“This is the biggest security breach in France”. More than 33 million people are affected by the theft of their data from third-party payment operators, the National Commission for Information Technology and Liberties (CNIL) announced on Wednesday. Two companies serving as intermediaries between health professionals and complementary health insurance companies are concerned: Viamedis and Almerys, which manage third-party payment for numerous complementary health and mutual insurance companies in France. “This is the first time that there has been a violation of this magnitude,” underlined this Thursday on franceinfo the lawyer specializing in digital data protection and former secretary general of the CNIL, Yann Padova.
The data concerned by this giant leak are “marital status, date of birth and social security number, name of health insurer as well as the guarantees of the contract subscribed”, said the digital privacy watchdog in a press release.
Risk of phishing
“The good news in this matter is that there is no banking data, there is no health data, there is no email contact data, phone number,” notes Gérôme Billois, cybersecurity specialist at the company Wavestone, also on franceinfo. “So that limits the ability for cybercriminals to continue their attacks.”
“They’re going to have to cross-reference surnames and first names with other databases that exist on the Internet to find people’s emails or telephone numbers”, to be able to do their “great classic”, phishing: “That is to say fraudulent emails, fraudulent SMS messages which would urgently ask us to give even more information such as bank card numbers”.
In itself, “this data is not worth much; there should also be at least an e-mail and a telephone number,” confirms Damien Bancal, a great observer of the black market for stolen data and host of the Zataz.com blog. But they “can quickly be crossed with other files”, agrees Tamim Couvilles, analyst at the cybersecurity company Vade. It is in fact “possible that the data which was the subject of the violation is coupled with other information coming from past data leaks”, explains the CNIL.
As a result, “the risk for people is quite significant, in particular scams, phishing for example, or identity theft”, warns the former secretary general of the CNIL Yann Padova. Especially since these data are “fresh”, adds Gérôme Billois.
Contact your complementary or mutual insurance company
The additional “difficulty”, in the eyes of Yann Padova, is that the insured do not know whether they are affected or not by these data leaks. The CNIL called on the complementary insurers using Viamedis and Almerys to inform “individually and directly” all their policyholders concerned, warning that it will ensure that this is done “as soon as possible”.
However, “your first step should be to call your mutual or complementary insurance to find out if they were in contact with these two companies who were the subject of the security breach”, advises the lawyer specializing in digital data protection. He specifies that companies “have an obligation under European law to inform people”.
Be vigilant if you receive a message
The CNIL advises you to “be careful about requests” that you might receive, “particularly if they concern reimbursement of health costs”, but also “to periodically check the activities and movements on your various accounts”.
Yann Padova calls in particular for “vigilance and precaution” when opening an email. Having the target’s social security number “helps give credibility to a phishing email”, which consists of convincing the Internet user to click on a malicious link. “If you find that there is a curious email that has arrived to you that looks like it comes from your mutual insurance company, then call them” to check, he recommends.
Hackers can also use other channels, “SMS, instant messaging”, says Gérôme Billois. “As soon as a message asks us for something urgently, the alarms must go off in our brain”.