A service provider has received information on beneficiaries from the Gironde Family Allowances Fund (CAF). He then posted them on the Internet, thinking they were fake.
For a year and a half, the personal data of over 10,000 beneficiaries of the Family Allowance Fund (CAF) were freely accessible on the internet. Unveiled by the investigation unit of French radio, this leak is not the work of a group of cybercriminals, but simply a CAF provider. The posting of sensitive information dates back to March 2021 as part of a training course for CAF agents.
To learn a programming language in the field of statistics, the Gironde CAF has provided a file containing information on 10,204 people who benefit from the organization’s allowances. They are then brought online by the service provider in charge of the training. The only problem is that all of this personal data is real.
“I thought they were fictional”
This set of data was needed as part of the hands-on exercises that accompanied agent training. “When the CAF communicated these data to me, I thought they were fictitious,” defended the service provider, based in the Paris region, to Radio France. He also explains that he didn’t need real data to guarantee his training, just realistic data.
Still accessible on January 1, the file in question was later removed from the provider’s site. If the first and last names were removed from the dataset, they were not anonymized, he regrets Square the net. The association for the defense of fundamental freedoms in the digital environment indicates that addresses or dates of birth remain directly identifying information.
181 punctual data per beneficiary
Furthermore, Radio France’s investigative unit had no problems contacting recipients of the CAF whose personal data was available online. He thus found people’s identities by entering their addresses in a reverse list. Quadrature du Net states that a site such as the Yellow Pages was sufficient for the operation.
In total, the open access file included 181 specific data about each of the recipients. Gender, nationality, date of birth and address were displayed for everyone. Information on housing, personal, medical, professional and family situations has been added. The activity of the spouses was mentioned, as well as the date of birth of the children of the beneficiaries. Finally, the amounts of the indemnities received were detailed.