The IBANs of more than 5 million customers have been stolen.
Data from 19.2 million Free customers has been compromised. In mid-October, a hacker stole the data of the majority of the French mobile operator’s 22.8 million subscribers. On October 30, he announced that he had sold the data for $175,000 (approximately 160,000 euros). According to the hacker, the file mainly contained personal data: names, dates of birth, telephone numbers, and email and postal addresses of customers. 5.1 million IBANs (international bank account numbers) are also said to be affected.
By way of explanation, Free said that it had been the “victim of a cyberattack targeting a management tool” which “resulted in unauthorized access to part of the personal data associated with the accounts of certain subscribers”. A sample of the data was published by the hacker following the theft.
Hacking at Free: what are the risks for your banking data?
How do you know if you’ve been hacked?
Free directly contacted the subscribers concerned in a first wave of emails sent on October 25. In these emails, the mobile operator specifies the nature of the stolen data “associated (with) the subscriber account: surname, first name, email and postal addresses, date and place of birth, telephone number, subscriber identifier and contractual data (type of offer subscribed, date of subscription, active subscription or not)”. The operator specifies that “no password is affected”. Cybermalveillance.gouv states that, in accordance with the General Data Protection Regulation (GDPR), “Free must individually inform all people affected by this personal data breach”.
What are the risks for victims of this type of hacking?
Following the cyberattack, the main risk for victims is unauthorized withdrawals. Rest assured, however: it is difficult to withdraw money from a bank account using only an IBAN. The Banque de France explains that “communicating your RIB (bank identity statement including IBAN) is not risky in itself (…) For a beneficiary to debit your account, you must authorize them by signing a direct debit mandate.”
However, the Observatory on the security of means of payment still recommends that you “check regularly” and “update the list of authorized or prohibited creditor direct debits in your online banking space”. Cybermalveillance.gouv also recommends that you “ask your bank for reimbursement of any transaction of which you are not the author, as well as the removal of the direct debit authorization concerned if applicable”. The government website also recommends informing your bank of “the disclosure of your IBAN so that it places the account concerned under enhanced vigilance”.
The French Banking Federation points out that a direct debit can be challenged “at the latest within 13 months from the debit date”. The time limit is reduced to “70 days when the establishment of the beneficiary of the payment is located outside the European Union or the European Economic Area”.
Other risks to watch out for are “phishing” and “attempts at fraud or identity theft, hijacking of mobile telephone lines”, specifies Cybermalveillance.gouv. To guard against them, remain vigilant against phishing attempts by email or telephone, do not provide a password, and do not validate any banking transaction at the request of an advisor.
What recourse can you have after being hacked?
Victims of the cyberattack can file a complaint with the CNIL (National Commission for Information Technology and Liberties) if they consider that their personal data has not been sufficiently protected by Free. If the stolen information is used, the people concerned can file a complaint at a police station or gendarmerie brigade.
For its part, Free indicated in an email addressed to subscribers that “this attack was notified to CNIL and the National Information Systems Security Agency (ANSSI). A criminal complaint was also filed with the public prosecutor.”