The surnames, first names and Social Security numbers of people who were registered with Pôle Emploi in February 2022 have been stolen. An investigation was opened on Wednesday by the Paris prosecutor’s office. “We are facing hackers whose job it has become, and they don’t need to be geniuses,” says cybersecurity specialist Damien Bancal.
A Pôle Emploi database sells for $900, according to cybersecurity specialist Damien Bancal, journalist and founder of the blog zataz.com, interviewed in the evening of Friday August 25 on franceinfo. The cybercrime section of the Paris public prosecutor’s office opened an investigation on Wednesday August 23 for “fraudulent introduction and maintenance in an automated data processing system”, after an act of cyber-maliciousness towards one of the service providers of Pôle Emploi.
>> Cyberattacks: what happens to our data when it is stolen?
franceinfo: What data are we talking about exactly?
Damien Bancal: We have a computer hacker who sells two databases: the first would date from 2021, the other from 2022. There are surnames, first names, Social Security numbers, telephone numbers, email addresses. We even have certain documents that use geolocation. Fortunately, there are no bank details.
What is the point of having this type of data?
I’ve been observing this malevolent marketing for about ten years: for them, a database is being marketed. In the case of Pôle Emploi, it is 900 dollars. In 2021, a first part of this database was sold for $1,200 by this same hacker on other forums. Buyers have several goals: first, an unhealthy curiosity that will then be used for phishing, the famous phishing, which will then be used to pass themselves off as Pôle Emploi, for example.
>> Cybersecurity: the National Information Systems Security Agency “counted around 2,000 cyberattacks in 2022” in France
You can also have scams by phone or email. The most worrying: malicious professionals could contact users of Pôle Emploi by offering them a fake job, present themselves under the guise of a real company, make them sign a real-fake contract. These people could receive stolen checks or products, and these fake employees could send them to more distant lands, and become bad guys without knowing it.
Is there a loophole, a vulnerability, on the part of public bodies when they call on service providers?
In France, we are normally particularly well shielded against all that. We first have our CNIL (National Commission for Computing and Liberties), we have the ANSSI (National Agency for the Security of Information Systems). Normally, a company, all the more state-owned, has had training, education, reminders of the law, and its economic and technical partners must also take into account loaned data. Databases are information controlled by the CNIL and by a law such as the GDPR. But we have in front of pirates whose job it has become, and they don’t need to be geniuses. They need a chance.
Pôle Emploi ensures that you should not hesitate, in case of concern, to contact your adviser or to call the switchboard at 3949, but what can you do now?
People need to be careful of the phone calls they are about to receive, and potentially any emails from strangers. As usual, we do not click on anything, and we do not hesitate to call on Pôle Emploi, which could potentially respond “no, we didn’t write to you”.