A1, the Croatian arm of Austria's largest telecommunications provider, suffered a major data breach on Tuesday, February 8. The threat actor behind the attack demanded half a million US dollars' worth of Ethereum within 72 hours, threatening to release the data otherwise.
A1, a mobile network operating in Croatia and the wider region, told the local Croatian news site Index.hr* that the breach affected around 10% of its subscribers, with names, addresses, phone numbers, and personal identification numbers (OIB) stolen.
Victims demand pay-out
The hacker who claims to have broken into A1's systems reached out to several media outlets by email to inform them of the situation. In his email to Index.hr, he claimed to have compromised the entire telecommunications system, and said he had even forwarded part of the user database to A1 as evidence of the breach. A1, however, did not react.
In his written account to RTL.hr*, the hacker gave further details of his operation. According to him, A1 had been aware of the hack for at least six to seven days and did nothing about it: "They didn't even bother to change the password of the account of an agent that I used to get access to their (A1) tools." Allegedly, only after more than a week of "messing" with their tools and extracting personal data did A1 respond in any way.
In the meantime, many victims demanded that A1 pay him what he's asking for – $500,000 in cryptocurrency – so their data will not be exposed. Many local business owners expressed their worry over the sensitive data, mainly OIB, being abused. One of them said:
That's an official email, an official company OIB; you can use it to order any type of service. You could order a 10,000 HRK (approximately $1,500) mobile device. I don't want to have to think about these dangers, and then something like this happens, and you're left with no choice.
A1 responded to these concerns by saying that the stolen data represents no more than 10% of all users on its network, and that it mainly consists of first name, surname, address, and telephone number. The company states that there is no reason for major concern, as "you still need significantly more data to order any service". Dubravka Štefanac Vinovrški, Director of Corporate Communications at A1, said that no action is required on the users' side, as A1 has already taken the necessary security steps, such as changing the passwords of all the users.
The last warning
After the Index.hr portal emailed the hacker to ask about the outcome of his demand, he said that A1 had not responded to any of his emails, including those sent to high-ranking officials within the company. He then reminded A1 that once the 72 hours passed, he would make the database public; if they paid as requested, he would take no further action. He also accused A1 of not sufficiently protecting user data.
Before the announcement, they did not inform me or answer my question. My request for 150 ETH was not fulfilled. Almost 48 hours have passed; I gave them 72...
In the meantime, Croatian communication expert, Đuro Labura, commented for RTL portal* that he doesn't think it's a good idea to give in to blackmail, as this is an invitation to others with similar intentions.
At 11 PM on February 10, the hacker gave his final warning through Index.hr – stating he would give A1 another 20 minutes before making the database public.
After the 72 hours had passed, the hacker contacted Index.hr again, informing them that he had published the data. When asked for proof, he never replied or made contact again. Still, it was clear from his messages that he never received the 150 ETH ransom.
The Croatian data protection agency is currently investigating whether A1 took all the steps it could to protect its users' data. If it finds a lapse, A1 could be fined up to $10 million* or 2% of its annual global revenue, according to broadcaster HRT. In that case, affected users could also sue the company individually; however, they would have to prove that they had suffered economic (or emotional) damage, as explained by Dijana Kladar, a Croatian lawyer and expert in consumer rights in the telecommunications sector.
While A1 remains confident that there is no reason for worry, because the company (allegedly) collects and stores only basic user data which, according to them, cannot easily be abused, we at ProPrivacy are far from reassured. After all, we have seen threat actors do major harm with significantly less data.
Given the social media landscape we are stuck in, it is remarkably easy to find out almost anything about a person from just a couple of pieces of basic information. To a skilled threat actor, a name and address alone can be enough for serious harm; a name, address, phone number, and OIB together are exactly what a convincing phishing call or a social-engineering attempt at a help desk needs. Not to mention that, in Croatia, suspicious online converters have already appeared in the past that turn one type of sensitive data into another, such as OIB into JMBG.
We would therefore like to remind our readers, once again, to be extremely careful with personal data. Keep in mind that even trusted institutions and companies (including your ISP) often gather more information about us than their business requires. Be confident enough to question their intentions and methods, and limit what they collect. Then, if a situation like this does happen, you will have significantly less to worry about.
* Source in Croatian language