By Michela Menting | 23 Feb 2024 | IN-7252
Payment service providers for French medical insurance companies suffer a data breach, leaking Personally Identifiable Information (PII) of more than 33 million citizens.
Biggest Hack in French History
NEWS
In the first days of February 2024, the third-party payment providers Viamedis and Almerys disclosed that they had suffered a data breach, with threat actors copying Personally Identifiable Information (PII) including full names, marital status, date of birth, social security numbers, and the name of the insurer and the policy number of millions of individuals. The companies operate the third-party payment (tiers payant) platforms through which complementary health insurers settle patients' bills directly with healthcare providers, so that patients do not advance the cost of care. The breach affects roughly half of the French population, an estimated 33 million people, and is the largest data breach recorded in France to date. The French data protection authority, the Commission nationale de l'informatique et des libertés (CNIL), has opened an investigation into the two companies to determine whether their security measures were adequate and what liability they bear.
Phishing's Persistent Threat Seems Unstoppable
IMPACT
The hack was perpetrated using phishing: the threat actors obtained the credentials of healthcare professionals, which gave them access to the Viamedis and Almerys portals where medical payments and reimbursements are managed. That stolen credentials alone were enough to log in tells its own story; authentication that is phishing-resistant by design (FIDO2 or passkey-based login, or the smart cards already issued to French healthcare professionals) cannot be replayed from a phishing page. Phishing is one of the oldest tricks in the book, and it targets the weakest link in the cyber environment: people. This is not to say that the rest of the threat actors' work was trivial; quite the opposite. It would have required significant effort to identify the right target company in the supply chain and then work around the protection mechanisms in place around the platform and its many users. Third-party providers are an increasingly common target for cyberattacks because they offer one point of entry to multiple victim organizations. Better still, from the attacker's perspective, are providers in sectors where PII is concentrated (e.g., healthcare and payments). Targeting companies like Viamedis and Almerys kills two birds with one stone: the highest-value PII, and a single point of entry into a host of insurers. Case in point, this attack exposed the insureds of an estimated 150 French complementary health insurers served by the two platforms, covering half of the French population.
The tragedy is that this type of attack is entirely preventable. Phishing provides an entry point into a platform, but to extract data of this volume and sensitivity the threat actors needed more than a single professional's ordinary view of the system: either privilege escalation, or, just as plausibly, a portal that let any authenticated professional look up any insured person's record with no rate limiting and no detection of bulk enumeration. Either way, the likely enablers were weak access controls on the underlying databases and inadequate protection of the data itself. Note that encryption at rest alone would not have helped here: data read through an authenticated application path is decrypted for the caller, so what limits the blast radius is field-level encryption or tokenization whose keys are not reachable from that path, combined with per-identity access limits. The loss of such data will have long-term repercussions for the victims, who will now be exposed to highly targeted phishing, identity theft, and other fraud; social security numbers and dates of birth cannot be rotated like a password. There is little doubt that the service providers are at fault; the CNIL will determine the extent of their liability in due course, but the fallout will be rough not just for the individuals and the sector, but for the French state as well.
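The bulk-enumeration scenario described above is exactly what access logging on a lookup portal should surface. The following is an added example, not code from Viamedis, Almerys or this article: it constructs a sample access log (the log format, account names, IPs, subject identifiers and the 60-lookups-per-10-minutes threshold are all assumptions chosen for illustration), flags any account whose peak lookup rate within a sliding window exceeds a budget that a busy practice would never reach, and shows the preventive counterpart, a velocity guard that refuses further lookups once an account exhausts its budget.

```python
"""Detecting, and then blocking, bulk enumeration of insured records through a
single healthcare-professional account.

Added example; not code from Viamedis, Almerys or the article. The log format,
field names, thresholds and sample lines below are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format: ISO timestamp, account, client IP, action, the
# insured person looked up (subject) and the result of the request.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) action=(?P<action>\S+) "
    r"subject=(?P<subject>\S+) result=(?P<result>\S+)$"
)

def parse_line(line):
    """Parse one constructed log line; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev

def detect_bulk_enumeration(lines, window=timedelta(minutes=10), max_lookups=60):
    """Return {account: summary} for accounts whose peak number of successful
    record lookups inside any `window` exceeds `max_lookups` (assumed threshold)."""
    per_user = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["action"] == "lookup" and ev["result"] == "ok":
            per_user[ev["user"]].append(ev)
    findings = {}
    for user, events in per_user.items():
        events.sort(key=lambda e: e["ts"])
        peak, start = 0, 0
        for end in range(len(events)):          # two-pointer sliding window
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_lookups:
            findings[user] = {
                "peak_lookups_in_window": peak,
                "distinct_subjects": len({e["subject"] for e in events}),
                "source_ips": sorted({e["ip"] for e in events}),
                "first_seen": events[0]["ts"].isoformat(),
            }
    return findings

class VelocityGuard:
    """Preventive counterpart: deny a lookup once an account exceeds its
    per-window budget, so a phished credential cannot be turned into a bulk
    export even though the account is otherwise authorized to look up records."""
    def __init__(self, window=timedelta(minutes=10), max_lookups=60):
        self.window = window
        self.max_lookups = max_lookups
        self._recent = defaultdict(deque)   # account -> timestamps inside the window

    def allow(self, user, ts):
        q = self._recent[user]
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_lookups:
            return False
        q.append(ts)
        return True

def build_sample_log():
    """Constructed sample: one account behaving like a practice, one scraping records."""
    lines = []
    morning = datetime(2024, 1, 28, 8, 0, 0, tzinfo=timezone.utc)
    for i, minute in enumerate([1, 3, 40, 55, 120]):        # a handful of lookups
        t = morning + timedelta(minutes=minute)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} user=dr.martin ip=203.0.113.10 "
                     f"action=lookup subject=S{i:04d} result=ok")
    night = datetime(2024, 1, 28, 2, 0, 0, tzinfo=timezone.utc)
    for i in range(600):                                     # one new subject per second
        t = night + timedelta(seconds=i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} user=dr.dupont ip=198.51.100.7 "
                     f"action=lookup subject=S{1000 + i} result=ok")
    return lines

def guard_demo(n=61):
    """Feed n lookups one second apart through a fresh guard; returns the decisions."""
    guard = VelocityGuard()
    t0 = datetime(2024, 1, 28, 2, 0, 0, tzinfo=timezone.utc)
    return [guard.allow("dr.dupont", t0 + timedelta(seconds=i)) for i in range(n)]

if __name__ == "__main__":
    for user, summary in detect_bulk_enumeration(build_sample_log()).items():
        print(f"ALERT {user}: {summary}")
    decisions = guard_demo()
    print(f"guard allowed {decisions.count(True)} lookups, denied {decisions.count(False)}")
```

Run as a script, the detector flags only the scraping account (600 distinct subjects at the peak rate of one per second, from a single IP, starting at 02:00 UTC), while the practice account stays under the budget; the guard admits the first 60 lookups and refuses the 61st. The thresholds are deliberately coarse: in production they would be derived from each account's own baseline, and the detector would also weigh the ratio of distinct subjects to total lookups, the hour of day, and the source network, since a practice re-checks the same few patients during office hours and a scraper walks through identifiers at night.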
In Zero We Trust
RECOMMENDATIONS
Supply chain attacks have become increasingly popular with threat actors because one successful intrusion yields an outsized Return on Investment (ROI). It certainly hurts more when the attack vector is a preventable, run-of-the-mill phishing email rather than a complex, hard-to-detect Zero Day exploit. Regardless, organizations in all sectors need to accept that some of their defenses will fail, and that the compromise of a credential or a component is a matter of when, not if. Adopting a Zero Trust approach, whereby no asset is ever implicitly trusted, whether internal or external, and every request is authenticated, authorized and limited on its own merits, is the only viable way forward. Anything less opens the door to opportunistic threat actors and is a recipe for disaster.
There is little doubt that cyberattacks on this scale will continue to drive forward the Zero Trust market, from identity and access control to mutual authentication, network segmentation, and device management. There is too much at stake to rely on anything less than a comprehensive approach. Cybersecurity providers offering a Zero Trust model will be increasingly sought after as organizations learn that they cannot afford to even implicitly trust their most trustworthy asset. It’s an all or nothing situation, and the solutions are already available in the market. Organizations must start implementing Zero Trust, or suffer the consequences.