The Econocom Group confirms a cybersecurity attack which is the subject of serious investigation and containment measures. The latest investigations show that the leaked information would originate from a service provider working on a few Econocom clients in France. No system or database internal to Econocom would be affected, and to date analysis of the exfiltrated data has not identified the disclosure of sensitive data.
On Sunday 20 August, via a Twitter post, a group of attackers claimed to have hacked into Econocom and began publishing data. No ransom demand has been received by the Group. A complaint is currently being filed.
As soon as Econocom Group Security team and Security Operations Center became aware of this incident, they immediately mobilized and launched the first investigations. As these did not reveal any malicious actions, the most plausible hypothesis was that this was a reminiscence of a previous attack on Econocom in 2020 (very old documents distributed), which has long been contained.
On Tuesday 22 August at around 3pm, Econocom noticed that more recent data had been exfiltrated and activated the cyber crisis mode: the exfiltrated data was found on two SharePoint shares for individual use (created using Teams). These files contain little data, and were isolated as soon as they were identified on Tuesday 22 August 2023, at 4pm and 6pm respectively. All access to these SharePoints has been blocked. Econocom SharePoint infrastructure also prevents any form of propagation to other systems. Analysis of the exfiltrated data has not yet identified any sensitive data.
On Wednesday 23 August morning, investigations revealed that a user workstation at an Econocom service provider in France was the source of the data leak. The service provider was immediately contacted to work with its teams to identify and block the source of the attack, and to analyze its full impact. The staff of this service provider, who connect to an Econocom resource via VPN to retrieve the documents they need to carry out their tasks, have been identified and their access to Econocom resources revoked. Investigations confirmed that the leaked data originated from a shared space at the supplier.
To date, the most plausible scenario is that the service provider has been compromised and the data exfiltrated from its infrastructure. However, investigations and containment measures are continuing at Econocom to ensure that no internal systems have also been compromised.
Any significant new developments will be transparently communicated to the Group's stakeholders, including the competent authorities.