Several French brands, including Boulanger and Cultura, have admitted in recent days to having suffered a cyber attack that allowed one or more hackers to steal personal data from their customers. British and American companies are also affected by this wave of reports of data theft, the details of which are still unclear.
Since August 31, an Internet user has been distributing samples of personal data files on the discussion forum BreachForums (specialized in the purchase and sale of pirated data), which he increasingly claims to have stolen from companies.
He is also selling these files, which he says come from the Boulanger brand, but also from Cultura, the Truffaut garden centre and the Pepe Jeans clothing brand.
Telephone numbers and postal addresses
All the samples offered by the alleged hacker contain the name and surname of the victims, but also postal addresses, email addresses and telephone numbers, mobile or not. According to the findings of the WorldIn some cases, data associated with customer purchases also appear to appear. In at least one sample, it is even possible to find a generic photograph of the product potentially purchased by a customer, hosted on the target company’s online store.
All of this data appears to be information from databases intended for delivery subcontractors. In the case of Boulanger, for example, we found columns (not indicated here) where it was possible to indicate the presence or absence of a parking lot near the delivery address.
Boulanger, who admitted on Sunday, September 8, to having been the victim of a data theft, initially claimed that the stolen information was “delivery addresses only”before admitting that phone numbers and email addresses had also been collected. Speaking to Next magazine, the company says that this leak “It only concerns a few hundred thousand customers.” The hacker claims to have stolen the data of more than 27 million people, but has not provided any evidence.
Specific service providers?
For its part, Culture announced on Tuesday, September 10 that “The personal data of around 1.5 million of our customers was affected” for a similar attack. “This includes last name, first name, Culture customer ID, mobile phone, email and postal address, as well as information about the products purchased”The brand explained in a press release. Other French brands are concerned, including the Dijon transport authority, Divia Mobilité, but also online retailers.
Where does this data come from? In its press release, Cultura announced that the cyber attack affected a “third-party IT service provider”. Contacted by The worldThe Internet user who claims to be the author of these hacks did not want to specify how he had fraudulently obtained this personal data, limiting himself to explaining that his target was delivery management systems. Requested by The worldBoulanger declined to say whether the data breach was linked to a service provider or a specific delivery management solution.
