33M French Citizens Impacted in Country's Largest-Ever Breach

Viamedis and Almerys, two payment processors widely used by French health insurers, were victims of cyberattackers who struck five days apart.

Paris, view of Eiffel tower and Seine river
Source: John Kellerman via Alamy Stock Photo

The French data protection agency, the CNIL, has opened an investigation into a pair of data breaches at payment processors that together affect nearly half of the country's population.

At the end of January, cyberattackers compromised data for 33 million French citizens held by the two companies, Viamedis and Almerys, which manage third-party payments for health insurance companies. The combined exposure is the largest-ever data breach for French citizens.

The firms were breached five days apart. Viamedis' general director stated that threat actors mounted a successful phishing attack on an employee as the initial access vector. Meanwhile, assailants accessed a portal used by health professionals to breach Almerys, according to EuroNews.

“Healthcare services and providers continue to be massively targeted, often due to the very nature of the data they hold, coupled with the lack of funding for cybersecurity solutions and practices," Darren Williams, CEO and founder at BlackFog, said in an emailed statement. "With the personal data of 33 million people involved, it will be some time before we know the true fallout from this attack."

The information thieves managed to make off with a range of personally identifiable information (PII), including marital status, dates of birth, and national identification numbers, names of health insurers, and more. However, banking information, medical data, health reimbursements, addresses, telephone numbers, and emails weren't accessed. Still, the CNIL said policyholders should be on the lookout for follow-on attacks.

"Be careful about the requests you may receive, particularly if they concern reimbursement of health costs, and periodically check the activities and movements on your various accounts," the CNIL cautioned in its announcement on the Viamedis/Almerys investigation (translated by Google Translate). "Although contact data is not affected by the breach, it is possible that the breached data could be combined with other information from previous data breaches [for social engineering attacks]."

As far as takeaways of the incident for businesses, Max Gannon, senior cyber threat intelligence analyst at Cofense, points out that once again, a single employee falling for a phishing attempt is to blame for a cyberattack affecting millions.

"Although we are likely to see press releases highlighting the sophistication and complexity of the phishing campaign that was used, the truth remains that a single employee falling for a phishing campaign led to data on millions of individuals being compromised," he says. "A company's cybersecurity defenses are only as strong as their weakest link, which, as we have seen, is often a single employee. Training employees across the company is one of the most substantial actions that a company can take to better defend itself."

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights