A 22-year-old young man is the prime suspect in the AP-HP computer attack that leaked 1.4 million test results for Covid-19. The penal code can be very severe against this kind of operation.
The circumstances under which the major leak of medical data at the Assistance Publique-Hôpitaux de Paris (AP-HP) took place are becoming clearer. While the facts date back almost three weeks, the Journal du Dimanche reports, in its October 8 edition, that a suspect was arrested in the Var three days earlier. He was indicted in the wake.
The accused, who is 22 years old, is at high risk. He is prosecuted on several counts, including fraudulent access and maintenance in a system for the automated processing of personal data implemented by the State, the extraction of data in this same system, the collection of this personal data by fraudulent, unfair or unlawful means, and finally, their voluntary unlawful disclosure.
The penal code provides, in particular in these articles 323-1 and 323-3, severe penalties to suppress any unauthorized access, maintenance, extraction, collection and disclosure. Insofar as the affected system is linked to the State, aggravating circumstances are at stake. We are talking about a sentence of 5 years in prison and a fine of 150,000 euros, but also another of 7 years. in prison and a fine of 300,000 euros.
These penalties, which are not mutually exclusive, may also be supplemented by that provided for in article 226-18, still of the penal code. Regarding this collection, the law provides for 5 years in prison and a fine of 300,000 euros. As for disclosure, article 226-22 punishes any culprit with 5 years in prison and a fine of 300,000 euros. For all of these articles, these are ceilings. The actual penalty may be much less.
The suspect publicized his gesture on Twitter and JeuxVideo.com
The speed with which investigators were able to track down this suspect can be explained in part by the fact that he advertised it on his Twitter account (which was called @scrizophrene, but it has been disabled), report our colleagues. He also posted a download link on the jeuxvideo.com forum – it’s not the first time this space has been the unintentional receptacle for leaks.
Speaking publicly about this piracy both on Twitter, which is required to cooperate with the police and the courts at their request, and on jeuxvideo.com, which is also required to comply with French law, was probably not the case. most reasonable idea of ”scrizophrene”, since the authorities can request from these two platforms elements in order to identify the perpetrator.
The person admitted the facts in police custody, adds the Journal du Dimanche. According to France Info, the motivations of the young man, aged 22, combine both political convictions – he says he is opposed to the health pass – and the desire to point out the weaknesses of the health system. But rather than reporting the existence of a vulnerability to the AP-HP or the Ministry of Health, the choice was made to leak data.
The target also raises questions: if it is hostile to the health pass, we can question the fact of having attacked a database concerning Covid-19 screening tests. These are not, in fact, the QR codes of the public. However, coronavirus screening tests, if they are used as part of the health pass, already existed long before this device. Their main goal is to verify his medical status.
The leak was massive, as it exposed the results of 1.4 million people, especially in Île-de-France. Some of the data that was output included the patient’s identity, social security number, contact details, type of test, and result. These are therefore both personal data, but also sensitive data, due to their medical status. They are strictly framed by the GDPR.
The hack was made possible by the exploitation of a computer loophole in software used by the AP-HP to store data on Dispose, an internal tool used to deposit and exchange files between AP members. -HP. Beyond the use of such a vulnerability, questions arise about the way in which the medical data was managed and purged on this service.
Once the security incident was discovered, the AP-HP contacted all the people concerned to explain to them what happened and the steps to be taken. It is essentially a phishing risk that arises for the victims, with the use of this extracted information in an attempt to make a scam credible. Fortunately, there are resources to defend yourself.