33 million French citizens involved in the largest breach ever in the country

France’s data protection agency, the CNIL, has opened an investigation into a pair of data breaches at payment processors that together affect nearly half of the country’s population.

At the end of January, attackers compromised the data of 33 million French citizens held by the two companies Viamedis and Almerys, which manage third-party payments for health insurance companies. The combined exposure is the largest data breach ever for French citizens.

The companies were hacked five days apart. The CEO of Viamedis said that the threat actors' initial entry vector was a successful phishing attack against an employee. Meanwhile, the attackers got into Almerys through a portal used by healthcare workers, according to EuroNews.

“Healthcare services and providers continue to be massively targeted, often due to the very nature of the data they hold, combined with a lack of funding for cybersecurity solutions and practices,” said Darren Williams, CEO and founder of BlackFog, in an emailed statement. “With the personal data of 33 million people affected, it will be some time before we know the true consequences of this attack.”

The information thieves got away with a variety of personally identifiable information (PII), including marital status, dates of birth and national identification numbers, names of health insurers, and more. However, banking information, medical records, healthcare reimbursements, addresses, phone numbers and emails were not accessed. Even so, the CNIL said policyholders should be wary of follow-up attacks.

“Pay attention to the requests you may receive, especially if they concern the reimbursement of health expenses, and periodically check the activities and movements on your different accounts,” warned the CNIL in its announcement on the Viamedis/Almerys investigation (translated by Google Translate). “Although contact data is not affected by the breach, it is possible that the breached data could be combined with other information from previous data breaches [for social engineering attacks].”

As for the lessons of the incident for businesses, Max Gannon, senior cyber threat intelligence analyst at Cofense, points out that once again a single employee who fell victim to a phishing attempt is responsible for a cyber attack affecting millions of people.

“While we are likely to see press releases highlighting the sophistication and complexity of the phishing campaign used, the truth remains that a single employee falling for a phishing campaign has led to the data of millions of individuals being compromised,” he says. “A company’s cybersecurity defenses are only as strong as its weakest link, which, as we’ve seen, is often a single employee. Employee training across the company is one of the most substantial actions a company can take to better defend itself.”
