Remorseless cyberattacks pose a growing threat to French hospitals, political outfits, IT service providers, and military contractors. Here is a look at some of the most notorious cyberattacks in French history.
#1 Naval defense contractor DCNS
French naval contractor Direction des Constructions Navales (DCNS) claimed in August 2016 that it may have been the victim of corporate espionage and tough competition after Australian media leaked details of six Scorpene submarines the company is building for the Indian Navy. The data leak ran to more than 22,000 pages and detailed the vessels' combat capabilities. While the Indian authorities announced a probe into possible intellectual property theft, the media exposé set off alarm bells in Australia as well. DCNS's Indian deal is worth $3.5 billion. Australia has exclusively contracted the company, whose key stakeholders include Thales as well as the French state, to build Shortfin Barracuda submarines in a deal pegged at $38 billion! DCNS pipped rivals like Germany's ThyssenKrupp as well as Mitsubishi and Kawasaki, both backed by the Japanese government, to bag the Australian contract. However, the exposé didn't include details of the vessels being designed for the Australian fleet.
#2 En Marche!
Hours before polling opened in the runoff of the French presidential election in early May 2017, the hashtag "#MacronLeaks" started to trend online. Emmanuel Macron, a socialist-turned-centrist of the En Marche! (now Renaissance) party, was widely expected to prevail in the runoff by a margin of 20-30% over far-right rival Marine Le Pen. At the heart of the controversy was a 9GB data cache containing emails, photos, accounting details, and contract documents allegedly belonging to the En Marche movement. The data pile was first posted to Pastebin, the online content hosting site, and was further amplified by far-right groups on the 4chan image board before it appeared on WikiLeaks. Hackers had reportedly stolen the data from the email accounts of En Marche staffers a few weeks earlier. En Marche claimed the leaks included many fake documents and dubbed the release an attempt to subvert the outcome of the election via disinformation.
#3 Andre-Mignot Hospital
In December 2022, the IT systems and telephone networks at Andre-Mignot Hospital in Versailles, about 17 kilometers from Paris, were thrown offline in what is believed to be a ransomware attack. In the wake of the hack, at least six patients had to be rushed to another facility for emergency care. Additional staff had to be called in to maintain critical functions at the intensive care unit. A co-chairperson of the hospital told the media that the attackers had demanded ransom money, though he didn't seem to be aware of the exact sum. The public hospital had no intention of paying up, since meeting ransomware demands is illegal for government-funded organizations in France. Moreover, paying a ransom doesn't guarantee data recovery: the cybercriminals might simply go back on their word.
#4 South Francilien Hospital Center
In August 2022, critical medical systems at South Francilien Hospital Center (Centre Hospitalier Sud Francilien, CHSF) in Corbeil-Essonnes, about 30 kilometers south of Paris, were locked down in a ransomware attack. As a result, the hospital had to postpone surgeries and redirect patients to public hospitals in north and central France. The cybercriminals demanded $10 million in ransom in exchange for freeing up the encrypted systems. The attackers later lowered the ransom to $1 million, but the hospital rejected the demand. After the deadline for payment passed on September 23, 2022, the hackers offloaded part of the data trove to the dark web. The leaked data included patients' personally identifiable information (PII), including medical scans, lab analyses, and national security numbers, as well as details of hospital staff.
#5 L'Assurance Maladie
In mid-March 2022, it was reported that online criminals had made off with the health data of more than half a million French citizens. The black hats had gained unauthorized access to the email accounts of 19 pharmacists at the French Health Insurance body (L'Assurance Maladie) using passwords sourced from the dark web. Having set foot in the health insurer's IT network, the hackers lost no time in stealing personal data, including names, surnames, birthdates, social security numbers, general practitioner numbers, and reimbursement details of no fewer than 510,000 people. Telephone numbers, addresses, banking details, and medical history were not among the exfiltrated data. L'Assurance Maladie filed a criminal complaint, and the insurance body said it was reaching out individually to those affected by the breach.
#6 Apollo's French users
In early 2021, nearly 11 million records of French users reportedly stolen from Apollo, an American digital marketing firm, were put up for sale on a hacker forum. The stolen data stash included professional details of users such as full names, email addresses, social and professional profiles, phone numbers, and employment history. The leaked data seemed to include the geographic coordinates of the users as well as those of their employers. Apollo boasts a database of 200 million buyers and sellers at 10 million businesses, and the firm had been the subject of a similar hack of user data in mid-2018. It wasn't clear what the hackers' method of operation in 2021 was, or whether the stolen information included data from the previous cyberattack. The only saving grace was that the leak didn't include social security numbers and credit card details!
#7 Medical laboratory services
In February 2021, cybersecurity researchers in northern France came upon a database comprising nearly half a million French patient records, stashed away in an illicit Telegram channel used to trade leaked personal data. Most embarrassingly, the leak exposed confidential personal data on fertility issues, pregnancy, HIV status, and medication administration. Besides patients' addresses, telephone numbers, emails, and social security numbers, blood groups were also exposed in some instances. The data belongs to the period from 2015 to 2020 and is reported to have been pilfered primarily from more than two dozen medical laboratories in northwest France. The security analyst who broke the story reckons the hackers might have squabbled over the sale price of the documents and, as a result, the file went public. Soon after, the Paris Prosecutor's Office (Parquet de Paris) announced an investigation into the leak.
#8 Le Figaro
Le Figaro, founded in 1826, is France's oldest national daily and one of the country's most widely circulated newspapers. The online edition of the daily figures among the top 50 most trafficked websites in France. In May 2020, a group of security researchers made the startling revelation that Le Figaro, owned by French aerospace company Dassault Group since 2004, had been leaking terabytes of user data since at least February 2020! The security researchers think an estimated 42,000 new users who had signed up on the Le Figaro website in early 2020 might have had their PII compromised by the hack. This includes full names, residential addresses, email IDs, weakly encrypted passwords, country of residence, zip codes, IP addresses, and server access tokens. The security analysts have reason to believe the data leak is linked to the daily's ERP/CRM platform.
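Two of the incidents above turn on password handling: at L'Assurance Maladie the attackers walked in with passwords that had already leaked elsewhere, and the Le Figaro exposure handed out "weakly encrypted" passwords that an attacker could recover and reuse. The following is an added illustration of the defensive side of both points, written for this page and not taken from the article or from any of the organisations named. It rejects a candidate password at registration when it appears in a breach corpus (using the same hash-prefix lookup pattern breach-notification services use, so the full password hash is never disclosed to the lookup), and contrasts storing passwords with a fast unsalted hash against a salted, memory-hard KDF. The breach corpus here is constructed for the example; a real deployment would query an actual breach service or an offline dump of leaked hashes.

```python
import hashlib
import os
import secrets
from typing import Dict, Optional, Set

# Constructed stand-in for a breached-password corpus. Real corpora are
# distributed as SHA-1 hex digests, so no plaintext needs to be retained.
_CONSTRUCTED_BREACHED_PLAINTEXTS = ["password", "123456", "pharmacie2022", "Soleil!75"]
BREACHED_SHA1: Set[str] = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in _CONSTRUCTED_BREACHED_PLAINTEXTS
}


def breached_suffixes_for_prefix(prefix: str) -> Set[str]:
    """Simulated k-anonymity range lookup: the caller reveals only the first
    five hex characters of the SHA-1 and receives every suffix stored under
    that prefix. Matching against the full hash happens on the caller's side."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    """True if the password appears in the (constructed) breach corpus."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in breached_suffixes_for_prefix(digest[:5])


def weak_store(password: str) -> str:
    """What 'weakly protected' storage looks like: unsalted fast hash. Equal
    passwords produce equal records and a leaked table can be attacked with
    precomputed hashes at billions of guesses per second. Shown for contrast only."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# scrypt cost parameters: N=2^14, r=8 needs ~16 MiB per guess, which slows
# offline cracking of a leaked table far more than it slows a legitimate login.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def strong_store(password: str) -> Dict[str, str]:
    """Per-user random salt plus a memory-hard KDF; the record is safe to
    persist and two users with the same password get different records."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return {"alg": "scrypt", "salt": salt.hex(), "hash": key.hex()}


def verify(password: str, record: Dict[str, str]) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    if record.get("alg") != "scrypt":
        return False
    salt = bytes.fromhex(record["salt"])
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return secrets.compare_digest(key.hex(), record["hash"])


def register(password: str) -> Optional[Dict[str, str]]:
    """Registration policy: refuse any password already seen in a breach,
    otherwise return the record to persist. None means 'rejected'."""
    if is_breached(password):
        return None
    return strong_store(password)


if __name__ == "__main__":
    print("breached 'password':", is_breached("password"))
    rec = register("correct horse battery staple")
    print("record:", rec)
    print("verify ok:", rec is not None and verify("correct horse battery staple", rec))
```

A breached-password check at registration and password change stops the obvious reuse of already-leaked credentials, but it cannot catch a password that leaks after the check; a second authentication factor on the accounts that matter, such as staff mailboxes, is what closes that remaining gap. The scrypt parameters above are moderate defaults; tune them to the login latency the service can tolerate.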
#9 Dax-Côte d'Argent Hospital Center
In February 2021, an overnight ransomware attack disrupted computer networks and telephone lines at the Dax-Côte d'Argent Hospital Center (Centre Hospitalier de Dax-Côte d'Argent) in southwestern France. The scale of devastation was such that not a single computer at the hospital was working for nearly 48 hours. The attack took the entire network offline and returned the establishment, with its 2,300 staff, to the age of pen and paper for a while. The hospital was forced to accept only unavoidable emergency cases, and the computerized sterilization control system was among the critical operations that took a hit. The cyber intrusion has since been attributed to the Egregor ransomware gang, itself a reincarnation of Maze, another notorious gang that went out of 'business' in October 2020.
#10 Centreon monitoring software
The French National Agency for the Security of Information Systems (Agence nationale de la sécurité des systèmes d'information, ANSSI) reported in February 2021 that backdoors had been discovered on multiple servers hosting the French company Centreon's monitoring software. This malware served as a foothold for the hackers to sneak into the IT networks of several of Centreon's customers, including French government establishments. The affected IT providers were breached in a series of attacks lasting nearly four years, from late 2017 to 2020. The servers were reportedly compromised using the P.A.S web shell 3.1.4 (aka Fobushell) and Exaramel. The former, developed by a Ukrainian student, is typically used against WordPress sites; the latter targets Windows and Linux systems. Both backdoors are said to be popular with Sandworm hackers from the GRU, Russia's military intelligence.
Thanks for your time. We'll be back soon with more stories on cybersecurity breaches from around the world. Stay with us. Meanwhile, please let us know if you have any questions. Best regards, Cyberlands team.