In the latest security breach, hackers managed to seize the names, email addresses, phone numbers, dates of birth and other information related to a jaw-dropping 1.3 million current and potential customers.
Orange says that it detected the hack against a platform used by the company to send promotional emails and text messages on April 18th, but has kept quiet until this week as it wanted to ensure that the security holes used by the attackers to breach the phone company’s systems had been patched.
An obvious concern is that the attackers could use the information in phishing attacks targeting Orange’s current and potential customers, creating convincing-looking emails which might fool the unwary into believing they are legitimate messages from the telecoms company.
Earlier this year, Lisa Vaas reported for this site that the personal data of 3% of Orange’s customers – a little less than 800,000 people – was “chiseled out of its databases”.
Reuters reports that the hacks are particularly embarrassing for the telecoms company’s CEO Stephane Richard, who has been taking a strong public stand on data security and privacy:
At a company event in November showcasing Orange’s innovations, Richard signed a charter on data protection in which Orange pledged to always keep its customers’ information safe, among other engagements.
To massively misquote Oscar Wilde: “To lose your customers’ data once may be regarded as a misfortune; to lose it twice begins to look like carelessness.”
Found this article interesting? Follow Graham Cluley on Twitter, Mastodon, or Threads to read more of the exclusive content we post.
I think some time needs to be spent on explaining that security enforcement isn't purely the realm of the security team, but that it is everybody's responsibility.