Free was “the victim of a cyberattack targeting a management tool” leading to “unauthorized access to part of the personal data associated with the accounts of certain subscribers,” the second largest telephone operator in France announced on Saturday. Here's what we know.
What did Free announce?
In an email sent to its Free Mobile and Freebox subscribers, Free returns to this “cyberattack”: it “led to unauthorized access to part of the personal data associated with your subscriber account: name, first name, email and postal addresses, date and place of birth, telephone number, subscriber identifier and contractual data (type of offer subscribed, date of subscription, active subscription or not)”.
“No password”, “no bank card”, “no content of communications (emails, SMS, voice messages, etc.)” are affected by this attack, neither the date nor the extent of which have been specified, added the company. “No operational impact has been noted on (its) activities and (its) services.”
The number of subscribers affected is not specified. The operator has around 20 million subscribers in France (15 million mobile subscribers and 5 million fiber subscribers).
How did Free react?
“All necessary measures were taken immediately to put an end to this attack and strengthen the protection of our information systems,” assures Free, and “a criminal complaint was filed with the Public Prosecutor.”
The National Commission for Information Technology and Liberties (Cnil) and the National Information Systems Security Agency (Anssi) have been notified, as provided for by law. The operator has set up a toll-free number, 0 805 921 100, reachable from 9 a.m. to 6 p.m.
A month ago, its competitor SFR announced that it had been hit by a similar cyberattack.
What about IBANs?
In some versions of the email sent to subscribers – but not in all – it is also specified that the IBANs (for “International Bank Account Number”) have been stolen. These extended codes, present on Bank Identity Statements (RIB), identify account owners and are provided by customers when subscribing to a service for payment.
“Communicating your RIB is not risky in itself. Indeed, for a beneficiary to debit your account, you must authorize them by signing a direct debit mandate,” recalls the Banque de France on its site.
Should you be careful?
“We invite you to be extremely vigilant regarding the risk of fraudulent emails, SMS or calls. Please note that our advisors will never ask you for your passwords orally,” Free reminds its subscribers. In any case, we must be extra vigilant in the face of increasingly frequent phishing campaigns.
Among the first possible things to do, change the password for your Free account, even if officially it has not been stolen. Likewise, you can ensure that double authentication is active to access your account. This pairs the password with a security code sent by SMS to your phone.
Concerning the IBAN – which cannot be changed unless you close your account – customers are recommended to monitor their bank statements and track unusual charges. If such a withdrawal takes place, even though you have not signed any mandate, the bank will be required to reimburse you.
France
