Orange France has revealed that details of around 1.3m of its customers - including names, date of birth, phone numbers and email addresses - have been stolen by hackers. User reports on Facebook suggest that the data is already being misused by cybercriminals for phishing purposes.
This is the second time the French division of the international telco has been hit by a data breach: back in March the company announced that its "My Account" Web site had been hacked, with the loss of 800,000 customer records.
This time around, Orange says that the theft took place on April 18, and that it has since remediated the security issue and notified affected customers. The telco has stressed that no payment details were stolen, but has warned customers to watch out for phishing emails, texts and phone calls.
Orange France is the largest of Orange's country operations, with around 26m cellular users, plus 15m broadband and 23m landline customers as of the end of 2011. Ironically, this month marks the 25th anniversary of the global Orange brand.
Worryingly, as with the March breach, Orange has not said how the hackers gained access to its systems, so other organisations have no concrete security lessons to draw from the incident.
The telco also says that it delayed announcing the breach for two weeks to allow it to assess the scale and ensure that any security gaps were sealed.
Some posters on Facebook have opined that the breaches may be due to an outsourcing agreement that Orange France has with a number of companies.
Looking at the telco's privacy agreement [ http://c.orange.fr/donnees-personnelles.html ], the company says that, under the French Data Protection Act of 1978, data provided by customers may be used to deliver services on the Web portal, either by Orange itself or by a third-party partner company where that partner offers and operates the service.
The agreement says that, if the data is disclosed to a third-party company, users are asked to read the data policy of the third party.
This is rather difficult since Orange France does not actually reveal which third party companies it outsources to - or works with.
Commenting on the emerging data breach faux pas, Professor John Walker, a visiting professor with Nottingham-Trent University's School of Science and Technology, said that the fact that this is the second time around for Orange France suggests that the solution of hitting the company with an investigation and a financial penalty may no longer be enough.
"My experience of the security in [UK and] European telecoms companies confirms this is not an isolated incident, as these situations are often caused by the migration and/or integration of IT systems," he explained.
"The problem is made worse by the fact that, for most telcos in Europe, security is not their primary endeavour," he said, adding that this usually means that IT security is often retro-fitted to the systems concerned.
Professor Walker, who is also a director of CSIRT & Cyber Forensics with Integral Xssurance, also questioned the involvement of the Data Commissioners in France in investigating this and the earlier incident at Orange France.
"My question would be, why isn't the Data Commissioner pro-actively talking to these people? My own experiences suggest that telcos are storing customer data for a lot longer than many people realise," he said, adding that he recalls an incident with one cellco where the company held customer payment details from several years previously.
Steve Smith, managing director of security consultancy Pentura, took the opposite view, saying that Orange has done the right things following the breaches.
It is, he added, worrying that the details of such a large number of customers were apparently unencrypted in the first place.
"This highlights how critical it is for businesses like retailers and telecoms firms to encrypt the volumes of consumers' personal data they hold, otherwise it's a potential goldmine for hackers," he explained.
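The encryption Smith is calling for, shown as an added example that is not part of the original article and is not Orange's or Pentura's own code: field-level encryption of the kinds of records reported stolen (name, date of birth, phone number, email address) with AES-256-GCM from Go's standard library, so that a dumped table yields ciphertext rather than a ready-made phishing list. The Customer struct, the sample record, the row-binding scheme and the key handling are all assumptions made for this example; in a real deployment the key would come from a KMS or HSM rather than being generated in the program.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Customer is a constructed stand-in for one subscriber row.
type Customer struct {
	ID    int
	Name  string
	DOB   string
	Phone string
	Email string
}

// NewKey returns a 256-bit data-encryption key. In production it comes from a
// KMS or HSM and is never stored beside the data; generated here only for the example.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// rowAAD ties a ciphertext to its row, so a value copied into another customer's record fails to authenticate.
func rowAAD(id int) []byte {
	return []byte(fmt.Sprintf("customer:%d", id))
}

// EncryptField seals one field with AES-256-GCM under a fresh random nonce, prefixes the nonce and hex-encodes the result.
func EncryptField(key []byte, id int, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	return hex.EncodeToString(gcm.Seal(nonce, nonce, []byte(plaintext), rowAAD(id))), nil
}

// DecryptField reverses EncryptField; a wrong key, a modified ciphertext or a row swap all surface as an error.
func DecryptField(key []byte, id int, stored string) (string, error) {
	raw, err := hex.DecodeString(stored)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("stored value too short to hold a nonce")
	}
	plaintext, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], rowAAD(id))
	if err != nil {
		return "", err
	}
	return string(plaintext), nil
}

// transform applies fn to every personal field and leaves ID in clear as the lookup key.
// EncryptCustomer yields the row as stored; DecryptCustomer is what the application calls after loading it.
func transform(key []byte, c Customer, fn func([]byte, int, string) (string, error)) (Customer, error) {
	out := Customer{ID: c.ID}
	pairs := []struct {
		src string
		dst *string
	}{{c.Name, &out.Name}, {c.DOB, &out.DOB}, {c.Phone, &out.Phone}, {c.Email, &out.Email}}
	for _, p := range pairs {
		v, err := fn(key, c.ID, p.src)
		if err != nil {
			return Customer{}, err
		}
		*p.dst = v
	}
	return out, nil
}

func EncryptCustomer(key []byte, c Customer) (Customer, error) { return transform(key, c, EncryptField) }
func DecryptCustomer(key []byte, c Customer) (Customer, error) { return transform(key, c, DecryptField) }

func main() {
	key, _ := NewKey()
	// Constructed sample record, not real subscriber data.
	row, _ := EncryptCustomer(key, Customer{ID: 42, Name: "Alice Martin", DOB: "1980-01-02", Phone: "+33 6 12 34 56 78", Email: "alice@example.invalid"})
	fmt.Printf("as stored: %+v\n", row)
}
```

The caveat a practitioner would attach to Smith's advice: encryption at rest only helps when the attacker obtains the data store (a dump, a backup, a misconfigured export) but not the key. An attacker who reaches the application, or a service account that is entitled to decrypt, sees plaintext regardless, and the article does not say which path the Orange attackers took. Binding each ciphertext to its row ID with the AEAD's additional data is a cheap defence against an attacker who can write to the table but not decrypt it; it does nothing for a search requirement, which needs a separate blind index or tokenisation scheme.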