Cyber Incident Victim: Centre public d'Action sociale de Charleroi

On or around August 21, 2023, the Centre public d’Action sociale de Charleroi (CPAS Charleroi) fell victim to a significant cyberattack that severely paralyzed its internal computer systems. The attack was first reported on the morning of that date, prompting the organization’s IT teams to take immediate and decisive action. As a security measure, access to the entire internal network was completely severed to allow for necessary verification procedures and to secure the organization's data. This proactive step was taken to contain the breach and prevent any further unauthorized access or potential data exfiltration, though the full scope of the incident was still under investigation. The attack had an immediate and profound impact on the operational capabilities of the CPAS, a critical public institution responsible for providing social welfare services to a large number of citizens in the Charleroi region. The disabling of the internal network meant that many of the routine digital processes and communications were abruptly halted, forcing the organization to revert to manual and alternative methods to maintain essential services.

The primary and most immediate consequence of the cyberattack was a massive disruption to the CPAS's internal operations and its ability to communicate effectively with the public. The social assistance offices, which are heavily relied upon by the community, became exceptionally difficult to reach by telephone due to the crisis. This communication breakdown posed a significant challenge for both the beneficiaries seeking aid and the staff attempting to provide it. In response, the CPAS swiftly established a series of alternative email addresses using an onmicrosoft.com domain to ensure that critical lines of communication with various departments remained open. These alternative contact points were created for the general inquiry line, the general management, the financial directorate, the president's cabinet, the social aid directorate, the legal cell of the social service, the collective action directorate, the mental health directorate, the home care and assistance services directorate, the elderly reception and housing service directorate, the human resources service, and the procurement service. The public was advised that these new channels were operational but was also cautioned to be patient as staff worked under extremely difficult conditions. An additional complication arose as emails sent from these new alternative addresses were sometimes being filtered into recipients' spam folders, necessitating a public advisory to check those folders regularly.

A critical test of the CPAS's contingency plans came with the need to disburse the Revenu d’Intégration Sociale (social integration income) payments for the month of August. With its primary network compromised and automated systems unavailable, the institution was forced to process these financial payments manually. This involved manual encodings that required an enormous amount of work from the teams involved. Despite the formidable challenges, the CPAS successfully executed payments to the vast majority of its approximately 8,500 beneficiaries in a timely manner. However, the manual process was not without errors. It was reported that a small number of beneficiaries, approximately one hundred, received a double payment due to these processing mistakes. The CPAS immediately implemented procedures to recover the overpaid amounts. Social workers directly contacted the affected beneficiaries to explain the situation and arrange for repayment. Notably, some beneficiaries who received the double payment proactively came forward and reimbursed the amount immediately. For the beneficiaries who did not receive their expected payment at all, the CPAS advised them to contact their assigned social worker directly. The institution committed to analyzing the data and user cases on an individual basis to correct each outstanding situation as quickly as possible, aiming to resolve the issues within hours of them being identified.

In the aftermath of the attack, a major concern for both the organization and the individuals it serves was the potential compromise of personal data. The CPAS addressed these Data Protection (GDPR) concerns through a dedicated FAQ section on its website. The institution confirmed that it was a victim of a cyberattack that impacted its functioning and assured the public that all necessary measures had been taken immediately to limit the consequences on the data of all concerned individuals. The investigations into the breach were ongoing, and the CPAS was careful to note that, at that time, it had no confirmed information regarding a potential personal data breach. It committed to keeping the public informed as the situation evolved. The FAQ elaborated on the existing security measures, noting that significant security measures were already in place prior to the incident, as required by Article 32 of the GDPR, but also acknowledged that no information system is completely infallible. The legislation imposes an obligation of means, not results, and the CPAS emphasized that protecting the data of users, beneficiaries, and workers was a top priority, with measures already being strengthened further in response to the attack.

The potential risks to individuals were also outlined in the FAQ. The data potentially concerned was described as all data held by the CPAS, including the personal data of its users, beneficiaries, and workers. While the institution stated that the pirates could not directly access an individual's personal computer or accounts with the information alone, it did warn of associated risks. The primary risk identified was that of targeted phishing attempts. malicious actors could use any data obtained from the attack to craft more convincing fraudulent emails or text messages, pretending to be from the CPAS and asking for additional sensitive information such as photocopies of identity cards or bank account numbers. The public was strongly advised to be extremely cautious regarding any suspicious requests and to verify the provenance of any communication by contacting the relevant service directly through the newly published alternative email addresses. Furthermore, advice was given to change passwords if they were simple or based on information that might have been compromised, recommending the use of complex passwords of at least ten characters mixing numbers, letters, and special characters, and avoiding password reuse across different accounts.

Regarding legal recourse, the CPAS disclosed that it had already filed a complaint with the competent authorities. For individuals considering filing a personal complaint with the police, the institution provided guidance that such an action could be more complex. While the CPAS itself had suffered a clear prejudice, it was not established that each individual in its database had likewise suffered a harm, especially since a personal data breach had not been confirmed at that stage. Belgian law requires demonstrating a personal prejudice to file a valid complaint. The CPAS's dedicated Data Protection Officer (DPO), Ludmilla Postiau, was made available at an alternative email address to handle inquiries related to data protection, though the public was encouraged to consult the updated FAQ on the website first for answers to common questions. Throughout the crisis, the CPAS maintained that all its physical service locations remained open to the public, with teams working diligently to restore normal operations. The main point of contact for general inquiries was a central telephone number, and updates were provided regularly through the organization's website and its Facebook page, demonstrating a commitment to transparency and continuous public communication during a severe operational crisis.