[BreachExchange] French government visa website hit by cyber-attack that exposed applicants’ personal data

[Sophia Kingsbury]

https://portswigger.net/daily-swig/french-government-visa-website-hit-by-cyber-attack-that-exposed-applicants-personal-data

The personal data of visa applicants hoping to visit or emigrate to France
has been exposed in a cyber-attack targeting the French government’s
‘France-Visas’ website.

France’s Ministry of Foreign Affairs and Ministry of the Interior, which
jointly manage the site, said the attack took place on August 10 and was
“quickly neutralized”, according to a Google translation of a
French-language government press release published on Friday (September 3).

The compromised data comprises details entered during visa applications,
including email addresses, first and last names, dates of birth,
nationalities, and passport numbers or identity card numbers.

No financial or ‘sensitive’ data (as defined by the GDPR) was compromised,
said the government ministries.

The press release did not disclose how many individuals are impacted or a
range of dates within which visa applications were compromised.

The statement intimates that the stolen data would not be sufficient for
the attackers to access government services under the guise of victims.

David Sygula, senior cybersecurity analyst at Paris-headquartered infosec
firm CybelAngel, told The Daily Swig: “Such data is highly valuable like
any PII for malicious purposes. Depending on the country and the freshness
of data, one record can typically be sold for around 10, to several dozen
euros on illicit sites (Dark Web).

“The data in question can be used for impersonation to carry out several
types of fraud, such as opening a bank account or other malicious
activities related to immigration (think human trafficking).”

Incident response

The French government ministries said they immediately implemented measures
to secure france-visas.gouv.fr and prevent further attacks.

Affected individuals have been notified of the data breach and been given
recommendations for protecting their personal data and online identities,
said the statement.

The French data protection regulator – the Commission nationale de
l'informatique et des libertés (CNIL) – has been notified and a judicial
investigation is underway, reads the press release.

David Sygula of CybelAngel said: “The mere successes of the attack –
although contained – is a way of attacking France as a country and
institution. It may ‘give faith’ to other groups and harm France’s overall
reputation regarding cyber exposure.”

The number of visas issued by the French government fell by nearly 80%
between 2019, when 3.5 million visas were granted, and 2020, as the
Covid-19 pandemic decimated international travel, SchengenVisaInfo.com has
previously reported.

The Daily Swig has asked the French government for further details, and we
will update this story if and when they do so.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210907/b2bb4938/attachment.html>