
Personal details of 10,200 benefit claimants placed online in France

A file showing dates of birth, addresses and income levels was publicly accessible for 18 months. It had been sent to a training firm, which says it thought it was a fictitious list.


The data was publicly available to download online for 18 months before being removed Pic: Thapana_Studio / Shutterstock

Personal data belonging to more than 10,000 benefit claimants in France has been published online after a file was sent to a training provider which believed the list to be ‘fictitious’ and made it freely accessible.

An investigation by Radio France has found that the Caf (Caisse d’Allocations Familiales) in Gironde (Nouvelle-Aquitaine) sent a list of personal data to a provider that was giving training to staff. This provider then put the list online and claims it believed that the data was fictitious.

The file was available for 18 months before the investigation and was only taken down after those involved were contacted by the press.

The data included recipients’ date of birth, address, the sum of benefits received and income. People involved in the breach were contacted by the Caf just before Christmas 2022. 

Up to 181 data points 

The Caf in Gironde is a private organisation with a public mission like all the Caf offices. It regularly holds training for its staff, especially in statistics and the programming language R. This training is offered by a provider based in Paris and includes practical lessons with exercises.

The Caf sent the provider a list of data belonging to 10,204 recipients. The names had been removed, but the other data remained, with up to 181 data points per recipient included. Some even included the dates of birth and guardian names of children. 

Using such data, it would be easy to identify the recipients via online searches, even without using their names to search.

File easily accessible 

The file was published on the training provider’s website, and accessible to anyone, simply by clicking on a file called ‘CAF.zip’.

The service provider who put the file online, who has remained anonymous, said: “When the Caf sent me the data, I thought they were fictitious. We do not need real data for training, just ‘realistic’ data.

“The file was made available for training purposes on our website and I omitted to take it down afterwards.”

Bastien Le Querrec, legal expert at digital rights advocacy group la Quadrature du Net, told FranceInfo: “These are sensitive, personal data. I don’t think the Caf even has the right to export this. Here we have a window onto the private lives of 10,000 people, with very precise information.

“It’s very problematic that the Caf has sent this data to a private provider; they could have done this training with a fictitious list.”

Risk of identity theft 

Data protection lawyer Alexandre Iteanu said: “For a data transfer to be legal, it must comply with one of six GDPR rules: consent, contractual, the public interest, the safeguarding of vital interest, legitimate interest, or legal obligation.

“The Caf therefore did not have the right to share this data if it had not informed the person concerned or obtained consent in advance.”

People whose data was leaked may be at greater risk of identity theft, malicious scammers, and fraud, said Mr Le Querrec.

Sanctions for the Caf could be severe, including administrative, civil, and even criminal penalties.

When questioned about the incident, a spokesperson for la Caisse nationale des allocations familiales (Cnaf) said: “This data should never have been put online by the provider”. 

It said that the provider had been sent the file in the context of “very limited training” for staff who were bound by “professional secrecy”, and that the document was intended for “strictly internal” use only.

Now, the Caf in Gironde will inform the 10,204 recipients affected, many of whom have already been told. The office has also opened an internal enquiry to “understand how this situation was able to happen and put a more stringent system in place”, it said.
