By – The Register

Payments outfits Viamedis and Almerys both experienced breaches of their systems in late January, the National Commission on Informatics and Liberty (CNIL) revealed, leading to the theft of data belonging to more than 33 million customers. Affected data on customers and their families includes dates of birth, marital status, social security numbers and insurance information. No banking info, medical data or contact information was compromised, the CNIL added.

“This is the first time that there has been a violation of this magnitude [in France],” Yann Padova, digital data protection lawyer and former secretary general of the CNIL, told French radio network France info. Padova believes the breach is the largest in France’s history.

Viamedis was reportedly compromised through a phishing attack that targeted healthcare professionals; the attacker used credentials stolen from those professionals to gain access to its systems. Almerys didn’t disclose how its compromise occurred, but it’s possible the ingress was similar in nature – it admitted the attacker gained access through a portal used by healthcare providers.

The CNIL said that it’s working with Viamedis and Almerys to ensure those affected are informed – as is required under the EU’s General Data Protection Regulation – but it’ll likely take some time to get the word out to nearly half the country.

In the meantime, French officials are warning that the stolen data could be combined with data from other breaches to be used in phishing attacks or social engineering schemes. An investigation has been opened, the CNIL said, to determine whether either organization is at fault for the breach.