Computer intrusions are often made possible by an unprecedented chain of negligence, errors and flaws. The attack on the Assistance publique-Hôpitaux de Paris (AP-HP), which compromised the data of 1.4 million people tested for Covid-19 in mid-2020, illustrates this.
On September 15, when the organization that oversees hospitals in the Paris region announced the incident, it did not mention a crucial and worrying point: for a time, the stolen data had been published in open access on the Internet. This was later clarified by Martin Hirsch on Friday, September 17, in a long email sent, as the law requires, to each of the people affected by the leak. The head of the AP-HP stated that the stolen data had been published “on a download platform hosted in New Zealand”. This is the Mega platform, formerly Megaupload. “This access was cut off on September 14, 2021,” Mr Hirsch said.
When asked, the AP-HP said it had been alerted to the publication of the data on September 9 by the National Agency for the Security of Information Systems (Anssi), the state’s digital bodyguard. The data was therefore accessible for at least five days. Could it have been downloaded by third parties? When contacted, Anssi and Mega declined to answer our questions and referred us to the AP-HP, which told us it had “no knowledge at this stage of any circulation or sale of this data”.
How did the last names, first names, dates of birth, gender, Social Security numbers, test results and, in some cases, postal addresses, phone numbers and email addresses of nearly 1.5 million people end up online? The chain of events, which Le Monde has been able to reconstruct, begins in September 2020.
Data sent manually
A data-hungry system had come into being a few weeks earlier in the bowels of the AP-HP. It is called Sidep: the database that, almost since the start of the pandemic, has centralized every day the results of all tests carried out on French territory. From there, data goes in particular to the Health Insurance fund, which is responsible for contact tracing: it uses the information in Sidep to contact people who test positive and to identify those they may have infected before they knew they were sick.
Today, this transfer to the Health Insurance is automatic and secure. But in September 2020, the transfer mechanism was not yet operational. AP-HP employees therefore had to send the necessary data manually to their counterparts at the Health Insurance. To do so, they used an internal AP-HP service called Dispose, which the hospital group’s employees use to exchange various files.
It is the equivalent of Box or Dropbox, hosted on the AP-HP’s own servers: agents deposit data there, and the Health Insurance can then retrieve it via a link. For each transfer, a password is sent to the Health Insurance teams through a separate channel. That was the case for this transfer, which concerned test data, mainly for Ile-de-France residents, collected over a five-month period between June and October 2020.
This was not provided for by the decree that created Sidep, and it poses data-protection risks. The AP-HP defends itself, citing the “encryption measures” applied to data on this platform, which also holds “health data hosting” certification, and explaining that it adopted this solution “rather than endangering contact tracing and weakening the tools for managing the dynamics of the epidemic”.
The National Commission on Informatics and Liberty (CNIL), which keeps a close watch on Sidep, was informed of this way of working, found nothing to object to and “verified that the basic authentication functions were properly implemented”, the institution told Le Monde. The investigation opened by the CNIL “should make it possible to determine whether the AP-HP has fulfilled its obligations in terms of computer security for this tool”, the same source added. The Health Insurance declined to answer our questions.
In theory, the data was deleted manually after each transfer. The link giving access to it was also supposed to self-destruct after seven days. Yet the data placed on Dispose in September 2020 remained on the organization’s servers for a year. In practice, anyone who had the link could reach the download page; only a password stood between them and the data. How can this failure be explained? “The internal investigation will determine the reasons,” says a source at the AP-HP.
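As an added illustration (this is not the AP-HP’s Dispose code nor Hitachi’s HCP Anywhere), here is a hypothetical file-drop service in which the two controls described above, the seven-day link self-destruction and the deletion after transfer, are enforced on the server side, so that a password is never the only thing standing between a link and the data. All class and function names, and the sample dates, are assumptions.

```python
from __future__ import annotations
import hashlib, hmac, secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

LINK_TTL = timedelta(days=7)  # the self-destruct delay the article describes

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Share:
    salt: bytes
    pw_hash: bytes
    created: datetime
    payload: bytes | None  # None once the data has been purged

class DropService:
    """Hypothetical file-drop service (not Dispose or HCP Anywhere) that
    enforces link expiry and post-transfer deletion on the server side."""

    def __init__(self) -> None:
        self.shares: dict[str, Share] = {}

    def create(self, payload: bytes, password: str, now: datetime) -> str:
        token = secrets.token_urlsafe(16)  # the link; the password is sent separately
        salt = secrets.token_bytes(16)
        self.shares[token] = Share(salt, _hash(password, salt), now, payload)
        return token

    def download(self, token: str, password: str, now: datetime) -> bytes | None:
        share = self.shares.get(token)
        if share is None or share.payload is None:
            return None  # unknown link, or data already deleted
        if now >= share.created + LINK_TTL:
            share.payload = None  # expired link: fail closed and purge the data
            return None
        if not hmac.compare_digest(_hash(password, share.salt), share.pw_hash):
            return None  # wrong password; the link alone grants nothing
        data, share.payload = share.payload, None  # delete right after the transfer
        return data

    def sweep(self, now: datetime) -> int:
        """Retention job: purge expired shares that still hold data, so a
        forgotten transfer cannot linger for a year. Returns how many it purged."""
        stale = [s for s in self.shares.values()
                 if s.payload is not None and now >= s.created + LINK_TTL]
        for s in stale:
            s.payload = None
        return len(stale)
```

The sweep is the safety net for the case the article describes: even if nobody ever follows the link, the data does not outlive its seven-day window.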
A flaw unknown to the manufacturer
This is where a software flaw comes in. The AP-HP was informed of its existence by Anssi on August 30. Then, on September 2, the Paris prosecutor’s office opened a preliminary investigation on several counts of computer hacking and entrusted it to cybercrime specialists at the Paris police headquarters.
While the Paris hospital group declined to comment on the Dispose file-sharing service, Le Monde has confirmed that the flaw lies in HCP Anywhere, the software developed by Hitachi that the AP-HP uses to run Dispose. This flaw, whose exact nature is not known, made it possible to bypass the password protection and download the data. It was not public and was even unknown to the manufacturer at the time of the attack, which took place over the summer, proof that the attackers were well informed.
Asked by Le Monde, Hitachi acknowledged on Tuesday, September 21, that it had been alerted to a potential vulnerability on September 13 “by one of [its] customers”. After identifying the flaw, the manufacturer made a security update available to users on Sunday, September 19.
Those whose data have been leaked should be vigilant in the coming weeks. “The data could be used for phishing attacks against the people concerned,” explains the CNIL. In practice, attackers could use the recovered data to send highly personalized scam emails. Nothing lends as much credibility to an email purporting to come from a bank, an insurer or an online service, in order to extract a password or a bank card number, as details such as an address or a social security number.