The CAF site and application experienced a major outage on Monday October 11 and Tuesday October 12, 2021. A configuration problem allowed several Internet users to access beneficiary files that do not belong to them, files that contain a lot of personal information.
From Monday 11 October 2021 in the early morning until Tuesday 12 in the middle of the afternoon, access to the CAF (Caisse des Allocations Familiales) site was severely disrupted. This was due to a configuration error, which had the effect of making many beneficiary files available to people who were not the owners.
What happened on the CAF website?
In its official press release, CAF gives more details on this bug.
On Saturday, October 9, all CAFs in France set up a new tool allowing beneficiaries to identify themselves on the site via their social security number, "instead of the traditional beneficiary number". A welcome simplification, which unfortunately caused some problems.
On Sunday October 10 from 9 p.m., "a computer incident […] led to some beneficiaries' files being able to be consulted by other beneficiaries". A rather embarrassing situation when you know the amount of personal information contained in a CAF file (date of birth, marital and professional situation, salary, etc.).
⚠️An incident took place yesterday, as part of the implementation of a new connection service to My Account at https://t.co/wUfEnpV5Il. Around 7,000 files were consulted by other beneficiaries for a few hours. Our press release 👉 https://t.co/7rLn73X1yC
– Family Allowances (@cnaf_actus) October 11, 2021
According to Vincent Mazauric, director general of the national family allowances fund, this "data integrity violation" was "not due to an attack" or "a vulnerability of the computer system". It was a simple configuration bug that was responsible for the problem.
To limit damage, the organization cut off access to the site on Monday, October 11 at around 8 a.m. Access appears to have been restored on Tuesday, October 12 at 4:30 p.m.
How many people are affected by the bug?
According to CAF, "about 7000 files were affected for a short while", before access was cut off. A figure sufficient to require an intervention, but not gigantic compared to the 13.6 million beneficiaries registered. Statistically, there is therefore little chance that you are affected.
The people concerned "will be informed individually", according to the organization, which specifies that beneficiaries who "made a password change before Sunday October 10 at 9 p.m." are not affected. Only accounts using the temporary password provided by CAF therefore appear to be affected.
The CNIL was informed of the incident, adds the organization.
Is my information safe?
Although the CAF site was not the victim of a computer attack itself, the personal information of a few thousand beneficiaries could be viewed and modified by Internet users who did not own it.
To avoid problems of misappropriation of allowances or modification of personal data, "the steps taken during those few hours on these accounts have been canceled", specifies CAF. Thus, if a malicious beneficiary tried to replace your RIB with his own during the bug, you risk nothing.
On the other hand, it is not impossible that beneficiaries could have copied the personal information to which they had access during the bug. The wealth of personal information from files can be useful for phishing campaigns, or worse, identity theft attempts. So be vigilant. Contacted on this subject, CAF did not give us details of how, or when, it intends to reach the beneficiaries concerned.
The CNIL, for its part, will open an investigation into the case and asks Internet users who accessed the files of other beneficiaries to "not take a copy and even less publish them on social networks or elsewhere". "The risk is less important than if it were a massive attack, but it is very present and we cannot be safe from malicious people," the CNIL told the newspaper La Provence.
If you are concerned that you have been the victim of the bug, you can check that your personal information has not been modified. To do so, log in to your personal space and, in the right pane, in the "My profile" frame, select "View or modify".