Orange data breach underlines need for encryption, say experts

The theft of 1.3 million French customer records from mobile operator Orange, underlines the need for organisations to encrypt data, say security industry representatives.

This is the second time the French branch of the company has been hit by a data breach, with 800,000 customer records stolen in January.

It is the latest in a string of breaches involving customer data, with victims including US retailers Target and Sears, and Vodafone Germany.

The company has not admitted the data was not encrypted, but a warning that the stolen data may be used for phishing purposes indicates the data was stored in clear text.

In the latest breach, attackers are believed to have accessed a database of customer details including name, email address, phone number, internet service provider, and in some cases, date of birth.

Orange France discovered the attack on 18 April, but reportedly delayed a public announcement of the breach to assess the damage, repair its systems and inform affected customers.

“It is worrying that the details of such a large number of customers were apparently unencrypted,” said Steve Smith, managing director of data security firm Pentura.

“The company has stated that the data has already been used in phishing attacks, to try and trick people into revealing further information,” he said.

According to Smith, the breach highlights how critical it is for businesses such as retailers and telecoms firms to encrypt the volumes of consumers’ personal data they hold.

There is no telling how long the adversary had already been inside Orange’s systems

George Anderson, Webroot

“Otherwise such databases are potential goldmines for hackers,” he said.

George Anderson, director at security firm Webroot, said phishing remains the most prevalent attack. According to the firm's research it accounts for more than 55% of successful breaches.

“Victims just do not realise how sophisticated these attacks now are. Most phishing sites are ‘live’ for just a few hours and the phishing attack is often indistinguishable from genuine communications and requests,” he said.

Anderson said customers of Orange France should remain vigilant and double-check the source of any emails, unknown phone calls and SMS messages.

“Businesses have a duty to remain vigilant and be highly responsive in warning their customers of any risks as soon as they occur, because even the smallest incident opens the door to a cyber attack,” he said.

Tony Caine, European vice-president and general manager for HP enterprise security products, said the frequency and close proximity of the attacks also demonstrates the importance of a layered security infrastructure.

“While the attack has now been resolved, there is no telling how long the adversary had already been inside Orange’s systems,” he said. 

According to HP research, it takes 243 days on average for an organisation to detect a breach.

Such breaches are becoming increasingly common, particularly in France, where companies typically experience 26 successful attacks a week, according to HP research commissioned in 2013.

The study also found that the average annual cost of cyber crime for French businesses was £3.18m.

The average cost of the worst breach for large UK organisations is £600,000 to £1.15m, up from £450,000 to £850,000 a year ago, according to the 2014 Information Security Breaches Survey.

The report, launched at Infosecurity Europe 2014 in London, was conducted by PricewaterhouseCoopers (PwC) and sponsored by the Department for Business Innovation and Skills.

The cost of data breaches for smaller businesses with fewer than 250 employees has roughly doubled to between £65,000 and £115,000, up from £35,000 to £65,000 a year ago.