Cyber Incident Victim: Conseil départemental des Hauts-de-Seine
Date:
Jun 2023
Location:
France
Summary
A ransomware attack targeted the municipality of Saint-Martin-lez-Tatinghem, encrypting part of its data and demanding a ransom, which officials refused to pay. The incident disrupted email systems and certain municipal operations at the town hall, though technical services, libraries, schools, and cafeteria reservation systems remained unaffected. Rapid containment measures, including network isolation and internet disconnection, limited the malware's spread. Authorities suspect unauthorized access to personal data, prompting notifications to the national gendarmerie and CNIL while advising vigilance against potential phishing or fraud attempts. Recovery efforts prioritized secure, gradual restoration of services, with ongoing investigations to assess data compromise.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On June 21, 2023, the municipal systems of Saint-Martin-lez-Tatinghem in France’s Hauts-de-France region experienced a ransomware attack. The malicious software encrypted files and disrupted network operations, prompting immediate detection by the digital service team of CAPSO, the city’s network management partner. Initial response actions included isolating all affected machines from the network and disconnecting internet access to contain the virus. Coordination began with the Regional Cyber Incident Response Center (CSIRT), the National Gendarmerie, and CAPSO to assess the breach. Technical diagnostics confirmed partial encryption of data, though the attackers’ specific entry vector remained under investigation. The city publicly disclosed the incident on June 23, noting most municipal services were impacted but maintained through adapted workflows. Electronic mail systems were temporarily disabled, forcing staff to prioritize phone communication and in-person visits at town hall. A ransom demand was issued by the attackers, but the municipality, in consultation with specialized agencies, refused payment to avoid legitimizing cybercriminal activity.
By June 28, forensic analysis indicated potential exfiltration of personal data, prompting the city to notify France’s data protection authority, CNIL. Services such as libraries, technical departments, schools, and the eTicket cafeteria reservation system remained operational, while town hall operations faced significant disruption due to targeted encryption of documents. Gradual restoration of email access began, though delays persisted in processing messages received since the attack date. The Culture, Youth, and School Life department’s animation services anticipated a near-term return to normal function. Citizens were repeatedly warned to scrutinize suspicious communications, with instructions to report phishing attempts to cybermalveillance.gouv.fr and reset compromised email passwords. The Gendarmerie’s ongoing investigation focused on identifying stolen data categories and attack methodologies. Municipal updates continued via the city’s official website and Facebook page, emphasizing transparency amid recovery efforts. No evidence suggested attacker persistence in the network following containment.