Skip to content
Data breachContained

Leak at Assurance retraite

On 13 September 2024, France's Assurance retraite (Cnav) disclosed a breach of its PPAS social-action partner portal, exposing data on about 370,000 pension beneficiaries including names, addresses, social security numbers and approximate income.

Victim
Assurance retraite (French pension fund)
records
370.0K

On 13 September 2024, Assurance retraite β€” the French national pension fund managed by the Caisse nationale d'assurance vieillesse (Cnav) β€” disclosed a data breach affecting roughly 370,000 retirement beneficiaries.

The attack targeted the Portail Partenaires de l'Action Sociale (PPAS), an online platform used to manage billing for the service providers who deliver social-action services to retirees. Attackers gained access not through a software vulnerability but by taking over legitimate service-provider accounts on the portal, then using that access to extract beneficiary records.

The exposed data included:

  • Names and surnames
  • Postal addresses
  • Social security numbers
  • Approximate income / resource amounts

Cnav stressed that bank details and information about payments, careers and benefits paid were not affected. On detecting the breach, Cnav immediately suspended the PPAS portal to stop further exploitation, launched a technical investigation into the source of the attack, filed a complaint, and reported the incident to France's data-protection regulator, the CNIL.

Sources

  1. lemonde.frhttps://www.lemonde.fr/pixels/article/2024/09/13/l-assurance-retraite-s-est-fait-voler-des-donnees-de-370-000-personnes_6316212_4408996.html
  2. europe1.frhttps://www.europe1.fr/technologies/lassurance-retraite-sest-fait-voler-des-donnees-de-370000-personnes-4267291
  3. santecool.nethttps://santecool.net/cyberattaque-fuite-donnees-caisse-retraite-370000-beneficiaires/

Related incidents