Marie-Madeleine Sabbi, a Free subscriber, expresses her anxiety over the recent data breach affecting 19.2 million customers, including her and her husband. Cybersecurity experts reveal that stolen data, including sensitive banking details like IBAN and BIC, are often sold and used for fraudulent activities. People are advised to monitor their accounts closely for unauthorized transactions and to report any suspicious activity to their banks promptly. Despite safeguards, fraudsters can exploit stolen data, making vigilance essential in preventing financial harm.
Marie-Madeleine Sabbi, a Free subscriber, quickly came to realize the situation. ‘Can you imagine the anxiety we live with? Being afraid to open an email or answer a phone call… It’s the unknown. Someone has all your personal details, but you have no idea who they are’, she expressed on TF1’s microphone in a report. Since last week, following a message from the operator, she and her husband believe they are among the 19.2 million customers whose personal data has been compromised. This latest cyberattack is part of a long chain that has affected organizations like France Travail, Boulanger, and the Caisse d’assurance-vieillesse, just this year.
But what actually happens to this stolen information? The hacker responsible for breaching the Iliad group, which owns Free, has already disclosed that he sold all this data for 160,000 euros. Within minutes, Clément Domingo, known as SaxX, found 100,000 of these records available online. ‘The most critical information includes banking details, such as IBAN and BIC, which are essential for various transactions’, noted this self-proclaimed ‘white hat hacker,’ who specializes in cybersecurity and assists humanitarian NGOs that have been hacked.
In front of his screen and our camera, he demonstrated that fraudulent withdrawals can occur on a bank account using just this kind of information: ‘You simply enter the required details, like the IBAN number, and then you just have to pay. Look, a transaction has been processed.’
Tiphaine Romand-Latapie, another cybersecurity expert from the company Synacktiv, recommends immediate action in such cases: ‘The one thing you can do is stay vigilant’, she elaborated. ‘This means monitoring your account for any unauthorized transactions, including even small amounts. It’s crucial. You have thirteen months to contest such transactions and reclaim your funds.’
Typically, it is other hackers who purchase stolen data to profit from it themselves. ‘Given the sale price stated by the hacker behind the Free breach, it’s likely that the buyer will hold onto that database for a while’, explained Baptiste Robert, alias fs0c131y, a cybersecurity researcher and ‘white hat hacker.’ ‘Eventually, the hacker will sell the information in segments to other hackers, who in turn may sell it to yet others.’ If 100,000 of these recently stolen data pieces are already accessible, it’s likely they had previously leaked, diminishing their value in this 2.0 black market.
All this data is intended for use in fraudulent schemes, often involving identity theft or phishing campaigns. ‘Hackers will use banking information to tailor their scam attempts and make them more credible’, Robert continued. ‘Individuals whose data has been leaked will receive emails and texts urging them to click on a fraudulent link, aiming to steal their credentials or other banking information. Increased vigilance is crucial.’
Although the Banque de France states that leaking bank details (including IBAN and BIC) ‘is not inherently risky’ since authorization is needed for withdrawals, be aware that a fraudster can register as a payment service provider to falsify withdrawals from illegally obtained IBANs. The scammer can also sign up for subscriptions and services that are billed through withdrawals. Regardless, maintaining vigilance is paramount: individuals have eight weeks to contest any deductions, even after the use of an authorization mandate, and can request a refund ‘without conditions’, according to the Payment Security Observatory (OSMP).