French media report that Orange France was targeted by unknown attackers on 16th January, with the attackers seemingly gaining access to the accounts section on the Orange website.
Orange has since told PCInpact that the “My Account” portal on the website was hacked, and added that three percent of its customers, approximately 800,000 people, had their data compromised.
The section was promptly closed and the security flaw was corrected within hours. The exposed personal information is said to have included names, postal and email addresses, and phone numbers. Although passwords were not affected, the company has nonetheless urged users to change their password in an email sent to affected customers.
One of the main risks of such a breach is that criminals can use the stolen details to mount follow-on attacks: with names, addresses and phone numbers in hand, targeted phishing (spear-phishing) emails or calls posing as Orange become far more convincing, and can be used to harvest more sensitive information such as banking credentials.
Tim Holman, CEO of 2-sec and president of ISSA UK, pointed to Orange's spotty record on data breaches (the firm also suffered a huge email data breach in 2010), and said the attack is likely “some sort of SQL injection”.
“The anatomy of the attack appears to be something wrong with the ‘My Accounts’ page, for French customers, which suggests some sort of SQL injection attack being used to exfiltrate hundreds of thousands of customer records,” he told SCMagazineUK.com.
“Given the volume of exposed records, SQL injection is very likely, as opposed to cross-site scripting or broken authentication/session management.”
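Holman's reasoning rests on a property of SQL injection that the other vulnerability classes he names lack: a single crafted request can widen a query meant to return one customer's row into one that returns every row in the table, whereas cross-site scripting or session hijacking yields one victim's data at a time. The following is an added illustration of that contrast, not code from Orange or from the article; the table, the records and the `lookup_*` functions are constructed for the example and say nothing about how the Orange portal was actually built.

```python
import sqlite3

# Constructed sample data for the example: hypothetical customers, not real Orange records.
CUSTOMERS = [
    (1, "Alice Martin", "alice@example.fr", "+33 6 00 00 00 01"),
    (2, "Bruno Leroy", "bruno@example.fr", "+33 6 00 00 00 02"),
    (3, "Chloe Dubois", "chloe@example.fr", "+33 6 00 00 00 03"),
]


def make_db():
    """In-memory SQLite database standing in for an account portal's customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """Hypothetical injectable lookup: the user-supplied value is spliced into the SQL text.

    The developer intends a single row back; an attacker who closes the string
    literal and appends OR '1'='1' turns the WHERE clause into a tautology and
    receives the whole table in one response.
    """
    sql = "SELECT id, name, email, phone FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Same lookup with a bound parameter: the input is passed to the driver as a
    value, never parsed as SQL, so the payload below simply matches no customer."""
    sql = "SELECT id, name, email, phone FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Hypothetical injection payload: closes the quoted literal and ORs in an always-true comparison.
PAYLOAD = "x' OR '1'='1"


if __name__ == "__main__":
    conn = make_db()
    print("legitimate lookup:", lookup_vulnerable(conn, "alice@example.fr"))
    print("injected lookup (vulnerable):", lookup_vulnerable(conn, PAYLOAD))
    print("injected lookup (parameterized):", lookup_parameterized(conn, PAYLOAD))
```

Run against the three constructed rows, the vulnerable function returns all three for the payload while the parameterized one returns none; on a real customer table the same single request scales to every record, which is why a mass exfiltration points at this class of flaw. Binding parameters is the fix for the query itself; a portal handling account data should additionally cap the rows any account-page query may return and alert on anomalous result volumes, so that a logic error elsewhere cannot silently turn into a full-table dump.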
Brian Honan, founder and analyst at BH Consulting, concurred that the issue most likely arose from a vulnerability in the Orange website.
“From a business perspective, Orange France should ensure that all areas of their online presence are regularly tested for security vulnerabilities, that anyone involved in developing their online presence is fully aware of how to develop code in a secure manner, and that their incident response plans are reviewed as a result of this breach to see what areas, if any, should be improved,” he told SCMagazineUK.com.
“Indeed, all companies should pay heed to this security breach, and breaches in other companies, to see what lessons can be applied to their own environment.”