Contacted just before the holidays, Madame L., a resident of the village of Églisottes-et-Chalaures in Gironde, is “fall from the clouds”. Her date of birth, that of her husband, their address, the amount of benefits they receive from the Family Allowance Fund (Caf) and even their income were found on the internet. “I was not aware, you teach me”, the 50-year-old tells us on the phone. Ditto for Madame F. from Saint-Sulpice-et-Cameyrac, Madame B. from Cabanac-et-Villagrains and a dozen other people whom we contacted. Stupor and a little anger too.
The origin of this “leak”, which the investigation cell of Radio France reveals to you, is at the Gironde family allowance fund. The organization (of private status, charged with a public service mission, like all Cafs) regularly trains its agents, in particular its statisticians. To teach them the R language, a programming language for statistics, he called on a service provider based in the Paris region. And as in all training, there are practical cases with exercises.
Address, date of birth and household income made public
In this context, the Caf de Gironde communicated to its client a file containing the personal data of 10,204 recipients precisely. The surnames and first names have been removed as well as the postal codes, but a lot of information remains: address (street number and name), date of birth, household composition and income, amounts and types of benefits received (RSA, APL, disabled adult allowance, etc.), in total, no less than 181 pieces of data per beneficiary were revealed. Even the dates of birth of the children and the existence of joint custody are mentioned in the file. The deletion of surnames and first names in no way prevents the recipients from being identified because by using the reverse directory on the internet, we were able to find the identity of most of them.
At the time of the training, in March 2021, the service provider puts this file online on its website (see screenshots below). Far from being reserved solely for Caf agents, access to this data is possible for everyone. Just click on a file called caf.zip. “When the Caf communicated these data to me, I thought they were fictitious”defends today the service provider, whose anonymity we preserve. “We don’t need real data for training, only ‘realistic’ data. The file was made available on my site as part of an online training and I failed to remove it afterwards. “ As soon as we contacted him, this trainer removed the file from his site. He will still have remained there… 18 months.
Beyond this “forgetting”, it is the very transmission of this data by the Caf to a third party that raises questions. “This is sensitive personal data. I do not think that the Caf had the legal right to export this data”explains Bastien Le Querrec, jurist at the
Squaring the Net. “We have a window on the intimate life of more than 10,000 people with very precise information”laments Alexandre*, another member of the association. “It is very problematic that the Caf allows itself to send this data to a private service provider, it could have done this training with a set of fictitious data”he continues.
So what does the law say? According to Alexandra Iteanu, a data protection lawyer, “For a transfer of personal data to be legal, it must be based on one of the six legal bases imposed by the GDPR [Règlement général sur la protection des données, NDLR] : the consent, the contract, the mission of public interest, the safeguard of vital interests, the legitimate interest and the legal obligation. CAF therefore did not have the right to communicate this data if it did not inform the persons concerned in advance and obtain their consent.concludes the lawyer.
The Caf de Gironde accuses the service provider and will investigate
In this type of situation, the sanctions can be of three types: administrative (pronounced by the Cnil), civil and even criminal. It must be said that the damage can be significant for the recipients. “With so much data available online, the greatest risk is identity theft”explains Bastien Le Querrec. “There can also be malicious targeting. For example, we receive a message that says ‘do this for your child’, and we connect to a fraudulent platform.”
Asked about this case, the press service of the National Family Allowance Fund (Cnaf) replied that “this data should never have been put online by the service provider” and that the latter had received the file as part of “of a very restricted formation” with a staff “subject to professional secrecy”. The document, we are told, had a use “strictly internal”. CAF de Gironde will inform the 10,204 beneficiaries concerned and has opened an internal investigation to “understand how this situation could have arisen and put in place a tighter follow-up system.”
* Assumed first name
To send information to Radio France’s investigation unit anonymously and securely, you can now click here:
