Company | Bug on the Caf site: “I came across someone else’s data 19 times”

Easier and more secure access, during the month of October logging into the My Account area“This is what the Family Allowance Fund announced on its twitter account on October 8. However, this weekend benefit recipients wishing to connect to their account had the unpleasant surprise of not having access to their own account, but rather to that of another beneficiary. This is the case of Jérôme Misztal, this Toulouse resident, quite recovered, tried to use the new France Connect connection system, common to many administrations and public services, and which Caf had just set up. Thus to access the “My account” area, all you had to do was put your social security number in place of your beneficiary number and enter your old password and then create a new one.

At each connection, it connected me to a different account, at the beginning I came across the account of a certain Mohammed, then of a Véronique, an Audrey … I tried to connect 19 times in vain , I had access to their personal data: address, bank details, amount of their allowance, family situation …“, Jérôme Misztal confides. Stunned and in the misunderstanding, the latter contacted the Ministry of the Interior:”They told me there was nothing they could do, so I went to Magendarmerie.fr. I reported to the gendarmes, they told me they would contact someone at the Caf. A few hours later the site was put into maintenance“.

Not wishing to stop there, the beneficiary is preparing to contact the Cnil (National Commission for Informatics and Freedoms). “I intend to file a complaint. It is unacceptable for a government site to have such a large breach.“For the time being Jérôme has used his Twitter account to express his anger on the social network and warn the beneficiaries, just like many Internet users in the same case.

Contacted by us in the morning, the Caf hoped to reopen the “My account” space in the morning, but the problem is still not resolved, the site is therefore still under maintenance: “The work is not yet finished, it takes time“. Regarding access to personal data, the organization told AFP in the early afternoon that 7,000 files were concerned. This”data integrity violation“is”not due to a computer attack“and this does not signal a”computer system vulnerability“, specified to AFP Vincent Mazauric, the general director of the Cnaf. The public establishment specified that it would warn the Cnil as well as each beneficiary concerned individually. For its part, the Cnil received from”many calls since this morning“and indicates that if a data breach were found, an investigation should be opened.

Leave a Comment