Mais Non! Orange France Hacked Again, Affecting 1.3 Million

Orange has warned its French customers to beware of phishing attempts

The telecom company has confirmed that last month, on or about April 18, users of its online portal fell victim to a cyber-heist that captured first names, surnames, and, in some cases, telephone numbers, dates of birth and email addresses. The hackers were able to get in via a marketing platform that Orange uses to send promotional emails and text messages to opt-in users.

Fortunately, no payment information or credit card numbers were stolen, but Orange has warned its French customers to beware of phishing attempts. Interestingly, according to Le Monde, it has waited until now to make a public admission so that it could patch the exploited flaw.

“It’s worrying that Orange France has fallen victim to another cyber-attack so soon after the very successful attack in February – with nearly 5% of their subscriber base compromised, well over a million of their customers,” George Anderson, director at Webroot, told Infosecurity. “What’s surprising is the length of time between the attack happening and it becoming public knowledge – almost three weeks – especially as the data stolen is ideal for phishing subscribers using email, SMS and phone calls.”

Orange said that, in this case, the approach was different from the attack in February, which involved a possible SQL injection into the “My Account” section of the orange.fr website, allowing hackers to access the personal details of users. Passwords were spared, but the thieves made off with names, addresses, email addresses, phone numbers and 'household composition' for approximately 800,000 customers.

So, the approach may have been different, but the resulting threat – phishing – is the same.

“Phishing remains the most prevalent attack, accounting for over 55% of successful breaches in our security research, because victims just don’t realize how sophisticated these attacks now are,” said Anderson. “Most phishing sites are ‘live’ for just a few hours and the phishing attack is often indistinguishable from genuine communications and requests. That’s why it’s vital that Orange France customers, a.k.a. potential victims, are made aware of any threat to them immediately.”

Tony Caine, vice president and GM for Asia-Pacific/EMEA for HP Enterprise Security Products, told Infosecurity that Orange’s double-whammy in the first six months of the year will cost the company more than customer loyalty.

“The number of customers affected (1 million this time; 800,000 in February) may have a significant negative knock-on effect – research we commissioned in 2013 found that the average annualized cost of cybercrime for French businesses was €3.89 million per year,” he said. “Moreover, cyber-attacks have become common occurrences in France - the companies in our study experienced 26 successful attacks per week and 1.1 successful attacks per company per week.”
