Orange recently suffered a data breach and around 3% of their user records in France were allegedly hacked. This amounts to around 800,000 users.
The anatomy of the attack appears to be SQL injection: the French version of their web application took users to a flawed My Accounts page that was vulnerable to some form of data exfiltration. I assume SQL injection because of the amount and type of data taken, which looks very much like the contents of a database table.
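As an added illustration (not code from this post, from Orange, or from ZDNet), this is the shape of the flaw the post assumes: an account lookup that splices the request value into the SQL text, shown beside its parameterised form, against a constructed in-memory SQLite table. The table, names and account ids are all made up.

```python
import sqlite3

# Constructed sample data for a toy "My Account" table; not a real schema or real customers.
SAMPLE_ACCOUNTS = [
    ("A1001", "Alice Martin", "12 Rue Exemple, Paris", "alice@example.invalid"),
    ("A1002", "Bob Durand", "4 Avenue Test, Lyon", "bob@example.invalid"),
    ("A1003", "Chloe Petit", "9 Place Fictive, Lille", "chloe@example.invalid"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (account_id TEXT, name TEXT, address TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_unsafe(conn, account_id):
    """Vulnerable form: the user-controlled value is spliced into the SQL text,
    so the input can change the structure of the query (the SQL injection class of bug)."""
    query = "SELECT * FROM accounts WHERE account_id = '" + account_id + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, account_id):
    """Hardened form: a parameterised query keeps the input as data only,
    whatever characters it contains, so the query structure cannot change."""
    query = "SELECT * FROM accounts WHERE account_id = ?"
    return conn.execute(query, (account_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A tautology in place of an account id: the kind of input a penetration test sends
    # to check whether one customer's page can be turned into a dump of every row.
    tautology = "' OR '1'='1"
    print("unsafe, normal id:", len(lookup_unsafe(db, "A1001")))   # 1 row
    print("unsafe, tautology:", len(lookup_unsafe(db, tautology)))  # 3 rows: the whole table
    print("safe, tautology:", len(lookup_safe(db, tautology)))      # 0 rows
```

The unsafe lookup returns the entire table for the tautology input, which is exactly the bulk, database-shaped data loss described above; the parameterised lookup returns nothing for it.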
Orange has since taken down the My Accounts page whilst they address the issue.
The ZDNet article cites an Orange spokesperson as saying:
“Theft of this type of data mainly serve to feed ‘phishing’ activities, and we ask our customer to remain vigilant and to never provide personal data over email or click on links in email that may be untrustworthy.”
“Orange is already in contact with all customers affected, and no action by our customers is required.”
It's certainly not the first time a major organisation has tried to play down its responsibilities, but the above statements are ridiculous. Why should customers remain vigilant? How are they supposed to know which links are trustworthy, when the phish will contain all their other account information (name, address, account number) and will therefore be HIGHLY realistic?
To have the audacity to say customers don't need to take any action really gets my goat!
At the very least, Orange should:
- Offer customers free credit monitoring for the next 12 months
- Offer customers free data breach / identity theft insurance
- Offer customers a free anti-phishing application or even anti-virus
- Set up a hotline for concerned customers
Just playing the whole thing down and passing the buck to customers is infuriating to hear.
It's like “Sorry, we've had a data breach due to sloppy security on our systems. Erm... keep an eye out to make sure you're not affected, along with the other 799,999 customers we've put at risk through our negligence. By the way, have you heard about our great new package offering 900 minutes and an iPhone 5? Oh, and just for future reference, it's not our fault, hackers are too clever for us and we just didn't see this coming, so please don't call us (we don't care).”
There are two lessons to learn here:
- Carry out regular penetration testing on ALL externally facing web applications that interface with personal data. A penetration test would have identified SQL injection vulnerabilities (we find them all the time!).
- Develop an incident response plan that includes responsible, effective PR that enhances your brand and shows a willingness to protect customers, rather than leaving them to fend for themselves.
If corporations that are responsible for massive amounts of personal data continue to get away with this, then it's not going to be long before all our private data is public.
Source for the stats / attack type: ZDNet.