Data leak: Information from the Civic Service, exposed on the network
The civic service was the victim of a data leak that users on its website.
The exhibition was discovered on May 30, by cybersecurity researchers. They immediately contacted the civic service agency to notify them of their discovery. A database containing the information of more than 286,000 citizens, exposed to the nude, on the Internet, without any protection.
This article will also interest you: Isolated computer systems targeted by Ramsay malware
It was possible to collect personal information, certain personal data such as names or first names, email addresses, dates of birth and the possibility of access to citizens' resumes. Personal data that is all identifiable, allowing it to be linked to individuals in a concrete and simple way. Data that in principle should be protected.
According to the IT news website Comparitech, the database was discovered by Bob Diachenko, a well-known computer security researcher, for having already made several such discoveries. After his discovery, he automatically contacted another cybersecurity specialist, but this time French, named Baptiste Robert. With the help of the latter, they were able to finally identify the database and link it to the civic service agency. That's when they contact the agency. This procedure used by cybersecurity researchers could be explained by the fact that they wanted to astain the veracity of the information they had observed before contacting any administration.
According to specialist Baptiste Robert, the problem that caused the data leak was resolved just "a few hours" after they contacted the Public Agency on the evening of Saturday 30. "The leak in question came from a MongoDB database left open, without authentication," explains the security specialist. "Last Wednesday, an administration provider made a configuration error by putting the database online without authentication, which could allow a third party to view the data it contained. He says.
According to Bob Diachenko, the database was made up of different types of data. The first category included the personal information of the 286,000 citizens described above. And as has been served, this database contained mainly names and surnames, dates of birth, email addresses… As for the second category, there were almost 373,000 admissions. Not to mention that it included information from the ELISA application, a software for dematerializing conventions (contract) between volunteers of the civic service agency and companies wishing to apply for their skills. To sum up, the second category compile information about participating companies and volunteers. The 3rd category of data relates to the login data to the civic service website and its intranet. Composed of more than 1 million entries, this category exposed names, passwords, email addresses, apartment to users already registered on the platform.
According to security experts, the civic service agency has been "very reactive" in addressing the vulnerability, according to security experts. "Yes, their provider made a mistake, but overall the response from the civic services agency was pretty good. The worst was avoided, which was the ransoming of data by a malicious third party," continues Baptiste Robert.
Regarding the cause of the leak, the civic service agency stated: "The technical investigation, immediately carried out, reveals that no malicious intrusion on the platform occurred. Thus, with the exception of the two computer security experts who alerted the Civic Service Agency, no external consultation was detected. ». In other words, their system was not affected by a computer attack. Regarding the failure that could have led to the leak, the Civic Agency simply speaking of a vulnerability, or rather a configuration error. The positive note in this story is that there is no evidence that the information exposed was actually used in any act of cyber malice. However, the agency, promised to inform all those whose information was on the database extracted.
Now access an unlimited number of passwords: