10,000 recipients see their personal data published on the internet
Contacted before the holiday, Madame L., a resident of the village of Églisottes-et-Chalaures in the Gironde, is stunned. Her date of birth, her husband, their address, the amount of support they receive from the Family Allowance Fund (Caf) and even their income can all be found on the internet. “I didn’t realize, you taught me,” the 50-year-old said over the phone. The same goes for Mrs F. from Saint-Sulpice-et-Cameyrac, Mrs B. from Cabanac-et-Villagrains and the dozen or so other people we contacted. They were stunned, and a little angry too.
The source of the “leak”, revealed here by Radio France’s investigative unit, is the Gironde Family Allowance Fund (Caf). The organization (a private-law body charged with a public service mission, like all Cafs) regularly trains its agents, particularly its statisticians. To teach them R, a programming language for statistics, it contacted a service provider based in the Paris area. And as in any training course, there are practical exercises.
In this context, Caf de Gironde gave its service provider a file containing highly precise personal data on 10,204 recipients. Surnames and first names were removed, as were zip codes, but much information remains: address (street number and name), date of birth, household composition and income, amount and type of benefit received (RSA, APL, disabled adult allowance, etc.). In total, no fewer than 181 pieces of data per beneficiary were disclosed. Even the children's dates of birth and the existence of joint custody are stated in the file. Removing surnames and first names in no way prevents the recipients from being identified: by using a reverse directory on the internet, we were able to discover the identities of most of them.
At the time of the training, in March 2021, the service provider placed this file online on his website (see screenshot below). Far from being reserved for Caf agents, the data was accessible to everyone. It was enough to click on the file called caf.zip. “When Caf communicated this data to me, I thought it was fictitious,” the service provider, whose anonymity we are preserving, says today in his defense. “We don’t need real data for training, only ‘realistic’ data. The file was made available on my site as part of an online training and I failed to review it afterwards.” As soon as we contacted him, this trainer removed the file from his site. It had nonetheless remained there for... 18 months.
Beyond this “negligence”, it is the transmission of this data by Caf to third parties that raises questions. “This is sensitive personal data. In my opinion, Caf has no legal right to export this data,” explains Bastien Le Querrec, attorney at La Quadrature du Net. “We have windows on the intimate lives of more than 10,000 people with very precise information,” complained Alexandre*, another member of the association. “It is very problematic that Caf allowed itself to send this data to a private service provider; it could have done this training with a fictitious data set,” he continued.
So what does the law say? According to Alexandra Iteanu, a data protection lawyer, “For the transfer of personal data to be legal, it must be based on one of the six legal bases imposed by the GDPR [General Data Protection Regulation, editor's note]: agreements, contracts, missions of public interest, protection of vital interests, legitimate interests and legal obligations. Accordingly, Caf has no right to communicate this data unless it notifies the person concerned in advance and obtains their consent,” concluded the lawyer. In situations like this, sanctions can be of three types: administrative (imposed by the Cnil), civil, and even criminal.
It must be said that the harm to the recipients can be significant. “With so much data available online, the biggest risk is identity theft,” explains Bastien Le Querrec. “There may also be malicious targeting. For example, we receive a message saying ‘take this step for your child’, and we connect to a fraudulent platform.”
Asked about this case, the press service of the National Family Allowance Fund (Cnaf) answered that “this data should never be displayed online by service providers” and that the latter had received the files as part of “a very limited training” with staff “subject to professional confidentiality”. The document, we are told, had a “very deep” use.
CAF de Gironde will inform the 10,204 beneficiaries concerned and has opened an internal investigation to “understand how this situation arose and implement a more stringent follow-up system”.
*The first name has been changed
Sending an alert:
To send information anonymously and securely to the investigative unit of Radio France, go to alerter.radiofrance.fr