France Confirms Data Breach At Government Agency That Manages Citizens' IDs (techcrunch.com) 18
An anonymous reader quotes a report from TechCrunch: The French government agency that handles the issuing and management of citizens' identity documents, including national IDs, passports, and immigration documents, confirmed Wednesday that it experienced a data breach. In an announcement, the Agence Nationale des Titres Securises (ANTS) said the data stolen in the breach could include full names, dates and places of birth, mailing and email addresses, and phone numbers on an undisclosed number of citizens. ANTS said the investigation to determine how the breach happened and its impact is ongoing, and people whose data was affected are being notified.
ANTS, which said it detected the attack on April 15, did not specify how many people were affected by the breach. But some reporting suggests millions may have had some of their personal information stolen. According to Bleeping Computer, a hacker has advertised the stolen data on a hacking forum, claiming to have a database with 19 million records. The hacker's forum post referenced the same kind of stolen information as mentioned in ANTS' announcement and was published before ANTS publicly disclosed the breach on April 20.
ANTS, which said it detected the attack on April 15, did not specify how many people were affected by the breach. But some reporting suggests millions may have had some of their personal information stolen. According to Bleeping Computer, a hacker has advertised the stolen data on a hacking forum, claiming to have a database with 19 million records. The hacker's forum post referenced the same kind of stolen information as mentioned in ANTS' announcement and was published before ANTS publicly disclosed the breach on April 20.
Re: (Score:2)
I've got ANTS in my pants!
...from France.
Re: (Score:3)
J'ai des FOURMIS dans le pantalon!
Corrigé pour vous.
Well, what a surprise .. (Score:5, Insightful)
who would have ever thought that such a thing would happen ?
Put valuable data somewhere and of course the crooks will try to steal it, and they did. This is the sort of information needed to blag their way into bank & corporate accounts, reset email passwords, access tax records and no end of similar things. This will cause mayhem for the 19 million French men & women.
May this be a warning to those planning similar systems in other countries: either do not do it (fat chance of that) or invest in proper security that is frequently pen-tested.
Re: (Score:3)
Re: (Score:2)
Which, duh, it shouldn't be centralized, and no information needs to be stored once authentication has been made the first time. Just a passkey.
My sense is that organizations do things in this manner because it is convenient and they are not liable for the costs.
Re:Well, what a surprise .. (Score:4, Informative)
Where do passkeys come into this? It's the organisation that prints ID cards and passports, not an organisation where people open an account into which they will later want to log in.
Re: (Score:2)
Euphemism as ID is essentially a passkey for access, and a further passkey to verify the ID. Not much different than the Swiss bank accounts of yore.
Re: (Score:2)
That's why if the system stores EVERYTHING then it should be air gapped, with data batches manually carried from network to network. This can delay responses so some subset of the data will have to be stored elsewhere, but you don't have to put it all in one place. Given how many things already happen during overnight batches this would cause a LOT less inconvenience than most people think.
Re:Well, what a surprise .. (Score:4, Insightful)
It's unreasonable to expect that the government agency responsible for passports, identity cards, and visas to not hold valuable data on people. Likewise it's pretty uncontroversial to believe that the data should be secured.
What's always controversial is how many resources or tax dollars to throw at securing the data or how responsible to hold the politicians and leaders who didn't fund securing the data in the first place.
Re: (Score:2)
May this be a warning to those planning similar systems in other countries
Is it though? I mean it's not the first time. Or the second. Or the third. Or .... well I mean I can give you a list from a quick search:
UK system breached end of 2025
Australia in 2022
Estonia in 2021
Argentina in 2021
India in 2018
South Korea in 2014
If there's a lesson to learn, then no one is learning it.
They can take a page off our playbook (Score:2)
Each ID will indicate "Not for real ID purposes" but instead Non destiné aux fins d'identification officielle (Real ID) so even the crooks won't go very far
They run the agentcy (Score:2)
Re: (Score:1)
Operating System Age Verification (Score:4, Informative)
And it is for reasons like this we donâ(TM)t want age verification as a core requirement for operating systems.
Now everyone and no one are French citizens! (Score:2)
ID data stolen (Score:2)
That is why we urgently need porn verification, so we get the names and numbers.