France’s data protection agency CNIL has reported a data breach involving two French service providers — Viamedis and Almerys. We look at the details of the data breach below.
Salient points
- CNIL reported the data breach involving two service providers on 7 February 2024. You can read more about the notification released by CNIL on this page.
- The data breach happened at Viamedis and Almerys. The two companies manage third-party payments for the medical insurance industry. Both companies are based in France.
- The exact timeline of the data breach is not clear.
- Data of over 33 million French people may have been affected in the data breach. This implies that more than half of France’s population may have been impacted.
- The CNIL has initiated an investigation to determine the cause and audit trail of the incident.
What data was breached?
The CNIL has confirmed that the following data was compromised:
- Marital status of the insurer
- Date of birth of the insurer
- The social security number of the insurer
- The name of the health insurer
- The name of the family members of the health insurer
The following personal data was not breached as part of the data breach:
- Banking information
- Medical data
- Health reimbursements
- Postal details
- Telephone numbers
- Contact emails
Current status of the breach
The CNIL has initiated an investigation into the security incident at both service providers. This shall cover the audit trail of the incidents.
In a statement, CNIL said:
“Given the scale of the violation, the president of the CNIL decided to very quickly carry out investigations in order to determine in particular whether the security measures implemented prior to the incident and in reaction to it were appropriate with regard to the GDPR obligations.”
The CNIL also said it will push for the breached companies to comply with the European Union’s GDPR (General Data Protection Regulation) rules around victim disclosure.
About CNIL
The CNIL, Commission Nationale Informatique & Libertés, is the French Data Protection Agency. Created in 1978, the CNIL is an independent administrative body that operates in accordance with the data protection legislation of the 6th January 1978 as amended on the 6th August 2004.
The CNIL is the Data Protection Authority for France. The authority is established in Paris and is in charge of enforcing GDPR for France, as well as the national law for data protection “Loi Informatique et Libertés”.
The CNIL issues orders and imposes fines within a restricted formation, meaning one president and five other elected members, pursuant to Article 9 of the Law “Informatique et Libertés”. The CNIL’s internal rules indicate that, unless otherwise justified, the pronouncement of fines is public.
Rajesh Dhawan is a technology professional who loves to write about Cyber-security events and stories, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.