Record-Breaking Data Breaches of French Payment Providers May Impact Half of the Country’s Population

A third-party data breach of two French payment providers is the largest in the country’s history, and may impact half of its total population.

Both of the breached companies are third-party payment providers for the medical insurance industry. An advisory from national data protection agency CNIL indicates that health insurance and sensitive personal information may have been exposed, including social security numbers.

Data breach of 33 million largest in national history

The data breach is thought to impact about 33 million people in total, or nearly half of the country’s total population of about 67 million.

The first of the payment providers breached was Viamedis, on January 29. Viamedis is the largest of France’s medical third-party payment providers, which work with the national social security services to advance payments for health insurance policyholders. Viamedis confirmed that data breach on February 1.

Just four days later, payment provider Almerys reported its own data breach. It is unclear exactly how many records each of the providers handles or what the full extent of the damage is, but the investigation opened by CNIL provided the estimate of about 33 million impacted individuals between the two incidents. Each of the payment providers has said that it has initiated its own internal investigation.

The prior largest single data breach in France also involved a company in the medical industry, Dedalus Biologie. However, this was a laboratory chain and the leak involved just under half a million medical records and results of Covid-19 tests from 30 of the company’s locations.

Limited details about breaches of payment providers available

Both of the data breaches were hacks by external threat actors, and both incidents are thought to be the work of the same party. However, there are few specific details available about the technical aspects of the breaches at this time.

Viamedis says that the attackers were able to phish employees to establish initial access. Almerys only said that its central network was not breached, but that the attackers managed to gain privileged access to a patient portal.

Though some sensitive patient information has been exposed in the data breach, CNIL told the public that customers’ bank details, medical data, postal addresses, telephone numbers and e-mail addresses were not exposed to the hackers. However, CNIL is warning customers that the newly leaked data will likely be combined with existing profiles already available on the dark web. In some cases, this might provide the nudge needed to make a scam work.

The reason the data breach impacts nearly half of the population is that the two payment providers are a central piece of the country’s insurance system and two of the largest of their type. Just about everyone with health coverage eventually has information about their policies and payments flowing through a provider of this sort, as these providers simplify billing and record-keeping for both insurers and patient care facilities.

Greater detail about the attacks may not be available until CNIL wraps up its investigation, which will include a review of the cybersecurity measures the companies had in place. The investigation will also examine whether either data breach involves a violation of the General Data Protection Regulation (GDPR).

Though much of the data breach is still shrouded in mystery, the available information highlights several trends. One is that employee phishing is still landing with alarming rates of success (and to devastating effect), despite years of repeated warnings by cybersecurity experts. Some recent indicators, such as an October 2023 study by Vade Secure, show phishing to be the most rapidly increasing attack method. This may be tied to the availability of AI tools that allow non-native speakers to polish phishing messages in other languages, and to quickly assemble copycat websites and email templates. Deepfake audio has also improved greatly in capability, to the point that a relatively small sample of someone’s public statements can be used to synthesize a voice that sounds reasonably realistic on phone calls. SlashNext’s State of Phishing Report 2023 finds that an average of 31,000 phishing messages are now sent each day.

Another trend the attack on the payment providers highlights is the increasing popularity of health care organizations as a ransomware and data theft attack target. Data-hungry thieves see hospitals, labs and insurers as a one-stop buffet of valuable information used to fuel impersonation and confidence scams, as well as a frequent source of direct credit card and bank information. They are also attractive as ransomware targets due to a perception that they cannot afford to have their systems down for any extended amount of time.

Darren Williams, CEO and Founder of BlackFog, notes that they are also often poorly defended on the IT front: “Healthcare services and providers continue to be massively targeted, often due to the very nature of the data they hold, coupled with the lack of funding for cybersecurity solutions and practices. Given the severity of this attack, the healthcare sector and other organizations in France will no doubt take note and make cybersecurity a priority going forward. With the personal data of 33 million people involved, it will be some time before we know the true fallout from this attack. Organizations must look to newer technologies to prevent data exfiltration, as once data has been exfiltrated, there is no stopping cybercriminals from relentlessly targeting victims through social engineering, phishing, and other types of attacks.”