The CNIL carried out strict regulatory measures on French businesses and organizations in 2021, sending 135 formal notices that resulted in €214 million in fines and 18 sanctions. Nine sanctions were for inadequate data security.
The report indicated that the most common targets of cyber attacks were small and medium-sized companies. More than half of the data breach notifications in the report concerned ransomware, which is a staggering 128% increase since 2020.
List of Biggest Data Breaches in France
Here is a list of the biggest data breaches to occur in France:
1. Dedalus Biologie
Date: February 23, 2021
Impact: 491,840 medical records
According to an investigation by Libération, a massive data breach occurred in February 2021 in which approximately 500,000 medical records of French patients, of unknown origin, were leaked on the internet, including names, medical histories, and social security numbers.
The cybersecurity blog Zataz first discovered the data leak, which surfaced in a clandestine group that trades stolen data on Telegram.
Libération reports that the stolen data contains medical records and COVID-19 tests from 30 healthcare laboratories in northwest France. The leaked data included information about examinations conducted between 2015 and October 2020.
According to AFP (Agence France-Presse), the leaked medical records included:
- Patient names
- Telephone numbers
- Email accounts
- Health insurance providers
- Social security numbers
- Blood types
- HIV status
- Fertility status
Paris prosecutors in charge of cybercrime told AFP that an investigation is underway to determine if there has been "fraudulent access to, and maintenance of an automated data processing system" and "fraudulent extraction, holding and sharing" of the data.
Initially, investigators could not determine how the hackers stole the data from the healthcare clinics and laboratories. However, the one thing the laboratories had in common was that they used software from Dedalus, a healthcare provider.
Dedalus was fined €1.5 million for violating the GDPR (General Data Protection Regulation) by failing to protect EU citizens’ personal data. According to the journalist who found the leaked data, the hackers made the data public after they failed to find a buyer.
2. French Insurer AXA
Date: May 16, 2021
Impact: 3 TB of sensitive data and medical records exposed; possible unregistered DDoS attacks.
The attack targeted sectors in Hong Kong, Thailand, Malaysia, and the Philippines and occurred after AXA canceled the Asian branches’ coverage against cyber attacks.
The hacker group allegedly responsible for the attack is Avaddon, which claims to have also executed a DDoS attack on the subsidiaries.
AXA hasn’t confirmed the amount of the ransom demanded nor whether they eventually paid it.
3. Pierre Rouquès – Les Bluets Maternity Hospital
Date: October 9, 2022
Impact: 150 GB of personal data and medical records
The Parisian maternity hospital “Pierre Rouquès – Les Bluets” reported a cyber attack on October 9, 2022, stating on their website that their email system was down. The Les Bluets hospital warned patients about potential phishing attacks and advised any patients who used their services to change their emails.
The ransomware hacker group Vice Society took credit for the cyber attack. The group used ransomware that encrypts data and demanded payment to restore their networks within one day. However, while the hacker group stated that all system sectors were fully encrypted, the hospital staff still had access to most medical records.
The hospital also gave an update on the situation nine days later, stating that the hackers stole more than 150 GB of files containing patients' personal data and health records from the hospital’s systems.
According to Zataz, the hackers disclosed the stolen documents and files on the dark web after the hospital declined to pay the ransom. The data included patient names, addresses, accounts, and Outlook account backups of staff members.
Vice Society is known for targeting schools and healthcare establishments and is infamous for completely disrupting services in the Arles Hospital clinic and the Ajaccio clinic in 2022. They commonly employ a double extortion technique — a ransomware method that encrypts the target’s systems and threatens to upload the stolen data on the dark web.
4. Thales
Date: November 11, 2022
Impact: 9.5 GB of archive files leaked.
Thales denied that its systems were hacked but confirmed that data had been stolen from a user account of collaborative partners from Italy and Malaysia, resulting in a leak of 9.5 GB of archive files.
The company believes that the data leak included Thales’ data, including technical documents, possible corporate data, commercial documents, customer data, financial data, and experimental software that’s allegedly priceless.
The LockBit 3.0 ransomware gang, a relatively new hacker group operating since July 2022, is responsible for said data leak and is known for being a RaaS (Ransomware as a Service) provider. Thales has already opened an internal investigation and has informed ANSSI, France’s national cybersecurity agency.
Thales gave assurances that the leaked data does not contain critical government data from national security programs and military projects. However, French local sources state that further data and information are yet to be discovered online.
According to Reuters, Thales’ shares plummeted 8.5% after the attack, but Thales stated that the share price decrease wasn’t linked to the attack.
5. iDealwine
Date: October 2022
Impact: Unknown amount of customer data theft.
The famous French-based online wine retailer, iDealwine, suffered a data breach in October 2022 and hasn’t revealed the total amount of customer data impacted.
Their shop was offline for weeks, and the company took measures to deal with the cyber attack by contacting experts and data privacy regulators from France and the UK.
The data types impacted included customer names, addresses, telephone numbers, and email accounts. However, the company assures that credit card data and bank information were not compromised because they do not store such data.
6. Hospital in Corbeil-Essonnes
Date: August 23, 2022
Impact: All hospital medical records published
A cyber attack on a French hospital in Corbeil-Essonnes near Paris left nurses having to file data from scratch manually. The cyber attack crippled the hospital’s IT system, data storage, imaging storage, patient admission systems, and financial software.
The hackers demanded a €10 million ransom to unlock the system, and they threatened to release patient medical records if their demands weren’t met. The hospital’s director, Gilles Calmes, refused to pay the ransomware hackers.
The hospital staff resorted to transitioning back to analog procedures like burning medical records on DVDs. They were left to work with limited resources and forced to redirect all non-critical services elsewhere in Paris. This analog downgrade cost the hospital €2 million.
Moreover, the staff was prohibited from connecting their personal devices on company premises as all their systems may have been infected.
The French elite tactical force, GIGN, negotiated with the Russian hackers. Their team for counter-terrorism and hostage situations communicated with the hackers via the Protonmail service, a communication channel chosen by the attackers.
The team managed to lower the ransom from €10 million down to €1 million to stall for time. The hospital refused to pay the ransom again, and the data was published online.
Allegedly, the attack was orchestrated by the Russia-based LockBit group, known for scams and other cyber attacks against US private clinics and healthcare services. The Center for Combating Digital Crime (C3N) division carried out the investigation.
Health Minister François Braun donated €20 million to improve the hospital’s data security, which implies that they’ve likely reverted to standard procedures with systems back online.
7. Apollo
Date: May 2018 (reported September 2018)
Impact: Approximately 10,930,000 data records (nine billion data points and 125 million email addresses)
Almost 11 million data records from French users were allegedly put up for sale on the dark web after a data breach at the San Francisco-based digital marketing firm Apollo. Apollo did not comment on the data breach.
Around September 2018, a user stated that they infiltrated Apollo’s database and stole 11 million records of French users to put up for sale online. The hacker didn’t disclose how the attack was conducted or what other data records were in their possession.
The exposed data included a staggering number of data records, like 125 million email addresses and nine billion data points. This attack also exposed Apollo’s users and employers to additional phishing and other cybersecurity attacks.
The data records include the following:
- Email addresses
- Location coordinates
- Social media profiles
- Phone numbers
- Workplace information
According to Apollo staff, their firm conducts security audits regularly and has the proper cybersecurity posture with intrusion detection software in place.
French users can submit a request to have their data removed via Apollo’s website if they suspect their data is compromised.
8. Assistance Publique-Hôpitaux de Paris (AP-HP)
Date: Mid-2020 (confirmed September 12)
Impact: Medical records and data of 1.4 million COVID-19 patients leaked
The CNIL, France’s data protection authority, released a statement on September 21, 2021, after being informed of the Assistance Publique-Hôpitaux de Paris (AP-HP) data breach, which included personal data and medical records of 1.4 million patients who were tested for COVID-19 in 2020 in Paris.
The CNIL urged all affected not to access their breached files, as they may pose further risks or malware.
The personal data categories from the data leak included:
- COVID-19 test results
- Nature of the COVID-19 tests
- First and last name
- Date of birth
- Social security number
- Home addresses
- Email address
- Phone numbers
- Names of healthcare professionals involved in the tests
The cyber attack exploited the Parisian hospital’s COVID-19 contact-tracing system, the SI-DEP, which already had security issues.
This hack is one of many that have affected French public hospital systems and healthcare institutions since the pandemic.
Earlier in September 2021, COVID-19 test results and the PII of 700,000 people were leaked because of a data breach from a faulty interface platform for the SI-DEP system that pharmacists used.