Date: Feb 2024

Location: France

Summary

A cyberattack targeting the French family benefits agency involved hackers claiming access to 600,000 accounts, though only four beneficiaries' data was confirmed compromised. The group LulzSec published screenshots of these accounts, revealing names, family details, and payment information, but no banking data was accessible. The breach resulted from reused passwords obtained elsewhere, not a system vulnerability. The agency temporarily shut down its online portal, reinforced security measures, and initiated investigations into the broader claim. Affected individuals were notified, a complaint was filed, and regulators were alerted. No unauthorized financial transactions or systemic security flaws were detected.

Description

On February 12, 2024, a hacker group identifying as LulzSec published a tweet claiming unauthorized access to hundreds of thousands of user accounts associated with Caisse nationale des Allocations familiales (CNAF/CAF), France’s family allowance fund. The group released screenshots displaying personal data from four specific beneficiary accounts on Twitter and Telegram, accompanied by a blurred list purporting to represent thousands of additional compromised accounts. The exposed data included beneficiaries’ names, family information, and details regarding allocation amounts and payment dates. CAF temporarily disabled its Mon Compte online portal for several hours on February 12 as a precautionary measure, restoring access by the morning of February 13. Initial investigations by CAF confirmed the compromise of the four accounts depicted in the screenshots but found no evidence of systemic intrusion or security vulnerabilities within caf.fr systems.

CAF attributed the unauthorized access to these four accounts to credential compromise, likely through passwords obtained from external sources unrelated to CAF infrastructure, emphasizing that attackers did not breach CAF’s defenses. No fraudulent transactions or modifications occurred within the compromised accounts, and attackers could not access banking details (RIB). CAF identified and notified the four affected beneficiaries. While LulzSec claimed access to 600,000 accounts, CAF stated this broader assertion remained unverified, with investigations ongoing. The organization filed a criminal complaint and notified France’s data protection authority (CNIL) of the incident. CAF implemented additional password security enhancements during an overnight maintenance window from February 13 to 14, though no technical vulnerabilities necessitating this action were disclosed. Operational impacts were minimal, with no disruption to benefit payments or user procedures beyond the temporary portal closure. CAF maintained continuous monitoring of login systems and reiterated standard security guidance regarding password hygiene without confirming any link between the incident and historical data breaches cited in media reports.
