France Travail, the Boulanger brand, the Old Age Insurance Fund or, more recently, the operator Free have all been hacked since the start of 2024.
What happens to the millions of personal records stolen in this way?
Hackers offer their insight to TF1.
Marie-Madeleine Sabbi, a Free subscriber, quickly understood. “Do you realize the anxiety we live in? Being afraid to open an email, a phone call… It's the unknown. You have someone walking around with all your contact details, but you don't know who,” describes the retiree at the microphone of TF1, in the 8 p.m. news report visible at the top of this article. Since the message sent by the operator last week, she and her husband have been convinced that they are among the 19.2 million customers whose personal data has been stolen. It is the latest cyberattack in a long series that, in 2024 alone, has also affected France Travail, the Boulanger brand and the Old Age Insurance Fund.
But what actually happens to this information after it has been stolen? The author of the hack of the Iliad group, owner of Free, has already indicated that he resold all this data for 160,000 euros. It takes only a few minutes for Clément Domingo, alias SaxX, to find 100,000 of these records, freely accessible on the Internet. “The most critical information is banking data, including the IBAN and the famous BIC, which are used for a whole range of operations,” indicates the self-proclaimed “gentle hacker”, an expert in cybersecurity and IT who helps hacked humanitarian NGOs.
In front of his screen and in front of our camera, he demonstrates that fraudulent withdrawals can indeed be made from your bank account with this data alone: “We provide the various information, like here with the IBAN number, and then, all that's left to do is pay. Look, an amount has been issued.”
Tiphaine Romand-Latapie, another cybersecurity expert, in this case on behalf of the specialized company Synacktiv, recommends, in such a case, immediately alerting your bank advisor: “The only thing you can do is be vigilant,” she elaborates. “So this means monitoring your account to check that there are no unauthorized withdrawals. By monitoring everything, even small amounts. It's important. For thirteen months, you can object and the money will be returned to your account.”
Generally, it is other hackers who buy stolen data, and who then make the investment profitable by exploiting its contents. “In view of the purchase price announced by the author of the cyberattack against Free, it is likely that the person who purchased the computer file will keep it for a short while,” specifies Baptiste Robert, alias fs0c131y, cybersecurity researcher and 'nice hacker', to TF1info. “Then, the hacker will sell them at retail to other hackers, who will then resell them to others.” If 100,000 of these freshly stolen records are already accessible, it is probably because they had leaked in the past, which caused them to lose their value on this 2.0 black market.
All of this data is destined to be used for attempted fraud, most often through identity theft, or as part of phishing campaigns. “Hackers will use banking information to personalize their scam attempts and make them more convincing,” continues Baptiste Robert. “People affected by a data leak will receive emails and text messages inviting them to click on a fraudulent link, with the aim of recovering their usernames and passwords, or other banking data. We will have to be extra vigilant.”
Although the Banque de France assures that the RIB leak (including in particular the IBAN and the BIC) “is not risky in itself”, because you must sign a direct debit mandate for someone to take money from your account, be aware that a fraudster can himself register as a direct debit issuer with a payment service provider, and then forge direct debit mandates against illegally obtained IBANs. The scammer can also take out subscriptions and services paid for by direct debit. In any case, vigilance pays off even in these cases: everyone has a period of eight weeks to contest any direct debit, including after a direct debit mandate has been used, and thus be reimbursed, “unconditionally”, underlines the Observatory on the security of means of payment (OSMP).