An Orange supplier has suffered a cyberattack that has exposed “part of the sensitive information to which it had access to carry out the customer management activity for which it was hired,” the operator said in a statement sent to its users this Monday. The filtered data includes the name and surname, address, telephone, email, DNI, date of birth, nationality and the IBAN code of the current account.
Five years of WannaCry, the global cyberattack with NSA weapons
The operator has reported the events to the Central Technological Investigation Brigade of the National Police and has brought it to the attention of the Spanish Data Protection Agency. Orange sources have assured elDiario.es that the breach has affected “a limited number of customers”, although for the moment they have not been able to confirm the exact number. The company has almost 13 million customers in its mobile phone business.
The provider that has suffered the incident is dedicated to “debt collection” services, the same sources have explained. “From the moment the provider became aware of the incident, a plan was put in place to limit its scope, immediately proceeding to cut off access to our systems,” Orange told those affected.
Security breaches of this type carry a high risk of subsequent cyberattack against users whose information has been leaked. It makes it easier for criminals to impersonate Orange or any other company to extract other types of more sensitive data, such as bank passwords. By having very specific data about their victims, cybercriminals can gain their trust and lure them into falling for a scam.
We advise you to be especially careful in the coming months with emails, messages or calls for which you cannot confirm their origin or sender
National Institute of Cybersecurity
“If you have received the communication from the affected company, we advise you to be especially careful in the coming months with emails, messages or calls of which you cannot confirm their origin or sender, especially messages that request bank information or credentials. These messages could be fraudulent”, the National Institute of Cybersecurity (Incibe) has warned.
The Internet Security Office, dependent on Incibe, has sent an alert this Monday regarding the incident of the Orange provider that it described as “high” importance. The agency recommends users to search themselves on the Internet periodically to verify what information is published about them and request the removal of that which should not be. This action can be exercised free of charge through the Data Protection Agency.
From Orange they have also asked their customers to contact their bank if they detect any suspicious activity, as well as Incibe itself. “We are sorry for what happened and we put at your disposal the free telephone number 900901564 from 9 a.m. to 9 p.m. from Monday to Sunday, to answer any questions that may arise about this incident,” it has communicated to its affected clients.