BUG CAF. From Sunday October 10 to Monday October 11, the information of several thousand beneficiary accounts of the Family Allowance Fund could be viewed and modified by third parties, down to the smallest detail.

This is the story of a service improvement that turned into an IT fiasco, resulting de facto in a “violation of the integrity of personal data” for several thousand beneficiaries of the CAF (Family Allowance Fund), as Vincent Mazauric, Director General of CNAF, explained to AFP. What exactly happened between Sunday, October 10, 2021 at 9 p.m. and Monday, October 11 at 9 a.m.? A few days earlier, CAF had announced to its users that it would roll out a brand new authentication system in October. “During October, you will use your social security number to connect to the various services of your CAF. On this occasion, you will have to create a new password made up of numbers and letters. For more security, you will have to validate your contact details by email or SMS. If you do not have a social security number, you will be assigned a temporary identifier,” the institution specified. But nothing went as planned.

When changing their passwords, some beneficiaries were able, for a few hours (an eternity in computer time), to access not their own account but accounts that did not belong to them, each time with the possibility not only of consulting but also of modifying the personal data of the accounts concerned. “In order to prevent any possible malicious act, all the procedures carried out during these few hours on these accounts have been canceled,” CAF said in a statement published Monday, October 11. In all, this malfunction is reported to have affected some 7,000 cases. The bug made it possible to intrude on people's privacy: beyond names and phone numbers, it was possible, according to several testimonials posted by Internet users (notably on the websites TotalBug.com, 552 reports, and DownDetector), to access information as sensitive as the aid received and the bank details of beneficiaries.

Initially, CAF assured that in this “computer error” – which, unlike the recent hack of a file-sharing service at AP-HP, was not a computer attack – only contact data had been exposed to third parties. A version massively denied by Internet users. “Each time I connected, it connected me to a different account; at first I came across the account of a certain Mohammed, then a Véronique, an Audrey… I tried to connect 19 times in vain,” one Internet user confided. On the home page of its site, CAF explains that “anomalies in connection to the My Account Area have been observed” (…) and that in order to “completely secure the situation, the My Account Area and the mobile application are currently closed.” Before concluding: “CAF offers its sincerest apologies and will get back to the beneficiaries affected by this incident. You do not need to contact your CAF.”

The case should not stop there, since the ANSSI (National Information Systems Security Agency) has been called upon to shed light on the incident. The CNIL (National Commission for Informatics and Liberties) has also been notified, as the law requires. To prevent this technical incident, already critical for some beneficiaries, from degenerating further, the CNIL “invites people to pay particular attention to changes in data on their account” and underlines “that it is important that people who encounter this problem report the information to the data controller, in this case the CAF, and do not take a copy of it, still less publish it on social networks or elsewhere.”
