The CNIL has noted several personal data breaches in recent weeks at organizations well known to the general public, such as the one that recently affected the company FREE. Identity theft, theft of IBANs … what are the risks? What can you do?
What is a data breach?
Personal data breaches include leaks, thefts or losses of data, whether accidental or malicious. In some cases, this data can be resold on the Internet or even cross-referenced with data from other data breaches.
How do you know if you are a victim?
When these breaches are likely to cause a high risk for individuals, organizations must in principle inform the individuals concerned directly, including the measures taken to remedy or mitigate the consequences of the breach.
If you have received such a message, vigilance is required in the coming days, but also and especially in the longer term, by adopting essential reflexes.
The CNIL is not able to inform you or confirm the presence of your data among those that have been the subject of a breach. However, you can question the responsible organization on this point.
Please note: some websites indicate that they hold the data and can tell you whether or not you are affected. The CNIL advises against using them.
What are the risks and what can you do to protect yourself?
The risks will often depend on the nature of the information stolen.
Fraudulent use of IBAN (bank details)
The IBAN is the bank account identifier that you may have provided to pay for a subscription or service.
In some cases, this identifier allows a hacker to issue illegitimate direct debit orders against a fraudulently obtained IBAN. More directly, the hacker can also misuse another person’s IBAN by providing it when setting up a direct debit mandate as part of a subscription to a service.
In order to reduce the risks of fraudulent use of your IBAN and minimize its consequences:
- Regularly monitor the transactions on your bank account and block any suspicious direct debit if necessary. Contact your usual bank advisor if in doubt;
- Check the list of authorized creditors (i.e. the beneficiaries of the direct debits) in your online banking space;
- When receiving a pre-filled direct debit mandate, or a supposed update of it, be vigilant about the information describing the creditor in order to avoid misappropriation of your payments.
Identity theft
If you think you are the victim of identity theft following the disclosure of information about you, you can:
- visit the website cybermalveillance.gouv.fr to obtain advice on how to protect yourself from identity theft;
- file a complaint as soon as possible with a police station or gendarmerie;
- inform your bank(s).
If the identity theft is confirmed, particularly if banks send you letters concerning transactions that are unknown to you, you can:
- check whether you are registered with the Banque de France, particularly in the file of incidents of repayment of credits to individuals;
- check whether accounts have been opened in your name without your knowledge by sending the CNIL a request to consult the file of bank accounts (FICOBA).
The special case of SIM card fraud (SIM swapping)
This type of scam is based on identity theft and manipulation of the mobile phone operator. Using previously stolen personal data, the hacker impersonates you with your operator and, under the pretext that your SIM card has been lost or stolen, obtains a new one.
If the hacker succeeds, he will then be able to receive your text messages, calls and, above all, the one-time passwords (OTPs) used to validate certain sensitive operations (for example: authentication to services, validation of bank transfers). With these elements, the hacker will be able to connect to your various digital environments and initiate online operations by impersonating your identity.
In order to limit the risks associated with such attempts:
- watch for a loss of access to your operator’s mobile network from your phone, and contact your operator quickly if this happens without any apparent explanation;
- continue to apply basic computer hygiene rules (such as updating your applications, not downloading fraudulent software or attachments from emails sent by unknown senders, and not visiting websites that do not inspire trust).
Phishing
By SMS or email
Phishing consists of sending you a fraudulent email or SMS that appears realistic because it uses data recovered through the leak (for example, a so-called message from social security, your bank or a parcel delivery service).
Do not open attachments, do not reply to them, do not click on connection links and delete the message immediately.
As a general rule, type the address of the service’s official website directly into your browser to log in to your account.
By phone
Some fraudsters pretend to be your bank advisor, gaining your trust by knowing your personal data, including your IBAN, in order to get you to carry out or confirm an urgent action, such as a payment.
If you receive a suspicious phone call, it may be a scam: check the name of your advisor and call them back on the number shown on your bank statements.
How to protect yourself on a daily basis?
Generally speaking, you can strengthen your digital security to limit the consequences of a data leak:
- change your passwords for the web services you use:
  - by using strong passwords and following the CNIL’s advice for a good password;
  - by prioritizing the most important services (email, taxes, banks, e-commerce sites, etc.);
- avoid using the same password for different services and keep them in a password manager;
- use multi-factor authentication when offered by trusted services (for example, using a dedicated mobile application to validate a connection or transaction).
Vigilance is required in the days following a breach, but also and especially in the longer term, by adopting essential reflexes.
Best practice: sharing information means protecting others
If you think that a data leak may concern someone close to you (family, friends, colleagues), do not hesitate to:
- ask them if they have received the mandatory information message from the responsible body;
- pass on the watch points from the CNIL or other official authorities;
- tell them the right reflexes to have immediately and on a daily basis (for example: change passwords, use multi-factor authentication when offered).
Be vigilant with regard to vulnerable people, in particular:
- those who do not have daily or easy access to the Internet;
- the elderly;
- or those at personal risk due to data leakage (for example in the event of disclosure of sexual orientation, political or religious opinion, state of health, etc.).
How to file a complaint?
You can file a complaint in two ways:
- To the CNIL if you believe that your personal data has not been sufficiently secured.
- To the police or gendarmerie if you are the victim of identity theft, a scam or fraudulent payments.
Cyberattack on the telephone operator FREE
An investigation into this cyberattack is underway; it has been entrusted to the cybercrime brigade (BL2C) of the Paris Police Prefecture.
Obligations of organizations that have suffered a data breach
When leaks, thefts or losses of data are likely to create a risk for the persons concerned, the responsible organizations must notify the CNIL of the breach by providing it with information on the nature of the breach, its consequences and the measures taken to remedy it.
The CNIL is then able to support organizations by advising them, when necessary, on the best way to react and improve their cybersecurity posture.
The CNIL may also be required to collaborate with other institutional actors also responsible for ensuring the cybersecurity of the digital space, such as ANSSI, the cyber section of the Paris prosecutor’s office (J3) or cybermalveillance.gouv.fr.
In the longer term, detailed knowledge of the methods used in these breaches allows the CNIL to produce publications, intended for organizations and the general public, that help to prevent or remedy them and that reflect the real state of the threat as closely as possible. It also allows the CNIL to share its experience with other authorities responsible for preventing cyber risk and to benefit from theirs.
GDPR, CNIL and cybersecurity
The legislation on the protection of personal data – the General Data Protection Regulation (GDPR) – requires all organizations (companies, administrations, associations) to ensure the security of personal data.
The CNIL has four main roles in cybersecurity: it advises organizations upstream on best practices (e.g. its personal data security guide), it monitors downstream compliance with their obligations, it receives and processes breach notifications, and finally it raises awareness among individuals about the risks.
Some figures for 2023:
- 4,668 breach notifications (more than half of the data breaches notified to the CNIL originate from hacking);
- 117 checks (out of 337 carried out) with a cybersecurity issue as a focus;
- 14 sanctions (out of 42 in total) issued with at least one breach relating to data security;
- 74 formal notices with at least one breach relating to data security.