Date: 2021-10-12

The essentials

This Monday, October 11, CAF was forced to close access to its users' personal accounts because of a failure. This incident, linked to a new authentication method put in place on Saturday, reportedly gave access to thousands of personal accounts.

This Monday, October 11, the website of the Family Allowance Fund was forced to close access to its beneficiaries' personal accounts after a failure related to a new authentication method. Users' personal data could be viewed by other beneficiaries.

How long did the outage last?

On Saturday, October 9, all the CAFs in France set up “a new identification service allowing users, in particular, to log in to CAF services with their social security number instead of the traditional beneficiary number”, the Family Allowance Fund indicated in a press release.

On Sunday, an outage blocked the system. “A computer incident on the caf.fr site on Sunday, October 10 from 9 p.m. led to certain beneficiary files being viewable by other beneficiaries,” CAF detailed. “Around 7,000 files were affected for a few hours,” it said. Only people who had changed their password before Sunday, October 10 at 9 p.m. are not affected.

“For security reasons, access to the caf.fr site was closed on Monday around 8 a.m. In order to prevent any possible malicious act, all the procedures carried out during these few hours on these accounts were canceled,” CAF assured.

What is this incident due to?

According to Vincent Mazauric, director general of CAF, this “data integrity violation” is not “due to a computer attack”. The informant was therefore not reporting a “computer system vulnerability”. According to the Allowance Fund, however, the cause of the incident has reportedly been “identified”.

A fix is reportedly in progress “in order to allow the reopening of the service as soon as possible and with all the guarantees of data protection”. The National Commission for Computing and Liberties has been informed of this computer incident.

Have any records been disclosed?

During this outage, beneficiaries were able to view accounts that were not theirs. By entering their own personal identifiers, they had access to the data and requests of other beneficiaries. They were therefore able to find out those beneficiaries' telephone numbers or addresses.

Despite the organization’s announcement indicating that only contact data was visible, Internet users asserted that all of the data in the allowance files was accessible and modifiable, in particular the data relating to payments, RIB (bank details) and installments.