Leak at Assurance retraite
On 13 September 2024, France's Assurance retraite (Cnav) disclosed a breach of its PPAS social-action partner portal, exposing data on about 370,000 pension beneficiaries including names, addresses, social security numbers and approximate income.
- Victim
- Assurance retraite (French pension fund)
- records
- 370.0K
On 13 September 2024, Assurance retraite β the French national pension fund managed by the Caisse nationale d'assurance vieillesse (Cnav) β disclosed a data breach affecting roughly 370,000 retirement beneficiaries.
The attack targeted the Portail Partenaires de l'Action Sociale (PPAS), an online platform used to manage billing for the service providers who deliver social-action services to retirees. Attackers gained access not through a software vulnerability but by taking over legitimate service-provider accounts on the portal, then using that access to extract beneficiary records.
The exposed data included:
- Names and surnames
- Postal addresses
- Social security numbers
- Approximate income / resource amounts
Cnav stressed that bank details and information about payments, careers and benefits paid were not affected. On detecting the breach, Cnav immediately suspended the PPAS portal to stop further exploitation, launched a technical investigation into the source of the attack, filed a complaint, and reported the incident to France's data-protection regulator, the CNIL.
Sources
- lemonde.frhttps://www.lemonde.fr/pixels/article/2024/09/13/l-assurance-retraite-s-est-fait-voler-des-donnees-de-370-000-personnes_6316212_4408996.html
- europe1.frhttps://www.europe1.fr/technologies/lassurance-retraite-sest-fait-voler-des-donnees-de-370000-personnes-4267291
- santecool.nethttps://santecool.net/cyberattaque-fuite-donnees-caisse-retraite-370000-beneficiaires/