Orange, Europe's fourth-largest telecom, has confirmed reports that personal information for 1.3 million customers has been compromised. The breach is the second one in three months, but notification was delayed so that the company could assess the true scale of the problem.
On April 18, Orange discovered that criminals acquired 1.3 million records, including names, email addresses, mobile and fixed telephone numbers, names of mobile and internet operators, as well as dates of birth.
In a statement, Orange correctly noted that the "data recovered could be used to contact those concerned by email, SMS or by phone, particularly for phishing purposes."
Earlier this year, Orange's customer website was compromised, leading to the exposure of more than 800,000 subscriber records, including emails, phone numbers, passwords, and addresses.
No financial data was compromised during the two attacks, but that isn't much comfort considering that the attackers walked away with more than enough to launch successful phishing campaigns.
Social engineering attacks such as phishing depend on accurate information to succeed. The channel used to deliver them, whether email, SMS, a direct phone call, or social media, doesn't really matter.
Some channels will yield better results than others, that's certainly true, but it's the quality of the information used against the target that really matters.
A letter, email, or phone call from a telecom company, with accurate account information, is likely to get more attention than a generic email using a company logo and a sense of urgency.
The delay in notification could have given the attackers a leg up, allowing them to use the information before the breach announcement. However, Orange hasn't stated if any of the compromised data has been misused. Likewise, third-party reports of such abuse haven't emerged.
Orange said that notification was delayed in order to fix the security issues that allowed the breach, and properly assess the scale of the incident.
Unfortunately, news of this latest breach comes after Orange's CEO, Stephane Richard, made a big deal over a data protection charter he signed, pledging to keep customer information safe.
These days it's a fact that information is a valuable commodity to criminals, and telecom data is often just as prized as financial data.
Last September, Vodafone Germany confirmed that 2 million customer records were compromised by an attacker with "inside knowledge." Phishing was a concern in the aftermath of that breach as well.