The Commission Nationale de l'Informatique et des Libertés (CNIL), the French data protection authority, announced on Thursday, April 21 that it had fined the company Dedalus Biology 1.5 million euros after a major leak of health data.
In mid-February 2021, a user posted on a discussion forum, freely accessible, a database of sensitive medical information on nearly half a million French people. It contained their last names, first names and postal addresses, as well as phone numbers and email addresses, and in some cases their blood type or social security number. Ultra-sensitive medical information was also included in the published data, concerning in particular “HIV, cancer, genetic diseases, pregnancies, drug treatments followed by patients, or even genetic data”, the CNIL specifies.
The source of the leak was quickly identified as software marketed to laboratories by the company Dedalus Biology. The CNIL then opened an investigation and audited the company. The damning findings of those checks prompted the regulator not only to impose a large fine but also to make the sanction public.
“Many shortcomings”
The CNIL considers the company liable for major breaches of the General Data Protection Regulation (GDPR), the European framework for personal data. In particular, it criticizes the company for “many technical and organizational security shortcomings”, specifically the “lack of encryption” of some data, the “lack of authentication” for access to part of the IT infrastructure, and “the absence of automatic deletion of data after [their] migration”.
For the CNIL, “this lack of satisfactory security measures is one of the causes of the data breach that compromised the medical records of nearly 500,000 people”. The CNIL also accuses the company of going beyond its customers' requests, in this case those of medical laboratories, by extracting, during “the migration from one software product to another tool”, “a larger volume of data than required”.
A few days after the disclosure of the data breach, a court, in summary proceedings brought at the request of the CNIL, ordered French internet service providers to block Internet users' access to the site on which the data had been published.
While the fine imposed by the CNIL sanctions security deficiencies, the person or persons responsible for the hacking and posting of the data have not been identified. The data may first have been put up for sale, several months before the public discovery of the leak, on specialized online forums. The original seller is then said to have released the data openly following a dispute with a buyer.
The Paris prosecutor’s office opened an investigation into computer hacking and entrusted it to the police unit specializing in the fight against cybercrime.