Cyber Incident Victim: Sidaction
Date: Jan 2023
Location: France
Summary
A cyberattack targeting a service provider's hosting system compromised an AIDS charity's donor data, potentially exposing personal information including names, addresses, contact details, and donation amounts. Approximately 3% of impacted records included banking identifiers (IBAN/BIC), though payment card data remained unaffected. The organization notified potentially affected donors and relevant authorities while urging vigilance against fraudulent solicitations. It confirmed ongoing secure online donation capabilities through the provider, which implemented additional security enhancements. This incident followed recent healthcare sector cyberattacks affecting millions in France through compromised third-party systems and hospital data breaches.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On January 1, 2024, Sidaction, a French nonprofit organization cofounded in 1994 to combat HIV/AIDS, disclosed a cybersecurity incident affecting its operations. The breach originated from a cyberattack targeting the system of one of Sidaction’s third-party hosting providers, compromising donor data processed since January 2023. Personal data potentially exposed included names, postal addresses, email addresses, telephone numbers, and donation amounts for less than 20% of donors who contributed during that period. Approximately 3% of the impacted records also contained banking information—specifically IBAN (International Bank Account Number) and BIC (Bank Identifier Code)—though credit card details remained unaffected. Sidaction confirmed the incident involved "cyber-malveillance" (malicious cyber activity) but did not identify the threat actors or their methods. The organization acknowledged the risk of personal data disclosure and initiated direct notifications to affected individuals while alerting France’s data protection authority, the CNIL.

Sidaction emphasized ongoing efforts to mitigate the breach’s consequences, including collaboration with its provider to reinforce existing security measures. The association assured donors that online donation channels remained secure despite the incident and urged vigilance against potential fraud attempts leveraging the exposed data. No operational disruptions to Sidaction’s fundraising events or research initiatives were reported. The disclosure occurred amid a series of cyberattacks against French healthcare entities, including a separate incident impacting 33 million individuals through a third-party payment processor and a hospital breach in Armentières affecting 300,000 patients. Sidaction’s communication stressed transparency but did not specify whether data had been actively misused or if ransomware or extortion tactics were involved in the attack.
