Personal Details of 800,000 Orange Users Stolen

Share

Related Links

Related Stories

  • Bell Canada Hacked by NullCrew
    Bell Canada announced Sunday that "22,421 user names and passwords and 5 valid credit card numbers of Bell small-business customers were posted on the Internet this weekend." It claims that it was not directly breached, but that the "posting results from illegal hacking of an Ottawa-based third-party supplier." But there's more to the story.
  • Second RBS Outage in a Week Paves the Way for Phishing Extravaganza
    The Royal Bank of Scotland has suffered a second major cyber-attack within a week, leaving a wealth of phishing threats in its wake.
  • Phishing surge shows human element weakest link in cyber-defense
    Although the key part of the term “cyber-security” is certainly the “cyber” portion, Kaspersky Lab’s David Emm argues that the human element of infosecurity is perhaps the most important.
  • 33% of CEOs vulnerable to spear-phishing attacks
    Getting senior management on board is essential for an effective security policy; but new figures show that management isn't merely a part of the solution - where phishing is concerned, senior management can be a major part of the problem.
  • Phishing targets UK businesses 3,000 times per day
    Phishing attacks are evolving, and becoming more widespread over time: Kaspersky Lab has found that 3,000 UK internet users were subjected to phishing attacks each day for the past year, a notable increase from 1,000 the year before.

Top 5 Stories

News

Personal Details of 800,000 Orange Users Stolen

04 February 2014

But not their passwords. Last Friday a French publication provided details on the data stolen from French mobile operator, Orange. The breach occurred on 16 January, and involved the loss of names, addresses, email addresses, phone numbers and 'household composition' for approximately 800,000 customers.

Customer passwords were not stolen – they are stored on a separate server that was not affected. Some partially redacted bank account details were stolen, but, says Orange, in an unusable format. The threat to affected customers is, therefore, from enhanced phishing rather than direct account compromise.

Orange is now emailing affected customers (in French) with information on the breach. This follows an earlier email sent out on 23/24 January giving a general warning on the dangers of phishing, but without mention of the hack. The French publication PCinpact spoke to Laurent Benatar, technical director at Orange. He explained that the breached site was briefly closed while the problem was tackled.

The subsequent email to customers warned about phishing, presumably because Orange had become aware that personal details had been stolen, but did not mention the hack. "For the company," writes PCinpact (in French), "it was still necessary to wait to learn the exact details of the intrusion. Note that the [phishing] advice is valid in all circumstances, whether an intrusion has occurred or not."

Orange has reported the incident to the authorities, and Benatar said that he will not release any further details while the police investigation is under way.

Although the most sensitive personal details – passwords and bank accounts – were stored on separate and apparently better secured servers, Orange customers should nevertheless take this news seriously. With such a wealth of personal information available, criminals will easily be able to fashion compelling poisoned phishing emails, perhaps with additional information found on social networks such as LinkedIn and Facebook.

Although the breach has been closed, in many ways the threat is only just beginning.

As yet there is no indication of who is responsible for the breach. NullCrew, which has claimed responsibility for the Bell Canada breach, recently announced a campaign against internet providers; and on the day before the Orange breach tweeted, "Successful day hacking internet service providers is successful." Infosecurity has asked NullCrew if it was involved in the Orange breach, but has not so far had a response – nor has NullCrew made any indication of involvement.

This article is featured in:
Data Loss  •  Internet and Network Security  •  Malware and Hardware Security  •  Wireless and Mobile Security

 

Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×