Roughly half of the population of France has had its data exposed in what is the largest cyber attack ever to hit the country.
Threat actors stole the data of over 33 million French people after they attacked two of the country’s medical insurance service providers – Viamedis and Almerys.
The two companies were targeted five days apart at the beginning of February, leading to almost half of the French population being exposed.
Stolen data includes the name of the health insurer, date of birth, marital status, social security number and the person’s cover package details, according to the French Data Protection Authority (CNIL). The authority stresses that “no bank details, medical data, postal address, telephone number or email are involved”.
Viamedis said the attackers gained access to its system on 1 February after phishing credentials from health professionals and logging in.
Almerys said the hackers accessed a portal used by health professionals to gain access but added that the threat actors had not breached its central system.
An investigation into the attack has been launched after both providers filed complaints with the public prosecutor.
CNIL president Marie-Laure Denis said that the investigation by the CNIL intends “to determine whether the security measures implemented prior to the incident and in reaction to it were appropriate with regard to the obligations of the general data protection regulation.”
Former secretary-general of the CNIL and digital data protection lawyer Yann Padova said an attack of this size is unprecedented in France.
“This is the first time that there has been a violation of this magnitude,” he told French publication FranceInfo.
“The biggest security breach in France.”
Padova advised French citizens to reach out to their insurance to see if they had been in contact with either provider.
“Your first step should be to call your mutual or complementary insurance to find out if they were in contact with these two companies which were the subject of the security breach,” he said, adding that European organisations “have an obligation under European law to inform people”.
The nature of the attack is still not known, nor who the threat actor behind it is. The concern with such a large volume of data being stolen extends beyond initial theft and resale. Having such extensive data on hand is an incredibly valuable asset for threat actors, who can then use it for future attacks on both individuals and organisations they are connected to.