Mediapart uncovered a data leak on the website of a company that manages antigen test data. Over 700,000 test-related forms were accessible because of several serious bugs. For now, the consequences of the incident remain unclear.
Mediapart revealed, on Tuesday, August 31, the leak of 700,000 results of antigen tests carried out in France. One of its sources discovered several bugs on the site called Francetest, which allowed access to the personal data entered for the people tested: last name, first name, gender, date of birth, Social Security number, email address, telephone number and postal address. The set also included the result of the patient's antigen test.
Francetest, created in June 2021, sells a single service: it offers pharmacies the transfer of patient data to the SI-DEP file, managed by the Ministry of Health. SI-DEP certifies the screening result and makes it available to the person tested. Concretely, the pharmacy relies on Francetest to digitize the test form, send emails to patients to notify them that their results are available, and handle the submissions to SI-DEP.
Mediapart reports that even though the company is still waiting on its official authorization request, it was able to act as an intermediary between several hundred pharmacies and the government platform without being challenged. To upload data to SI-DEP, Francetest asks pharmacies to enter their e-CPS identifier (an authentication credential reserved for healthcare professionals). In other words, Francetest performs the transfer in the pharmacy's name.
Francetest told the investigative outlet that it resolved the security issues between August 27 and August 30 and contacted cybersecurity professionals to make sure the incident was closed. At this time, there is no evidence that the data was retrieved by anyone else.
How to assess the dangerousness of the leak?
To assess the dangerousness of a data breach, three criteria are taken into account:
- How many people had access to the leak?
The leak could have zero impact on patients if no one other than the Mediapart source discovered the bug. During their research, that person notably retrieved the credentials for the company's database. In theory, investigators will be able to analyze the logs [a technical history, editor's note] of the server hosting the database, looking for suspicious connections. But that assumes a logging system was in place to begin with.
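The kind of after-the-fact log review described above can be illustrated with a small script. This is an added example, not code from the article or from Francetest: it assumes a web server kept access logs in a common combined-style layout and that patient forms were served under a hypothetical `/form/<id>` path. The log lines are constructed for the example. The script flags any client that fetched an unusually large number of distinct form records within a short window, which is the pattern a bulk download of records would leave behind. If no such log exists, the function has nothing to work on, which is the caveat the paragraph makes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a combined-style access-log layout.
# These are not real Francetest logs; IPs are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Aug/2021:10:00:01 +0200] "GET /form/1001 HTTP/1.1" 200 842
203.0.113.7 - - [29/Aug/2021:10:00:02 +0200] "GET /form/1002 HTTP/1.1" 200 851
203.0.113.7 - - [29/Aug/2021:10:00:03 +0200] "GET /form/1003 HTTP/1.1" 200 839
203.0.113.7 - - [29/Aug/2021:10:00:04 +0200] "GET /form/1004 HTTP/1.1" 200 847
203.0.113.7 - - [29/Aug/2021:10:00:05 +0200] "GET /form/1005 HTTP/1.1" 200 850
198.51.100.22 - - [29/Aug/2021:10:05:10 +0200] "GET /form/2048 HTTP/1.1" 200 845
198.51.100.22 - - [29/Aug/2021:10:05:40 +0200] "GET /form/2048 HTTP/1.1" 200 845
192.0.2.9 - - [29/Aug/2021:11:00:00 +0200] "GET /form/3000 HTTP/1.1" 200 840
192.0.2.9 - - [29/Aug/2021:11:30:00 +0200] "GET /form/3001 HTTP/1.1" 200 840
"""

# One access-log line: client IP, timestamp, request line, status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
# Hypothetical path layout for patient form records (an assumption).
FORM_RE = re.compile(r"^/form/(\d+)$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_enumeration(log_text, max_forms=3, window=timedelta(minutes=10)):
    """Return {ip: distinct_forms} for clients that successfully fetched more than
    max_forms distinct form records inside any sliding window of the given length.
    A normal patient reads one record; a bulk download reads many in a row."""
    hits = defaultdict(list)  # ip -> list of (timestamp, form_id)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue
        fm = FORM_RE.match(rec["path"])
        if fm:
            hits[rec["ip"]].append((rec["ts"], fm.group(1)))

    flagged = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        # Slide a time window over the sorted events, counting distinct form ids.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {fid for _, fid in events[start:end + 1]}
            if len(distinct) > max_forms:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for ip, count in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct form records in one window")
```

On the constructed input only 203.0.113.7 is flagged: it pulled five different records in five seconds, while the other two clients re-read a single record or spaced two reads half an hour apart. The threshold and window are tuning knobs; what matters is that this analysis is only possible if the server wrote the log in the first place.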
- How good is the data?
More than volume, it is the quality of the data that gives a leak its value. And the Francetest leak offers many advantages to would-be criminals. First, it contains a large amount of different data about the same person. Criminals could thus craft more convincing phishing messages: victims tend to be less suspicious when the sender already knows details about them. For example, it would be easy to create a fake antigen test results message, except that instead of downloading the certificate, the victim would download malware.
The affected data also includes the social security number. It is used in particular to log in (together with a password) to France Connect, the government portal that gives access to many public services. Among these services is the training account, regularly targeted by crooks who want to embezzle the money saved there.
- How much data is in the leak?
Volume increases the value of a data leak proportionally, provided the quality is there. In this case, the 700,000 forms represent a number large enough to be noticed on black markets, if indeed a reseller recovered the database before the flaws were fixed.
- Should we be more worried?
There is another, broader dimension to this case: it is worrying that a small French company could have handled such sensitive data, and that the process and its security were not better supervised. Although the Mediapart article notes that the General Directorate of Health (DGS) has issued a firm reminder to pharmacies to deal only with approved companies, the law provides no sanction against those that are not approved.
How do I know if I am part of the leak?
The General Data Protection Regulation, better known by its acronym GDPR (RGPD in French), imposes certain obligations on data controllers such as Francetest. First, the company must notify the incident to the National Commission for Informatics and Freedoms (CNIL) within 72 hours of becoming aware of the leak. The CNIL may communicate publicly about it if it deems that necessary.
Then, if the leak represents a "high risk" for those affected, the company must also notify each of them individually. In that case, you would be contacted if necessary.