The personal data of clients of Free, one of France’s largest providers of phone and broadband internet contracts, has been found for sale on an underground online forum.
The firm confirmed the situation yesterday (September 14) after a popular online blog, called Zataz, ran an article about it.
The blog “corresponds to information linked to an incident identified in August by our monitoring systems,” said a Free spokesperson.
However, where the original blog post claimed the data of up 14 million customers was leaked and available for purchase, Free said the true number was much lower.
It said the information up for sale (people’s first and last names, email addresses and telephone numbers) corresponds to certain customers from the 18th and 19th arrondissements of Paris.
Data sold for ‘several hundred euros’
Cybersecurity expert Damien Bancal, who wrote the Zataz blog post, claimed the data was being sold for several hundred euros to those interested.
This is the price for the overall database containing the information.
Whilst his original post claimed the data of up to 14 million clients could be involved, he later said the databases contained the information of between 1,000 and 3,000 clients. This would correspond to the leak being contained within the two Parisian arrondissements.
Mr Bancal, who contacted a number of individuals whose information was contained in the database, said “All of them confirmed to me that they were or are Free customers.”
The leak is therefore thought to also impact former Free clients.
Read more: Watch out for new energy bill scam in France
Hackers sell data online
In its statement, Free said a secure space limited to “employee [only] access… had been compromised by a hacker.”
It has lodged a complaint and an official report with France’s data protection agency Commission nationale de l'informatique et des libertés (Cnil), as well as informing the affected customers.
The hacking and leaking of data sets such as this is a common issue not just in France but across the world – hackers steal information from companies and then sell it on the dark web (parts of the internet that cannot be accessed by search engines) to scammers.
Scammers then use the information to set up elaborate phishing schemes, gaining the trust of clients because they already have a lot of personal information on them at hand, and can more effectively pretend to be from a company or bank that person uses.
Recently, a style of ‘two-pronged’ scam has become popular with fraudsters in France.
Firstly, the bank details of an individual are collected, either by setting up a small payment for something (such as a €2 railcard) or through a phishing email.
A few weeks after this, scammers will then call victims pretending to be from their bank – using information taken as part of the first step – urging innocent victims to hand over compromising details to gain unfiltered access to their accounts.
We cover a number of scams of this type in an article you can read here.