The French data protection agency, the CNIL, has opened an investigation into a pair of data breaches at payment processors that together affect nearly half of the country’s population.
At the end of January, cyberattackers compromised data for 33 million French citizens held by the two companies, Viamedis and Almerys, which manage third-party payments for health insurance companies. The combined exposure is the largest-ever data breach for French citizens.
The firms were breached five days apart. Viamedis’ general director stated that threat actors mounted a successful phishing attack on an employee as the initial access vector. Meanwhile, assailants breached Almerys by accessing a portal used by health professionals, according to EuroNews.
“Healthcare services and providers continue to be massively targeted, often due to the very nature of the data they hold, coupled with the lack of funding for cybersecurity solutions and practices,” Darren Williams, CEO and founder at BlackFog, said in an emailed statement. “With the personal data of 33 million people involved, it will be some time before we know the true fallout from this attack.”
The information thieves managed to make off with a range of personally identifiable information (PII), including marital status, dates of birth, national identification numbers, names of health insurers, and more. However, banking information, medical data, health reimbursements, addresses, telephone numbers, and emails weren’t accessed. Still, the CNIL said policyholders should be on the lookout for follow-on attacks.