Receive family benefits in France? Why you must change your password

A hacker group claims it has access to 600,000 accounts

The Caf says everyone with an account will have to change their password due to the activity of a hacker group

Everyone who receives benefits from the Caisse d'allocations familiales (Caf) has to change their password due to the activity of hackers who claim to have access to hundreds of thousands of accounts.

Caf, which organises the payment of family, housing and disability benefits, as well as the prime d’activité, revealed the data breach on February 23.

“After several days of investigations, we have identified a data breach,” it said in a statement.

“Several thousand accounts have been visited illegally. Ill-intentioned individuals have connected to these accounts using our beneficiaries’ real passwords that have been usurped and made available on the darkweb.”

The hack is not believed to be related to the data breach of 33 million social security numbers taken from the payment systems of insurance top-up providers announced on February 2.

What has happened to the Caf website?

The hacker group, known as LulzSec, claims to have access to 600,000 accounts, which could allow them to access beneficiaries’ personal information, including revenues and benefit rights. However, the Caf has not confirmed the extent of the breach.

Indeed, it reports that its website has been “in no way compromised” and that the beneficiaries’ passwords were likely breached by some means other than hacking.

Nonetheless, the Caf has informed the French data protection watchdog la Commission nationale de l'informatique et des libertés (CNIL) about the issue and an investigation has been launched.

The hackers are not believed to have access to bank details or the ability to divert benefit payments to other accounts.

“To change bank details online requires an additional security check to verify that the request is legitimate,” announced the CNIL. “In case of any doubt, the request must be validated by Caf personnel”.

‘Everyone has to change their password’

“All people whose accounts have been compromised are being contacted and their passwords re-initialised to prevent further access by unauthorised individuals,” announced the Caf.

In addition, the Caf says that everyone with an account must change their passwords as a precaution from March 8.

This means that anyone accessing the Caf website will be invited to reset their passwords. It advises people to set a password of at least 10 characters with a mix of capital and lowercase letters, numbers and symbols.

People whose accounts were compromised are potentially at risk from further attacks, particularly if they use the same password on several websites.

They also face the threat of directed phishing attempts in which scammers use knowledge of their personal data to convince victims to agree to making payments or purchases.
