Cyberattack against Viamedis, Almerys: What can hackers do with your social security number?


Five days after Viamedis, another third-party payment specialist, Almerys, announced that it was the victim of a cyberattack that exposed the data of social security policyholders. Your social security number is one of your most valuable pieces of personal data, but do you know exactly why?

Health data targeted by hackers. The third-party payment operator Almerys was the victim of a cyberattack, five days after Viamedis, another specialist in the sector. According to the company's statements to AFP, the theft of usernames and passwords of "some health professional customers of the service compromised their account and facilitated access" on the dedicated Almerys portal. "Personal data of social security holders was exposed as part of this intrusion," said the organization.

In accordance with GDPR rules, those affected by the data leak will be informed by Almerys. But another question might arise for affected users: what can hackers do with my social security number?

The social security number, an information bank

As you may know, the 15 digits shown on your health card all have a meaning: none is generated randomly, as Health Insurance explains. More precisely, the first 13 digits correspond to the social security number, also called the registration number (NIR), and the last 2 are only used for verification. Each group of digits between spaces has a particular meaning.

In order, we find:

  • The number 1 if you are identified as a man, the number 2 if you are identified as a woman.
  • The last 2 digits of your year of birth.
  • The 2 digits of your month of birth.
  • The 2 digits of your department of birth.
  • The 3 digits of the geographic code of your town of birth.
  • The 3 digits of the birth order number. This number makes it possible to distinguish people who were born in the same place at the same time. It is registered in the civil status register of your municipality.
  • And finally, the 2 digits of the "control key". It is a number calculated from the 13 digits, which makes it possible to automatically verify that the insured has entered their social security number correctly.

The first few digits of the Social Security number can be guessed with a little research, but obtaining the birth order is much more complicated, which guarantees some privacy. Conversely, obtaining someone’s social security number allows you to infer several pieces of personal information.

Because of these characteristics, the social security number is considered both highly sensitive data under the Data Protection Act of 1978 and an aggregate of personal data under the General Data Protection Regulation, the famous GDPR. These two qualifications mean that requesting it and processing it by third parties must meet numerous requirements.
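The layout listed above is enough to write a validator, which is also how a logging pipeline can find these numbers and mask them before they are stored. This is an added example, not part of the article: the key formula (97 minus the 13-digit number modulo 97, with 2A/2B counted as 19/18) comes from the public NIR specification rather than from this page, and the function names and log lines are constructed.

```python
import re

# Constructed sample lines (not real data); the first carries a well-formed NIR.
SAMPLE_LOG = [
    "2024-02-07 portal login ok user=ps-1042 nir=1 85 05 78 006 084 91",
    "2024-02-07 invoice ref 185057800608455 amount=23.00",
]

# Groups in the order the article lists them; spaces between groups are optional.
# 2A/2B (Corsican departments) are accepted, a case the article does not cover.
NIR_RE = re.compile(
    r"\b([12])\s?(\d{2})\s?(\d{2})\s?(\d{2}|2[AB])\s?(\d{3})\s?(\d{3})\s?(\d{2})\b"
)

def control_key(nir13: str) -> int:
    """Key = 97 - (NIR mod 97); 2A and 2B count as 19 and 18."""
    numeric = nir13.replace("2A", "19").replace("2B", "18")
    return 97 - int(numeric) % 97

def _key_ok(m: re.Match) -> bool:
    return control_key("".join(m.groups()[:6])) == int(m.group(7))

def parse_nir(text: str):
    """Return what the first NIR candidate reveals, or None if absent or key fails."""
    m = NIR_RE.search(text)
    if not m or not _key_ok(m):
        return None
    sex, yy, mm, dept, town, order, _ = m.groups()
    return {
        "sex": "male" if sex == "1" else "female",
        "birth_year_last2": yy,
        "birth_month": mm,
        "birth_department": dept,
        "birth_town_code": town,
        "birth_order": order,
    }

def redact_nirs(line: str) -> str:
    """Mask candidates whose key validates; other 15-digit runs are left alone."""
    return NIR_RE.sub(lambda m: "[NIR REDACTED]" if _key_ok(m) else m.group(0), line)

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_nir(line), "|", redact_nirs(line))
```

Checking the key before masking keeps unrelated 15-digit references, such as the invoice number in the second line, intact.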

The social security number, key to public services

Your social security number has been leaked. Now what? In the case of a data leak at a health organization, the information contained in the number is already indicated on the file. On the other hand, the number itself has significant value, since it serves as an identifier for numerous public services, including the family allowance fund (CAF), the retirement fund, Pôle emploi, and the Health Insurance website. To connect to ameli.fr, for example, you must enter your social security number and a password.

If a criminal obtained this information, he could access his victim's payment history. Above all, he could use his access to Ameli.fr to abuse the FranceConnect system. This tool allows you to connect to a public service with the identifiers of another public service, chosen from among 6. For example, you can connect to the Ameli site with the identifiers (tax number and password) of your tax account, and vice versa.

The France Connect platform offers access to numerous accounts.  // Source: France Connect

In total, FranceConnect claims that 700 procedures are accessible via this route. When a user connects using the service, they receive a notification at their email address with the exact connection time, the name of the site and which identifiers were used.

Through this means, a criminal can theoretically have access to all of a person’s administrative documents. Fortunately, this kind of manipulation requires a certain level of expertise. Without going that far, other, more direct attacks are within the reach of all criminals.

Change your passwords

As with any data breach, we recommend that you change any passwords that may be affected. Here, you should change your personal code and the credentials for your Ameli, mutual insurance and FranceConnect accounts, and for all other sites that ask for your social security number to identify you. This may take a little time, but will help you avoid potential identity theft.

