containing personal information was sent to a service provider.

The mistake, discovered by France Info — Radio France’s news and investigation service — just before the year-end holidays, could hit the CAF hard. The investigation found that the CAF in Gironde (Nouvelle-Aquitaine) sent a file containing sensitive and personal information of 10,204 beneficiaries to a service provider responsible for training the organization’s statisticians. The provider denies having asked to work with real information, and the Gironde CAF apparently failed to specify that the data that was sent included information on current benefit recipients.

For the transmission of the file, beneficiary surnames and first names were removed, as were their postal codes, but a lot of other information remained: address (number and street name), date of birth, household composition and income, and the amounts and types of benefits received (disabled adult allowance, etc.), according to the France Info inquiry.

Posted data allowed identification of benefit recipients

For each file folder, no fewer than 181 variables were available. The deletion of surnames and first names has not hindered identification of the recipients. Investigating journalists were able to find the identity of most of them. Another error, in this case made by the CAF service provider, was the posting of the file on its website in March 2021, the date of the training. Accessible to everyone, both to CAF agents and to any visitor to the site, and without any encryption protection, the file could be downloaded in one click.

Contacted during the investigation, the service provider defended itself by stating that it did not know that the CAF file contained real, and not fictitious, information. It added that it then forgot to remove it, until last week. This news elicited a reaction from digital rights advocacy group La Quadrature du Net, which had already had CAF in its sights for a few months over its algorithm for rating recipients.

“This data transfer therefore seems to reveal the disregard CAF has for our personal data. Or rather a feeling of ownership of our personal data on the part of its managers, who seem to find it normal to transfer them without any reason to private providers… Or to use them to develop a scoring algorithm targeting the most precarious,” wrote La Quadrature du Net in a commentary on its website. “Thus CAF seems to ignore the basic principles of anonymizing personal data. Proper anonymization requires much more processing so that it is not possible to identify the individuals to whom the data is attached. For example, it is necessary to delete, or at least modify, the directly identifying information (date of birth and address for example),” according to the commentary.

It is very likely that French data protection agency CNIL will lead an investigation that could ultimately result in a sanction for breach of the GDPR.

For its part, CNAF — the National Family Allowance Fund, which oversees the local CAFs — told France Info that “this data should never have been put online by the service provider” and that the document in question was meant for strictly internal use. The CAF Gironde will therefore be subject to an internal investigation.