Personal data belonging to more than 10,000 benefit claimants in France has been published online after a file was sent to a training provider which believed the list to be ‘fictitious’ and made it freely accessible.
An investigation by Radio France has found that the Caf (Caisse d’Allocations Familiales) in Gironde (Nouvelle-Aquitaine) sent a list of personal data to a provider that was giving training to staff. This provider then put the list online and claims it believed that the data was fictitious.
The file was available for 18 months before the investigation and was only taken down after those involved were contacted by the press.
The data included recipients’ date of birth, address, the sum of benefits received and income. People involved in the breach were contacted by the Caf just before Christmas 2022.
Up to 181 data points
The Caf in Gironde, like all Caf offices, is a private organisation with a public mission. It regularly holds training for its staff, especially in statistics and the programming language R. This training is offered by a provider based in Paris and includes practical lessons with exercises.
The Caf sent the provider a list of data belonging to 10,204 recipients. The names had been removed, but the other data remained, with up to 181 data points per recipient included. Some even included the dates of birth and guardian names of children.
Using such data, it would be easy to identify the recipients via online searches, even without using their names to search.
File easily accessible
The file was published on the training provider’s website, and accessible to anyone, simply by clicking on a file called ‘CAF.zip’.
The service provider who put the file online, who has remained anonymous, said: “When the Caf sent me the data, I thought they were fictitious. We do not need real data for training, just ‘realistic’ data.
“The file was made available for training purposes on our website and I omitted to take it down afterwards.”
Bastien Le Querrec, legal expert at digital rights advocacy group la Quadrature du Net, told FranceInfo: “These are sensitive, personal data. I don’t think the Caf even has the right to export this. Here we have a window onto the private lives of 10,000 people, with very precise information.
“It’s very problematic that the Caf has sent this data to a private provider; they could have done this training with a fictitious list.”
Risk of identity theft
Data protection lawyer Alexandre Iteanu said: “For a data transfer to be legal, it must comply with one of six GDPR rules: consent, contractual, the public interest, the safeguarding of vital interest, legitimate interest, or legal obligation.
“The Caf therefore did not have the right to share this data if it had not informed the person concerned or obtained consent in advance.”
People whose data was leaked may be at greater risk of identity theft, malicious scams, and fraud, said Mr Le Querrec.
Sanctions for the Caf could be severe, including administrative, civil, and even criminal penalties.
When questioned about the incident, a spokesperson for la Caisse nationale des allocations familiales (Cnaf) said: “This data should never have been put online by the provider”.
It said that the provider had been sent the file in the context of “very limited training” for staff who were bound by “professional secrecy”, and that the document was intended for “strictly internal” use only.
Now, the Caf in Gironde will inform the 10,204 recipients affected, many of whom have already been told. The office has also opened an internal enquiry to “understand how this situation was able to happen and put a more stringent system in place”, it said.