The French data protection agency, the CNIL, has opened an investigation into a pair of data breaches at payment processors that together affect nearly half of the country’s population.
At the end of January, cyberattackers compromised data for 33 million French citizens held by the two companies, Viamedis and Almerys, which manage third-party payments for health insurance companies. The combined exposure is the largest-ever data breach for French citizens.
The firms were breached five days apart. Viamedis’ general director stated that threat actors mounted a successful phishing attack on an employee as the initial access vector. Meanwhile, assailants accessed a portal used by health professionals to breach Almerys, according to EuroNews.
“Healthcare services and providers continue to be massively targeted, often due to the very nature of the data they hold, coupled with the lack of funding for cybersecurity solutions and practices,” Darren Williams, CEO and founder at BlackFog, said in an emailed statement. “With the personal data of 33 million people involved, it will be some time before we know the true fallout from this attack.”
The information thieves made off with a range of personally identifiable information (PII), including marital status, dates of birth, national identification numbers, names of health insurers, and more. However, banking information, medical data, health reimbursements, addresses, telephone numbers, and emails weren’t accessed. Still, the CNIL said policyholders should be on the lookout for follow-on attacks.
“Be careful about the requests you may receive, particularly if they concern reimbursement of health costs, and periodically check the activities and movements on your various accounts,” the CNIL cautioned in its announcement on the Viamedis/Almerys investigation (translated by Google Translate). “Although contact data is not affected by the breach, it is possible that the breached data could be combined with other information from previous data breaches [for social engineering attacks].”
As for takeaways from the incident for businesses, Max Gannon, senior cyber threat intelligence analyst at Cofense, points out that, once again, a single employee falling for a phishing attempt is to blame for a cyberattack affecting millions.
“Although we are likely to see press releases highlighting the sophistication and complexity of the phishing campaign that was used, the truth remains that a single employee falling for a phishing campaign led to data on millions of individuals being compromised,” he says. “A company’s cybersecurity defenses are only as strong as their weakest link, which, as we have seen, is often a single employee. Training employees across the company is one of the most substantial actions that a company can take to better defend itself.”