Nationalities, birth dates, and passport numbers among potentially exposed data

French government visa website hit by cyber-attack that exposed applicants' personal data

UPDATED The personal data of visa applicants hoping to visit or emigrate to France has been exposed in a cyber-attack targeting the French government’s ‘France-Visas’ website.

France’s Ministry of Foreign Affairs and Ministry of the Interior, which jointly manage the site, said the attack took place on August 10 and was “quickly neutralized”, according to a Google translation of a French-language government press release published on Friday (September 3).

The compromised data comprises details entered during visa applications, including email addresses, first and last names, dates of birth, nationalities, and passport numbers or identity card numbers.

No financial or ‘sensitive’ data (as defined by the GDPR) was compromised, said the government ministries.

Read more of the latest security news from France

The press release did not disclose how many individuals are impacted or a range of dates within which visa applications were compromised.

The statement intimates that the stolen data would not be sufficient for the attackers to access government services under the guise of victims.

David Sygula, senior cybersecurity analyst at Paris-headquartered infosec firm CybelAngel, told The Daily Swig: “Such data is highly valuable like any PII for malicious purposes. Depending on the country and the freshness of data, one record can typically be sold for around 10, to several dozen euros on illicit sites (Dark Web).

“The data in question can be used for impersonation to carry out several types of fraud, such as opening a bank account or other malicious activities related to immigration (think human trafficking).”

Incident response

The French government ministries said they immediately implemented measures to secure and prevent further attacks.

Affected individuals have been notified of the data breach and been given recommendations for protecting their personal data and online identities, said the statement.

The French data protection regulator – the Commission nationale de l'informatique et des libertés (CNIL) – has been notified and a judicial investigation is underway, reads the press release.

David Sygula of CybelAngel said: “The mere successes of the attack – although contained – is a way of attacking France as a country and institution. It may ‘give faith’ to other groups and harm France’s overall reputation regarding cyber exposure.”

The number of visas issued by the French government fell by nearly 80% between 2019, when 3.5 million visas were granted, and 2020, as the Covid-19 pandemic decimated international travel, has previously reported.

The Daily Swig has asked the French government for further details, and we will update this story if and when they do so.

This article was updated with comments from David Sygula of CybelAngel on September 7.

RELATED Dallas Independent School District reports data breach impacting current and former students, staff