Personal data related to 1.4 million covid tests has been stolen by hackers. They reportedly exploited vulnerabilities in a tool used by AP-HP as a bridge between laboratories and the Health Insurance.
Another health data leak. On Wednesday September 15, 2021, the Assistance publique – Hôpitaux de Paris (AP-HP) announced in a press release that it had suffered a security incident "during the summer", an incident it was not able to confirm until September 12. It lodged a complaint with the Paris public prosecutor.
The intruders obtained data from 1.4 million people who performed covid tests. The problem now appears to be under control, but the AP-HP has not yet completed its investigation.
This incident is the second leak related to covid testing in the space of two weeks. On August 31, Mediapart was warned of a security breach on the site of Francetest, an intermediary between pharmacies and the government platform, which exposed the personal data of 700,000 people tested.
To better understand the AP-HP incident and its consequences, here is what we know (and don’t know).
What happened?
"During the summer", hackers (we will use the plural, but it could also be a single person) managed to steal "files containing personal data", according to the AP-HP. The organization uses the term "computer attack", a sign that, to access the data, the criminals reportedly exploited software vulnerabilities. This is an important detail for assessing whether the AP-HP breached its security obligations, because many leaks are simply due to poorly secured databases.
The institution specifies that the hackers targeted "a secure file sharing service hosted and used by the AP-HP, which enables it to provide secure storage and sharing of files, internally and externally". Asked about it by Numerama, the AP-HP did not specify who developed the tool. But by stating that it is "hosted on its own technical infrastructure", it acknowledges that it was in control of its security.
This software was used in addition to the SI-DEP, the national screening information system that centralizes and certifies tests, itself managed by the AP-HP (but spared by the attack). Concretely, it was used to transmit the results produced by laboratories to the Health Insurance and the regional health agencies, for contact tracing follow-up.
During August, the SI-DEP suffered a failure in its transmission tools, which prevented patients from obtaining the QR code that served as a health pass. It was during this period that the hacked tool was mainly used.
What data has been leaked?
The AP-HP indicates that the incident affects only the data collected in the context of 1.4 million tests. Each record contains:
- The identity of the patient being tested.
- Their social security number.
- Their contact details. The AP-HP does not give specifics, but the term can cover the home address, email address and phone number of the victim, which are usually requested during a test.
- The identity and contact details of the healthcare professional who performed the test.
- The type of test performed.
- The result of the test. This last item gives the incident a completely different magnitude, since it is health data, considered "sensitive data" under the law.
What can a thief do with this data?
The stolen database is of great value because it contains a large amount of data about each person. Hackers can consider several malicious scenarios:
- Sending phishing, by email or SMS. Using the information from the leak, thieves can craft a convincing fake message, with the aim of obtaining the victim's credit card information or credentials. For example, they could pose as the Health Insurance and dangle a bogus reimbursement. Displaying the social security number, a datum that is in theory well protected, would increase their chance of success, because the message would be more credible.
- Theft of important accounts. In the leaked data bundle, the social security number has special value. Combined with a password, it allows logging in to France Connect, the authentication platform for public services. This scenario involves relatively laborious handling, but it could, for example, result in the hijacking of the victim's training account.
How do I know if I am affected?
In its press release, the AP-HP specifies that the leak contains "almost exclusively" tests carried out "mid-2020 in Île-de-France". This indication will be enough to dispel the concerns of many, but the period concerned corresponds to summer holiday departures, a period during which many Parisians took a test in order to be able to travel.
This period of doubt should not last, however. "All those concerned, to whom the AP-HP apologizes, will be informed individually in the coming days", the institution promises. This communication, important and necessary to guard against possible consequences, is required by law. The general data protection regulation, known by the acronym RGPD, provides that when a leak is discovered, the affected organization must notify the data protection authority, the Cnil, within 72 hours, which the AP-HP did. Then, if the personal data represents a "high risk" for those concerned, the organization has three additional days to notify them individually.
Once data is leaked, it is leaked forever. To protect yourself from the consequences of the theft, there is no solution other than paying extra attention to phishing and other suspicious behavior.
And now?
"Investigations continue", the AP-HP specifies. The investigation could reveal new details about the incident in the coming weeks, but the institution will still have to make them public. The two competent bodies on the subject, Anssi and Cnil, have been notified. The investigation has two main objectives:
- Understand the operating mode and the nature of the vulnerabilities exploited. This could help to better understand what type of hacker may have committed the attack. Were they cybercriminals looking for data to sell? Or state-funded hackers with strategic goals? Uncovering the technical details of the cyberattack could also help other organizations protect themselves against similar attacks.
- Trace the origin of the attack, although it is likely that the perpetrator will never be identified. Attributing a cyberattack is indeed an imprecise science, especially if the hacker has taken a minimum of precautions. Investigators trace back to IP addresses, that is, machine addresses, but cannot conclude that these devices are the point of origin of the attack. Worse, if the IP address is located abroad, the attribution puzzle becomes even more complex, since issues of international law and diplomacy come into play. There remains the possibility that the attacker is a petty delinquent who would hardly have covered his tracks before stealing the data.
In parallel with the investigation, it will be necessary to follow the route of the data leak. Several scenarios are possible:
- Thieves keep the stolen database to themselves, and exploit it for malicious purposes
- Thieves sell it (before or after having exploited it themselves). The stolen database should indeed have a high market value. The buyer could then decide to use it for his own purposes and/or to resell it himself. Sometimes this chain of resale ends with the stolen data being uploaded for free on well-known hacker forums.