Free victim of a massive cyber attack: risks, protection measures… What we know about the vast data leak

by time news

A large data leak, revealed on Friday by the company when it alerted its customers, has hit Internet service provider and mobile operator Free: a hacker claims to hold the data of 19.2 million users, and some of it, including banking information, has been made public. Five days later, where do things stand?

What is it about?

In mid-October, a hacker put up for sale a file that he claimed contained the personal data of 19.2 million Free customers, that is, the majority of the company’s 22.8 million subscribers. 5.1 million IBANs (international bank account numbers) are also said to be affected.

In the email sent to affected subscribers, which Le Parisien was able to consult, the operator explains that this attack “resulted in unauthorized access to part of the personal data associated” with their account. Names, first names, email and postal addresses, dates and places of birth, telephone numbers, subscriber identifiers and contract data were thus stolen. “No passwords, no bank cards and no communications content (email, SMS, voice messages, etc.) are affected,” Free told us on Saturday.

What data is out in the wild?

The hacker claimed on a specialized forum on Tuesday evening that he had sold all the stolen data for $175,000. We are unable to verify this information. The hacker’s message is embellished with references to “Reef”, a brand name ironically inspired by the French operator.

To date, it is impossible to certify what this file contains, Damien Bancal, IT security expert and author of the blog zataz.com, told AFP. However, the hacker put online several “samples” containing the data of over one hundred thousand customers, including some IBANs.

At this stage Free has not provided details on the number of subscribers affected.

What protection measures is Free taking?

On Friday, the company began notifying by email the customers whose data, in particular their IBAN, was affected by the leak. “All necessary measures were taken immediately to stop this attack and strengthen the protection of our information systems,” the company said.

Free specified that it had alerted the National Commission for IT and Freedoms (CNIL) and the National Agency for the Security of Information Systems (ANSSI), in accordance with its obligations, and had filed a complaint with the Public Prosecutor’s Office.

What are the risks for customers?

While the leak of an IBAN is often a cause for concern, the Banque de France specifies that “communicating your RIB (bank identity statement, which includes the IBAN) is not risky in itself (…) In order for a beneficiary to debit your account, you must authorize it by signing a direct debit mandate.”

However, a fraudster, “registered as a direct debit issuer with a payment service provider”, can falsify “direct debit mandates on IBANs that he obtained illegally and without any authorization and thus recover the funds”, warns the French Banking Federation (FBF).

Fraudsters “can also sign up for subscriptions and services that would be paid for by direct debit”, the same source specifies.

What to do?

The Observatory on the Security of Payment Means recommends “regularly checking” and “updating the list of authorized or banned creditors in your online banking space”. You are also advised to “carefully and regularly monitor the direct debit transactions debited from your account and in the event of fraud” to dispute the direct debit transaction “without delay”. The refund “is unconditional within eight weeks, regardless of whether or not a direct debit mandate exists”.

The dispute can be made “at the latest within 13 months from the date of the debit”, specifies the FBF. This deadline “is reduced to 70 days when the establishment of the payment beneficiary is located outside the European Union or the European Economic Area”. “Your bank will then have to refund the debited amount at the latest by the end of the first following business day and return the account to the state it would have been in if the transaction had not taken place”, concludes the FBF.

Finally, be particularly wary of phishing attempts by email or telephone: do not provide a password and do not validate any banking transaction at the request of an advisor. Resources are available on the site cybermalveillance.gouv.fr.

