Full Report
Regulator reports suggest telco was extorted, but company remains coy as to whether it paid French telco Eurofiber says cybercriminals swiped company data during an attack last week that also affected some internal systems.…
Analysis Summary
# Incident Report: Eurofiber Data Exfiltration via Vulnerability Exploitation
## Executive Summary
French telecommunications provider Eurofiber confirmed a cyberattack last week that resulted in the exfiltration of company data from its French operations, including its cloud division and regional brands. Attackers exploited a vulnerability within the company's ticket management platform to gain access and steal data, though the company insists banking details were not compromised. Response actions included immediate patching of the vulnerability and enhanced security measures, with regulatory bodies notified.
## Incident Details
- Discovery Date: November 13, 2025 (Implied, as the attack occurred last week relative to the Nov 17 report, and the disclosure mentioned Nov 13)
- Incident Date: November 13, 2025
- Affected Organization: Eurofiber France (including Eurafibre, FullSave, Netiwan, and Avelia)
- Sector: Telecommunications (B2B Wholesale)
- Geography: France (Primary impact)
## Timeline of Events
### Initial Access
- Date/Time: November 13, 2025
- Vector: Exploitation of a vulnerability in the ticket management platform.
- Details: Attackers leveraged a weakness in the ticketing system to access and steal stored data.
### Lateral Movement
- Details: Not explicitly detailed, but implied movement to access the data stored within the ticket management platform and potentially related internal systems.
### Data Exfiltration/Impact
- Date/Time: Following initial access up to detection/containment.
- Details: Company data stored within the ticket management platform was exfiltrated. Banking details or other critical data were reported as safe. Some internal systems, including those used by indirect sales and wholesale partners, were affected operationally.
### Detection & Response
- Date/Time: Initial detection on November 13, 2025. Disclosure published Sunday (Nov 16 or 17).
- Details: In the first few hours post-detection, the ticketing platform and the ATE portal were placed under enhanced security. The vulnerability was patched immediately. Affected customers were notified, and French agencies (CNIL and ANSSI) were reported to.
## Attack Methodology
- Initial Access: Vulnerability Exploitation (Ticket Management Platform).
- Persistence: Not specified.
- Privilege Escalation: Not specified.
- Defense Evasion: Not specified, though the attack was successful for some duration.
- Credential Access: Not specified.
- Discovery: Not specified.
- Lateral Movement: Not specified, focused on reaching data in the ticketing system.
- Collection: Gathering data stored in the ticket management platform.
- Exfiltration: Stealing the collected data.
- Impact: Data theft and limited operational impact on supporting systems.
## Impact Assessment
- Financial: Not explicitly stated, though regulator reports hint at extortion/ransom demand.
- Data Breach: Company data stored in the ticket management platform was stolen. **Excluded:** Banking details or other critical data.
- Operational: Limited impact; some systems used by indirect sales and wholesale partners were affected operationally. Customer-facing services remained fully operational.
- Reputational: Public disclosure made; potential reputational damage due to extortion reports, though the company remains coy on payment.
## Indicators of Compromise
- Network Indicators: Not publicly released (defanged).
- File Indicators: Not publicly released.
- Behavioral Indicators: Accessing and exfiltrating data from the ticket management platform.
## Response Actions
- Containment measures: Enhanced security placed on the ticketing platform and ATE portal immediately following detection.
- Eradication steps: The vulnerability in the ticketing platform was patched.
- Recovery actions: Teams, in collaboration with cybersecurity experts, are supporting clients affected by the incident. Customer-facing services restored to full operation quickly.
## Lessons Learned
- Critical systems like ticket management platforms, which may store sensitive support or customer interaction data, must be rigorously secured against known vulnerability classes.
- The immediate response prioritized patching the specific vector of compromise.
## Recommendations
- Conduct a comprehensive security audit of all third-party or custom-built platforms (like the ticket management system) to identify and remediate similar zero-day or known vulnerabilities.
- Review access controls and segmentation between support/ticketing systems and broader corporate networks to minimize the scope of potential data exfiltration during platform exploitation.
- Define and publicize a clear policy regarding extortion/ransom demands in future incidents.