The personal data of more than 10,000 beneficiaries published online

by time news

A file containing the data of more than 10,000 beneficiaries of the Gironde Family Allowance Fund (CAF) remained freely accessible on the Internet for eighteen months, as revealed by the Radio France investigation unit on Thursday 5 January. Transmitted in March 2021 by CAF de Gironde to one of its service providers, whose name has not been revealed, this data, which corresponded to real beneficiaries, was intended to be used in exercises on statistical tools for CAF employees, but was posted on the service provider's website, freely accessible to Internet users.

The file in question did not give the surnames and first names of the persons concerned, but still contained a lot of personal information: address, date of birth, income, amounts, and even the type of service received from CAF. According to Radio France, the file thus brought together 181 data points per identified recipient, which makes their "de-anonymization" extremely simple.

Open investigation

The service provider removed the file from its site when journalists reported the data leak to it. It nevertheless explains that it was not aware that the data the file contained came from real recipients of CAF Gironde. The various exercises set up by this Parisian service provider do not in fact require the use of real data, which explains, according to the provider, why the incriminated file was not handled with the precautions necessary for protecting personal data.

Questioned by Radio France, the CAF of Gironde blames the company, which, according to it, should never have put this file online. The organization claims that the file was supposed to be reserved for internal use, in the context of training with a limited number of staff and with employees subject to professional secrecy. CAF announces that it has opened an internal investigation into this transfer and will inform the 10,024 beneficiaries concerned.

Contacted by Le Monde, the National Commission for Computing and Liberties (CNIL) declared that it had been notified of a data breach on this subject, but is not commenting for the moment on the potential consequences. The CNIL can sanction organizations that have not complied with the legal framework in force on the protection of personal data, both the data controller (here CAF) and the subcontractor (the service provider in charge of training). The commission also reserves the right to carry out an examination "beyond the single breach in question, on the general level of security of the processing that the breach may reveal".
