Macron’s details – including his date of birth, date of vaccination and the manufacturer of the vaccine used – were uploaded to social networks after photographs of it being scanned as part of a routine check were published. Users were able to zoom in on details contained in the photograph.
The Élysée confirmed to Europe1 that the President’s code was authentic, and that ‘special arrangements’ would be made to protect his data and prevent fraudulent use of his health pass code.
This latest breach comes months after President Macron’s mobile phone number was confirmed to be on a spyware list.
Last week, Mathis Hammel, cybersecurity research and development director at Sogeti, revealed that he had obtained the Prime Minister’s vaccination QR Code simply by zooming in on a press photograph of Castex while he was having his phone scanned, revealing information including his date of birth and the vaccine used.
While it is unlikely most people would attract press interest at the level of the President of France or his Prime Minister, individuals have been warned not to post photos on social media in which their health pass code is visible.
The Prime Minister’s office told Le Figaro that Castex’s health pass details had been compromised: “This gentleman did have access to the health pass thanks to a photo of Jean Castex, and then used it.
“Although the Prime Minister is regularly followed and photographed by the press, this episode shows that the health pass is a confidential document.”
Castex’s leaked QR code has since been deactivated – but not before, it is believed, it was fraudulently used to gain access to venues that demand health passes but are legally not allowed to confirm pass holders’ identity.
Fraudulent use of another person’s health pass is punishable in the first instance by a fine of up to €750, according to the service-public.fr website, rising to six months in prison and €3,750 for repeated offences.
Officials were quick to point out that other information revealed in the photograph, though personal, amounted to a minor data breach.