France Confirms Data Breach At Government Agency That Manages Citizens' IDs

An anonymous reader quotes a report from TechCrunch: The French government agency that handles the issuing and management of citizens' identity documents, including national IDs, passports, and immigration documents, confirmed Wednesday that it experienced a data breach. In an announcement, the Agence Nationale des Titres Securises (ANTS) said the data stolen in the breach could include full names, dates and places of birth, mailing and email addresses, and phone numbers on an undisclosed number of citizens. ANTS said the investigation to determine how the breach happened and its impact is ongoing, and people whose data was affected are being notified.

ANTS, which said it detected the attack on April 15, did not specify how many people were affected by the breach. But some reporting suggests millions may have had some of their personal information stolen. According to Bleeping Computer, a hacker has advertised the stolen data on a hacking forum, claiming to have a database with 19 million records. The hacker's forum post referenced the same kind of stolen information as mentioned in ANTS' announcement and was published before ANTS publicly disclosed the breach on April 20.

Re:

[Powercntrl]

I've got ANTS in my pants!

...from France.

Re:

[ClickOnThis]

J'ai des FOURMIS dans le pantalon!

Corrigé pour vous.

Well, what a surprise ..

[Alain Williams]

who would have ever thought that such a thing would happen ?

Put valuable data somewhere and of course the crooks will try to steal it, and they did. This is the sort of information needed to blag their way into bank & corporate accounts, reset email passwords, access tax records and no end of similar things. This will cause mayhem for the 19 million French men & women.

May this be a warning to those planning similar systems in other countries: either do not do it (fat chance of that) or invest in proper security that is frequently pen-tested.

Re:

[alvinrod]

A centralized system is always a single point of failure and keeping thieves out requires a perfect response to every attempted theft whereas a successful break-in requires slipping through security just once. Given enough time any system designed this way will be compromised. Anything not engineered with this is mind is doomed to fail.

Re:

[quintessencesluglord]

Which, duh, it shouldn't be centralized, and no information needs to be stored once authentication has been made the first time. Just a passkey.

My sense is that organizations do things in this manner because it is convenient and they are not liable for the costs.

Re:

[Himmy32]

It's unreasonable to expect that the government agency responsible for passports, identity cards, and visas to not hold valuable data on people. Likewise it's pretty uncontroversial to believe that the data should be secured.

What's always controversial is how many resources or tax dollars to throw at securing the data or how responsible to hold the politicians and leaders who didn't fund securing the data in the first place.

They can take a page off our playbook

[Provocateur]

Each ID will indicate "Not for real ID purposes" but instead Non destiné aux fins d'identification officielle (Real ID) so even the crooks won't go very far

They run the agentcy

[anoncoward69]

Can't they just invalidate all the current IDs and reissue new ones? Not going to be cheap, but hey thats what you get for half assing your security

Re:

[manu0601]

Do you suggest the compromise allows forged ID cards? I am not sure they said so.

Operating System Age Verification

[Midnight Thunder]

And it is for reasons like this we donâ(TM)t want age verification as a core requirement for operating systems.

Now everyone and no one are French citizens!

[oldgraybeard]

"Government Agency That Manages Citizens' IDs " want something public give the data to the government!