[Editor’s note: This article originally appeared on the Le Monde Informatique website.]
More than 10,000 beneficiaries of a local branch of the French social security agency CAF, or Family Allowance Fund, saw their data exposed for about 18 months, after a file containing personal information was sent to a service provider.
The mistake, discovered by France Info — Radio France’s news and investigation service — just before the year-end holidays, could hit the CAF hard. The investigation found that the CAF in Gironde (Nouvelle-Aquitaine) sent a file containing sensitive and personal information of 10,204 beneficiaries to a service provider responsible for training the organization’s statisticians.
The provider denies having asked to work with real information, and the Gironde CAF apparently failed to specify that the data that was sent included information on current benefit recipients.
Before the file was sent, beneficiaries' surnames and first names were removed, as were their postal codes, but a great deal of other information remained: street address (number and street name), date of birth, household composition and income, and the amounts and types of benefits received (disabled adult allowance, etc.), according to the France Info inquiry.
Posted data allowed identification of benefit recipients
Each case record contained no fewer than 181 variables. Removing surnames and first names did not prevent re-identification: with the street address and full date of birth still present, the investigating journalists were able to establish the identity of most of the recipients.
A second error, this time on the part of the CAF's service provider, was to post the file on its website in March 2021, when the training took place. Accessible to anyone, CAF agents and casual visitors alike, and not protected by any encryption, the file could be downloaded in a single click.
Contacted during the investigation, the service provider defended itself by saying it had not known that the CAF file contained real rather than fictitious data. It added that it had then forgotten to remove the file, and only did so last week. The news drew a reaction from the digital rights advocacy group La Quadrature du Net, which had already had CAF in its sights for several months over the algorithm it uses to score recipients.
“This data transfer therefore seems to reveal the disregard CAF has for our personal data. Or rather a feeling of ownership of our personal data on the part of its managers, who seem to find it normal to transfer them without any reason to private providers… Or to use them to develop a scoring algorithm targeting the most precarious,” wrote La Quadrature du Net in a commentary on its website.
“Thus CAF seems to ignore the basic principles of anonymizing personal data. Proper anonymization requires much more processing so that it is not possible to identify the individuals to whom the data is attached. For example, it is necessary to delete, or at least modify, the directly identifying information (date of birth and address for example),” according to the commentary.
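The failure described above (names stripped, but street address and full date of birth left in) is the classic quasi-identifier problem. The following is an added example, not code from the article or from CAF: it measures the k-anonymity of a small constructed extract, shows how a linkage join against a public source re-identifies every record when k = 1, and then applies generalisation plus suppression to reach k = 2. All rows, names, communes and benefit codes are fictional, and the choice of (street, dob) and (commune, birth_decade) as quasi-identifier sets is an assumption made for the illustration.

```python
"""k-anonymity and linkage re-identification on a pseudonymised extract.

Added example with constructed, fictional data; not the CAF file or the
journalists' method. Field names mirror the kinds of data the article lists.
"""
from collections import Counter

# Constructed extract: surnames, first names and postal codes already
# stripped, but street address, full date of birth and benefit data kept.
SAMPLE_ROWS = [
    {"street": "12 rue des Lilas", "commune": "Bordeaux", "dob": "1984-03-07", "household": 3, "benefit": "AAH"},
    {"street": "12 rue des Lilas", "commune": "Bordeaux", "dob": "1990-11-21", "household": 1, "benefit": "RSA"},
    {"street": "5 allee du Port", "commune": "Bordeaux", "dob": "1984-06-15", "household": 2, "benefit": "APL"},
    {"street": "5 allee du Port", "commune": "Bordeaux", "dob": "1984-09-30", "household": 4, "benefit": "APL"},
    {"street": "3 place Gambetta", "commune": "Merignac", "dob": "1977-01-02", "household": 2, "benefit": "AAH"},
    {"street": "8 cours Victor Hugo", "commune": "Merignac", "dob": "1977-05-19", "household": 1, "benefit": "RSA"},
]

# Constructed stand-in for a public source (directory, electoral roll, social
# media) that carries a name next to the same quasi-identifiers. Fictional.
PUBLIC_DIRECTORY = [
    {"name": "A. Martin", "street": "12 rue des Lilas", "dob": "1984-03-07"},
    {"name": "B. Durand", "street": "5 allee du Port", "dob": "1984-06-15"},
    {"name": "C. Petit", "street": "3 place Gambetta", "dob": "1977-01-02"},
]

QI_RAW = ("street", "dob")               # quasi-identifiers left in the file
QI_COARSE = ("commune", "birth_decade")  # quasi-identifiers after generalisation


def equivalence_classes(rows, quasi_ids):
    """Count rows sharing each combination of quasi-identifier values."""
    return Counter(tuple(row[c] for c in quasi_ids) for row in rows)


def k_anonymity(rows, quasi_ids):
    """The k in k-anonymity: size of the smallest equivalence class."""
    return min(equivalence_classes(rows, quasi_ids).values())


def singletons(rows, quasi_ids):
    """Rows whose quasi-identifier combination is unique (k = 1). Each can be
    pinned to one person by anyone who knows those values."""
    classes = equivalence_classes(rows, quasi_ids)
    return [r for r in rows if classes[tuple(r[c] for c in quasi_ids)] == 1]


def link_to_directory(rows, directory, quasi_ids=QI_RAW):
    """Re-identify by joining on quasi-identifiers against a public source.
    Returns {name: benefit} for every directory entry matching a unique row."""
    classes = equivalence_classes(rows, quasi_ids)
    index = {tuple(r[c] for c in quasi_ids): r for r in rows}
    hits = {}
    for person in directory:
        key = tuple(person[c] for c in quasi_ids)
        if key in index and classes[key] == 1:
            hits[person["name"]] = index[key]["benefit"]
    return hits


def generalise(row):
    """Coarsen the quasi-identifiers: drop the street entirely, keep the
    commune, and reduce the date of birth to a decade."""
    coarse = {k: v for k, v in row.items() if k not in ("street", "dob")}
    coarse["birth_decade"] = row["dob"][:3] + "0s"   # "1984-03-07" -> "1980s"
    return coarse


def anonymise(rows, k=2):
    """Generalise every row, then suppress rows still in a class smaller
    than k. Generalisation alone leaves outliers unique."""
    coarse = [generalise(r) for r in rows]
    classes = equivalence_classes(coarse, QI_COARSE)
    return [r for r in coarse if classes[tuple(r[c] for c in QI_COARSE)] >= k]


if __name__ == "__main__":
    print("k on (street, dob):", k_anonymity(SAMPLE_ROWS, QI_RAW))
    print("re-identified:", link_to_directory(SAMPLE_ROWS, PUBLIC_DIRECTORY))
    coarse_rows = [generalise(r) for r in SAMPLE_ROWS]
    print("k after generalisation only:", k_anonymity(coarse_rows, QI_COARSE))
    safe = anonymise(SAMPLE_ROWS, k=2)
    print("k after generalisation + suppression:", k_anonymity(safe, QI_COARSE),
          "rows kept:", len(safe))
```

Two points the run makes explicit: with street and date of birth intact, every one of the six constructed rows is a singleton, so a join against any source holding those two fields (here the fictional directory) recovers a name and its benefit type for each match; and generalising to commune and birth decade still leaves one record unique, so a suppression pass is needed before the extract reaches k = 2. A real 181-variable file offers far more such combinations, which is why stripping names and postal codes alone is pseudonymisation, not anonymisation.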
It is very likely that the French data protection authority, CNIL, will open an investigation that could ultimately result in a sanction for breach of the GDPR.
For its part, CNAF — the National Family Allowance Fund, which oversees the local CAFs — told France Info that “this data should never have been put online by the service provider” and that the document in question was meant for strictly internal use. The Gironde CAF will therefore be the subject of an internal investigation.