More personal data of the French public is in the wild, and the news no longer surprised anyone at European Cyber Week, the conference in Rennes dedicated to cybersecurity. “If you’ve never been a victim of data theft, it’s because the data is useless,” tweeted one insightful visitor. This Monday, the Pajemploi service, managed by Urssaf, joined a long list of victims. “Personal data that could potentially be taken is last name, first name, date and place of birth, postal address, Social Security number, name of banking institution, Pajemploi number and approval number,” Urssaf lists.
While no usable bank details were part of the haul, this data is prime raw material for cybercriminals who specialize in “phishing” or “smishing.” That is particularly true of the Social Security number, highly personal information prized by fraudsters around the world.
“We are one of the rare countries in the world that provides this level of identification and therefore it is a unique and widely used element to carry out administrative procedures,” said Éric Barbry, a lawyer specializing in digital matters at the Racine law firm. “Like the RIB, it is personal data that is always up to date as it paves the way for social benefits and payments, unlike old accounts on social networks that are rarely used,” added Benoît Grunenwald, cybersecurity expert at Eset.
Various possibilities of online fraud
What can someone with bad intentions do with it? Urssaf recommends “increasing vigilance regarding the risks of fraudulent emails, texts or calls.” The first risk for the 1.2 million people affected is being added to databases already circulating on the dark web, or having their existing profiles there supplemented with missing elements.
Millions of lines compiled into a large file will first be sold to the highest bidder before being distributed. Copied and distributed on a large scale, they also end up in fraudulent packages sold for a few dozen euros to novice hackers on Telegram.
In this particular case, the Social Security number was combined with other documents to carry out a simple and effective scam. “These elements are used to carry out targeted phishing with the Urssaf header with a great chance of attracting attention because the information lends credibility to the fake email,” said Éric Barbry.
These 15 digits, which identify us to the State, can also be reused to assume someone's identity, open social benefits files or even request reimbursement of questionable expenses from mutual insurance companies. “Cybercriminals are always very creative and can even take the identity of an employer and add fictitious employees to get money back,” says Benoît Grunenwald.
Each affected Pajemploi user will be notified individually, but few concrete remedies are available to potential victims. “Article 82 of the General Data Protection Regulation (GDPR) provides compensation for damages, starting with moral or psychological harm that can be caused by the fear of seeing one’s data disclosed,” notes lawyer Éric Barbry. This requires taking the case to court as part of a class action and being able to prove actual damages. But in reality, companies and state institutions rarely get out the checkbook to pay compensation.
