But in reality, where does our data go after a cyber attack?

This is not the first massive cyber attack in France and will certainly not be the last. This Wednesday, the National Commission for Information Technology and Liberties (Cnil) announced that more than 33 million people were affected by a hack targeting Viamedis and Almeris, service providers specialized in managing third-party payments for complementary services. . “The relevant data, for the insured and their family, is the marital status, date of birth and social security number, the name of the health insurer as well as the contract subscribed,” the organization confirmed in a press release. release, ensure that certain sensitive data is not affected. This is the case for banking information, medical data, health reimbursements, postal details, telephone numbers and emails.

If the CNIL claims not to be able to individually indicate who has been affected, it is important to ask ourselves where our data goes after an attack. Are they all destined for the dark web? Yes, says Maître Hélène Lebon, a lawyer specializing in personal data protection law and cyber security. If you were still hoping to give up data, go ahead. “There’s always something to do with it. The dark web follows a capitalist logic,” Vakil recalls. Data protection expert Yosra Jaraya adds, “There’s cause for concern.” “For what? Due to the enormous amount of data and by some providers.

However, on the dark web, not all values ​​are equal. According to Maître Brigitte Lebon, the first and last name as well as the address remain data that is not very monetized. “All this data should already be on the dark web,” compares the lawyer. In contrast, information such as family composition or financial capacity is more readily available for purchase. “About 150 euros according to American studies”. To get an idea, the Dark Web Price Index lists the average sale price of data each year. In 2023, Instagram account credentials will sell for $25, compared to $60 for a Gmail account.

Risk of phishing and identity theft

But there will be another future for leaked data. In the case of mutual health insurance providers, these are phishing attempts, summarizes Maitre Clemens Merola, a lawyer specializing in new technologies at the firm Blast Avoces. “For example, you will receive a fake e-mail with your mutual insurance company’s logo, your name, your identifiers… everything to give you confidence. And in this e-mail, we will inform you that they have to reimburse you the amount of 150 euros but to do this, you have to click on a link and enter your bank card number. Banks, you click and the phishing attempt is successful.

However, data is not resold just once. First because they can be endlessly copied and pasted, summarizes Yosra Jaraya. But only. “The flaw also involved Social Security numbers. Because it is a unique number that can never be renewed, there is also the risk of identity theft,” explains Maître Clémence Marolla. This data can then be re-purchased for banking operations or in a business environment, for example.

What to do in case of attack?

A data breach is never an overnight affair. By the time an attack occurs, the malicious actors may have been striking for a long time. “Usually, when we see a cyber attack, it doesn’t just happen. We don’t know how long they were there, or for how long, or if it was a voluntary act,” explains Yosra Jaraya. Sometimes the investigation can take longer after the attack is announced. “We know about the attack two days later and six months later. What we know is usually nothing to do with it,” summarizes lawyer Brigitte Labon. And the expert added: “If you are attacked tomorrow, we will have almost no way of knowing that it is because of this attack. Or an attack ten days ago or ten years ago.”

So what can we do to avoid collateral damage from this cyber attack? “Be aware of the requests you may receive, especially if they concern the reimbursement of health expenses, and periodically check the activities and movements on your various accounts,” advises the CNIL website.