Majorel embarrasses Pôle Emploi. Massive theft of personal data
Revealed on 23 August in an official press release, the massive theft from Pôle Emploi of the personal data of 10 million jobseekers has come at a very bad time for Majorel, the service provider involved. Majorel is in the process of being sold to Teleperformance (the takeover bid began on 14 August) and has a strong presence in the public services and healthcare sectors, where data protection is a sensitive issue. In Germany, a number of banks that are customers of Majorel, a company listed on the Amsterdam stock exchange, have also been affected.
The vulnerabilities in MOVEit, a specialised file transfer software published by Ipswitch, that are thought to be behind this malicious attack are disrupting the summer slumber of many major companies: EY, Cegedim, Deutsche Bank and ING are also thought to be affected.
900 dollars, the price of the file for sale on the darknet.
On 8 August, an advert posted on the darknet caught the attention of those monitoring the site, such as Damien Bancal (Zataz). An anonymous but well-known seller offered to sell a file containing 10.2 million items of data. We later learned that this file concerned jobseekers registered in February 2022 in the Pôle Emploi file or who had been registered in the twelve months preceding this date.
In an official press release on 23 August, Pôle Emploi acknowledged the theft, but initially did not say which service provider was involved. There were only two providers of these document scanning services. We would later learn that it was Majorel, one of Europe's leading BPO companies, that was involved and not Tessi, the agency's second partner for EDM and automated processing activities.
The data disclosed.
Social Security numbers, surnames and first names are contained in the leaked files, but not the bank details, passwords or telephone numbers of the people concerned, according to Pôle Emploi. A security flaw in the MOVEit Transfer file-sharing application (published by Ipswitch, part of the Progress group) is believed to be the cause of the theft, a flaw known to specialists and already used by the Clop ransomware gang for its misdeeds.
After learning of this likely sale, Pôle Emploi said it would be contacting the jobseekers concerned and urged them to be extremely cautious in the event of solicitations by third parties. The Social Security number can be used in a number of fraudulent ways, since it is the gateway to many government services, but it is not sufficient in itself. On its interactive voice server (which we tested), choice 3 allows you to find out more about this theft and obtain more information. 3949 is therefore likely to be called more often than usual over the next few days, during which time it will be updated.
This deal comes at a bad time for Majorel, which is about to be sold to Teleperformance.
Majorel, which had a turnover of 1.7 billion in 2021, is considered to be a rigorous, high-quality player in its field. But it is also in the process of being acquired (for €3 billion) by Teleperformance, the world leader in BPO and outsourced customer experience. Data security is a subject that BPO players keep a close eye on, and one that mobilises extensive and expert CISO and anti-fraud departments, as Aurélie Naudé, Legal and Compliance Director at Teleperformance, recently explained: "We need to be prepared for anything."
At the same time, Majorel (formerly Arvato) has a strong presence in the healthcare and public services sectors, where people are particularly vigilant about personal data. Juan d'Alcantara is in charge of the commercial side of the public and health sector.
On 10 July, the German business daily Handelsblatt revealed that Majorel had been affected by data theft made possible by the aforementioned flaw, and that major banks such as ING, Comdirect, Postbank and Deutsche Bank, its customers, had therefore been impacted. It also mentioned that Kontowechsel, a Majorel software subsidiary used by these banks, may have been affected.
We now know that EY and Cegedim were also victims of these thefts. More than 1,006 companies and public bodies* are thought to be affected by data theft worldwide, as described here. (*Including companies such as Deloitte, hospitals, British Airways, BCD Travel, dioceses and their donor files.)
A previous data theft at Pôle Emploi in 2021 only affected 1.5 million jobseekers.
The CGT is taking a stand.
In an official press release, the union linked this data theft to the massive outsourcing of these services to external service providers and to the desire of sponsors to reduce the associated expenditure. It warned of the risks ahead, given the creation of France Travail. It also points out that a major player in the temporary employment sector (without naming it, but in this case it is Adecco) was also the victim of a similar theft, which subsequently led to fraudulent direct debits being issued by Solfex France Sasu.
Read our article here on how Adecco set up a callbot, with Citizen Call, to inform its temporary workers.
Why name Majorel? Possible impacts.
Majorel, a company listed on the Amsterdam stock exchange (Majorel Group Luxembourg SA), is an entity formerly known as Arvato, whose two main shareholders are Bertelsmann and Saham Group. Its core business is document dematerialisation and outsourcing of digitisation and customer relations services, particularly for public sector bodies: the company serves the city of Barcelona in this area, as well as local authorities and administrations in the UK, Spain and Germany. The following video shows one of the company's many speeches on these subjects.
Majorel has not published a press release on this theft or loss of data on its website. Since the 10 July article in Germany, the company, renowned for its discretion, may have thought that the fire had been contained. This incident in France has put the company back in the spotlight.
The complaint filed with the Paris Public Prosecutor's Office by its client Pôle Emploi will probably shed some light on what happened. Officially described as an act of cyber-malice, the administration's official communication initially made the service provider out to be a victim. It is now naming it as the party responsible, as suggested by the comments made to AFP. What are the risks for a service provider, apart from loss of image? Victims of personal data theft can lodge a collective complaint against the company responsible for the loss, but they can also lodge a personal complaint (Article 226-17 of the Criminal Code). In this case, Pôle Emploi would be entitled to take legal action against its service provider.
This is the second loss of personal data this year in France involving a BPO service provider to have received media coverage after the resulting files were put up for sale on specialist darknet sites. The first was at a small player in the telephone intelligence business, as we reported.
The dematerialisation and digitisation of documents are the subject of numerous invitations to tender, to be outsourced to specialists: healthcare, television channels, health players, Opacs, banks and public services entrust these digitisation tasks to specialists such as Arvato (now Majorel), Luminess, Tessi, Vivetic etc. in France.
Front page photo on LinkedIn post: Luminess, one of the leading players in EDM and data digitisation, is actively working on security processes and the anonymisation of personal data. Luminess is not involved in the case mentioned in this article.