10,204 recipients of CAF Gironde have had their data exposed for nearly a year and a half. At issue: the transmission of a file containing personal information to a service provider in charge of training the organization’s statisticians.
This is a negligence that could cost the Gironde Family Allowances Fund (CAF) dearly. Just before the Christmas holidays, the investigative unit of Radio France reported on a personal data leak within this organization. It turns out that the CAF handed over to one of its training providers, based in the Paris region, a file containing sensitive and personal information on 10,204 recipients. What followed was a series of mistakes made by the various parties involved. First of all, why was the training company in possession of this file? It is responsible for training CAF agents, in particular statisticians, reveals France Info. However, the provider denies having asked to work with real data, and the Gironde CAF allegedly failed to specify that these were actual recipients.
Thus, before the file was transmitted, the surnames and first names as well as the zip codes were removed, but much other information remained: address (house number and street), date of birth, composition and income of the household, amounts and types of benefits received (RSA, APL, allowance for disabled adults, etc.), explains France Info. No fewer than 181 variables are available for each record. Deleting surnames and first names did not prevent the identification of the recipients: the journalists’ investigation made it possible to trace the identity of most of them. The second mistake, this time made by the provider, is the publication of the file on its website in March 2021, the date of the training. Accessible to all, both CAF agents and any site visitor, and without any encryption or access protection, the file could be downloaded with one click.
A shaky defense, an open internal investigation
Contacted during the investigation, the service provider defended itself by stating that it did not know at the time that this file contained real rather than fictitious information. It adds that it then forgot to remove the file, until this week. The news has drawn a reaction from La Quadrature du Net, which had already had CAF in its sights for several months over its beneficiary scoring algorithm. “This data transfer therefore seems to reveal the lack of respect that CAF has for our personal data. Or rather a feeling of ownership of our personal data by its managers, who seem to find it normal to transfer them without any reason to private service providers… Or to use them to develop a scoring algorithm aimed at the most precarious”, declares the association.
The association adds: “So CAF seems to ignore the basic principles of anonymisation of personal data. Proper anonymization requires much more processing so that it is not possible to identify the persons to whom the data is attached. For example, it is necessary to eliminate, or at least modify, directly identifying information (date of birth and address for example).” It is very likely that the CNIL will conduct its own investigation, which could ultimately lead to a fine for violation of the GDPR. As for the defense, the CNAF, the national body that brings together all the CAFs in France, replies that “these data should never have been put online by the service provider” and that the document was meant for strictly internal use. An internal investigation is to be opened within CAF Gironde, and the 10,204 recipients will be informed of the leak.
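The re-identification problem described above (names stripped, but date of birth, street address and household composition retained) can be measured before a file ever leaves an organization. The following is an added example, not code from the article, from CAF or from any of the parties named; the records are constructed for illustration and the column names, the `k_anonymity` and `generalise` helpers, and the chosen generalization rules are assumptions. It computes the k-anonymity of an extract over a chosen set of quasi-identifiers, counts records that are unique on those columns (and so trivially re-identifiable), and shows how coarsening date of birth to a year and dropping the house number changes the result.

```python
"""k-anonymity check on a pseudonymised extract (added example, constructed data)."""
from collections import Counter

# Constructed sample records: surnames/first names already removed, as in the
# leaked file. These are NOT real recipients. 'benefit' is the sensitive
# attribute; the other three columns are quasi-identifiers that, combined,
# can still single out a person.
RECORDS = [
    {"dob": "1984-03-12", "address": "12 rue des Lilas",      "household": "couple, 2 children",        "benefit": "RSA"},
    {"dob": "1984-11-02", "address": "14 rue des Lilas",      "household": "couple, 2 children",        "benefit": "APL"},
    {"dob": "1990-07-21", "address": "3 avenue Victor Hugo",  "household": "single",                    "benefit": "AAH"},
    {"dob": "1990-01-05", "address": "7 avenue Victor Hugo",  "household": "single",                    "benefit": "APL"},
    {"dob": "1975-09-30", "address": "21 rue du Port",        "household": "single parent, 1 child",    "benefit": "RSA"},
    {"dob": "1975-04-18", "address": "25 rue du Port",        "household": "single parent, 1 child",    "benefit": "RSA"},
]

# Assumed quasi-identifier set: columns an outsider could match against
# public sources (electoral rolls, directories, social media).
QUASI_IDENTIFIERS = ("dob", "address", "household")


def _groups(records, quasi_identifiers):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[c] for c in quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class. k == 1 means at least one
    record is unique on the quasi-identifiers and can be singled out."""
    return min(_groups(records, quasi_identifiers).values())


def singletons(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Number of records that are unique on the quasi-identifiers."""
    return sum(1 for n in _groups(records, quasi_identifiers).values() if n == 1)


def generalise(record):
    """Coarsen the directly identifying fields (assumed rules):
    - date of birth -> year of birth
    - address        -> street name without the house number
    Household composition and the sensitive benefit column are left as-is."""
    year = record["dob"][:4]
    number, sep, street = record["address"].partition(" ")
    # Only strip a leading numeric house number; otherwise keep the address.
    address = street if sep and number.isdigit() else record["address"]
    return {**record, "dob": year, "address": address}


def risk_report(records, quasi_identifiers=QUASI_IDENTIFIERS, k_min=2):
    """Summarise re-identification risk and whether the extract meets k_min."""
    k = k_anonymity(records, quasi_identifiers)
    return {
        "records": len(records),
        "k": k,
        "singletons": singletons(records, quasi_identifiers),
        "meets_k_min": k >= k_min,
    }


if __name__ == "__main__":
    print("raw extract:        ", risk_report(RECORDS))
    coarsened = [generalise(r) for r in RECORDS]
    print("after generalising: ", risk_report(coarsened))
```

On the constructed sample, the raw extract has k = 1 with every record unique: removing names alone did nothing to prevent singling out. After coarsening, each combination is shared by two records. In a real review the threshold would be higher than 2, the 181 variables of the leaked file would all need to be classified as identifier, quasi-identifier or sensitive attribute, and a k-anonymity figure is only a lower bound on the work needed, since a small group that all share the same benefit value still discloses that benefit for everyone in it.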