The Voyageurs du Monde travel agency was hit on May 16 by a cyberattack claimed by the LockBit group, which stole the personal data of around 10,000 customers. “Cybercriminals penetrated our computer network by obtaining the password of one of our collaborators, without our knowing how, and managed to encrypt it, depriving us of access and stealing personal data from around 1% of our customers,” CEO Jean-François Rial told Le Point.
Very active in recent months, this group is known for encrypting company data and demanding a ransom. In the case of Voyageurs du Monde, which refused to engage with the hackers or even to learn the amount of the ransom, the criminal group claims to have published on the darknet “10,000 passports and tons of confidential data”.
“They took 10,000 photocopies of passports from us, but without their biometric data,” Jean-François Rial clarifies. “This only concerns group activities and communities, and not individual customers.” Other data, “irrelevant” according to the CEO, was also stolen: “membership forms, or contracts between service providers and suppliers”.
The company, which is seeking to reassure, says it restored the operation of its network after six days and has filed a complaint.
If you are affected, or ever have to deal with the theft of your personal data as a result of a cyberattack, here are the steps to take, in order of priority.
To react appropriately to a cyberattack, you must first establish the nature and sensitivity of the stolen information. Not all data has the same value to hackers: a social security number, for example, is not of much use to them.
It is up to the attacked company to tell you this. The company is required by law to inform you of the theft of your data and to specify its nature, provided that it has managed to identify it. The Corbeil-Essonnes hospital, hit by a cyberattack last year, could not determine precisely who had been affected or what data was involved, and had to write to all of its patients to warn them because it was unable to narrow the list down.
This is the most problematic case of personal data theft, as it can allow crooks to steal your identity. In the case of Voyageurs du Monde, according to Jean-François Rial, “the police recommend not filing a complaint or even changing your passport, because the biometric data has not been stolen, which limits the risk of identity theft”.
Nevertheless, Jean-Jacques Latour, director of expertise at the government platform cybermalveillance.gouv.fr, recommends requesting the renewal of your passport and filing a report with the police (a “main courante”) to protect yourself from any risk. “A passport, an identity card, a tax notice or a payslip can allow cybercriminals to take out consumer credit, buy a telephone line and use it for various kinds of trafficking, or even to register vehicles in your name, leaving you the fines to pay,” explains the cybersecurity specialist. “Precautionary measures must therefore be taken.”
Thus, if you are informed of the theft of an identity document, it is recommended to file a report with the police (a “main courante”) and request the renewal of the document, in order to leave an administrative record that you can rely on in the event of identity theft.
In the case of Voyageurs du Monde, however, this scenario seems unlikely: to apply for consumer credit, for example, a single piece of identification is not enough. The scammer would also need to have a tax notice or proof of address in order to deceive the bank.
But to avoid this kind of unpleasant situation as far as possible, Jean-Jacques Latour recommends limiting the data you send to companies, and above all marking identity documents before sending them. By printing and annotating the photocopy of your passport before scanning it, specifying for example the date of sending and the recipient, you effectively limit the use that a cybercriminal can make of it.
The operation can also be carried out digitally, provided that the annotated version is sent in PDF format to prevent any subsequent modification in the event of data theft.
If it turns out that you are the victim of identity theft, you must file a complaint each time an action is carried out in your name. Several people may be using your identity at the same time for fraudulent purposes, and it will be easier for the police to have a separate complaint for each incident. These complaints will also help you support your case if you are asked for payments you do not owe.
If the situation becomes too difficult to manage, do not hesitate to seek support from consumer associations, such as UFC Que Choisir, which can assist you with the administrative formalities. In cases of especially serious identity theft, a specialized lawyer can also be useful.
“You have to block it immediately,” explains Jean-Jacques Latour, and warn your bank of the theft and of the risk of fraud on your bank account.
You must quickly change the password of the account in question, as well as the passwords of all the other accounts where the same password is used.
Using the same password on several sites is also strongly discouraged: use a password manager instead, such as KeePass, which is free and recommended by the French National Agency for the Security of Information Systems (ANSSI). It will generate secure passwords to limit the risk of attacks on your accounts, without you needing to remember each one. Antivirus products also offer this type of password manager in their paid versions.
Although it may be frightening, “with an IBAN, a scammer can’t do much,” reassures Jean-Jacques Latour. “He could request direct debits from the bank, but you can object if you notice an undue debit.”
You must therefore monitor your bank account, and do not hesitate to call your adviser if you see a suspicious transaction. If money has indeed been debited from you fraudulently, the bank is obliged to reimburse you as long as you have not provided your secret code. The Perceval platform has been put online to identify all these types of fraud: do not hesitate to report any fraudulent direct debit there, even if it only concerns a small sum. This allows law enforcement to better combat cybercrime.
The main risk in the event of theft of this type of data is in fact targeted phishing: a scammer may try to call you pretending, for example, to be your bank adviser, thanks to the information obtained from the data theft.
To guard against this, Jean-Jacques Latour recommends: “do not hesitate, in case of doubt, to hang up and call back the organization the caller claims to represent on its official number, in order to verify that the call is legitimate and not a scam”.
Also, never give out a password over the phone.
“There is not much to do except change your phone number,” observes Jean-Jacques Latour. “It is not very risky, but you must remain vigilant against spam, and never click on a link received by SMS from an unknown number, or claiming to be from an organization of which you are not sure.”