Contacted just before the holidays, Mrs L., a resident of the village of Églisottes-et-Chalaures in the Gironde, “fell from the clouds”. Her date of birth, her husband’s, their address, the amount of benefits they receive from the Family Assistance Fund (CAF), and even their income could be found online. “I was not aware, I am learning it from you”, the 50-year-old tells us on the phone. The same goes for Mrs F. from Saint-Sulpice-et-Cameyrac, Mrs B. from Cabanac-et-Villagrains and a dozen other people we contacted. Loss and some anger too.
The source of this “leak”, revealed by Radio France’s investigation unit, is the Gironde Family Assistance Fund. The organization (a private-law body charged with a public service mission, like all CAFs) regularly trains its agents, especially its statisticians. To teach them R, a programming language for statistics, it called on a service provider based in the Paris region. And as in all training, there are practical cases with exercises.
In this context, CAF de Gironde sent its service provider a file containing the personal data of 10,204 recipients. Surnames and first names had been removed, as well as postal codes, but a lot of information remained: address (street number and name), date of birth, family composition and income, amounts and types of benefits received (RSA, APL, adult disability allowance, etc.). In total, no fewer than 181 data items on beneficiaries were found. The file even mentions the birth dates of the children and the existence of joint custody. Deleting surnames and first names in no way prevents the recipients from being identified: using an online reverse directory, we were able to find the identity of most of them.
At the time of the training, in March 2021, the service provider placed this file online on its website (see screenshots below). It was not restricted to CAF agents: anyone could access the data simply by clicking on a file called caf.zip. “When CAF communicated this data to me, I thought it was fictitious,” says the service provider, whose anonymity we are preserving, in his defense today. “We don’t need real data for training, just realistic data. The file was made available on my site as part of an online training and I was unable to check it afterwards.” As soon as we contacted him, this trainer removed the file from his site. It had nonetheless stayed there for… 18 months.
Beyond this “oversight”, it is the very transmission of this data by the CAF to a third party that raises questions. “These are sensitive personal data. I don’t think Caf had the legal right to export this data,” explains Bastien Le Querrec, lawyer at La Quadrature du Net. “We have a window into the intimate lives of more than 10,000 people with highly accurate information,” laments Alexandre*, another member of the association. “It is very problematic that Caf allows itself to send this data to a private service provider; it could have done this training with a set of fictitious data,” he continues.
So what does the law say? According to Alexandra Iteanu, a data protection lawyer, “For a transfer of personal data to be lawful, it must be based on one of the six legal bases established by the GDPR [General Data Protection Regulation, editor’s note]: consent, contract, mission of public interest, protection of vital interests, legitimate interest and legal obligation. Therefore, CAF had no right to communicate this data without first informing the interested persons and obtaining their consent,” concludes the lawyer. In this type of situation, sanctions can be of three types: administrative (imposed by the Cnil), civil and even criminal.
It must be said that the damage can be considerable for the recipients. “With so much data available online, the biggest risk is identity theft,” explains Bastien Le Querrec. “There may also be malicious targeting. For example, we get a message that says ‘take this step for your child’ and we connect to a fraudulent platform.”
Asked about this case, the press service of the National Family Assistance Fund (CNAF) replied that “this data should never have been put online by the service provider” and that the latter had received the file as part of “a very limited training session” with staff “subject to professional secrecy”. The document, we are told, was for “strictly internal” use.
CAF de Gironde will inform the 10,204 beneficiaries concerned and has opened an internal investigation to “understand how this situation could arise and put in place a stricter tracking system”.
* Assumed name