Full Report
Eurofiber France annonce qu’un incident de cybersécurité a été détecté le 13 novembre 2025. Il concerne la plateforme de gestion des tickets utilisée par Eurofiber France et ses marques régionales (Eurafibre, FullSave, Netiwan, Avelia), ainsi que le portail client ATE, qui correspond à la division cloud d’Eurofiber France opérant sous la marque Eurofiber Cloud Infra France. Une vulnérabilité logicielle de cette plateforme a été exploitée par un acteur malveillant, entraînant l’exfiltration de données liées à ces plateformes. Eurofiber France announces that a cybersecurity incident was detected on November 13, 2025. It involves the ticket management platform used by Eurofiber France and its regional brands (Eurafibre, FullSave, Netiwan, Avelia), as well as the ATE customer portal, which corresponds to Eurofiber France’s cloud division operating under the Eurofiber Cloud Infra France brand. A software vulnerability in this platform was exploited by a malicious actor, resulting in the exfiltration of data related to these platforms.
Analysis Summary
# Incident Report: Eurofiber France Data Exfiltration via Ticket Platform Vulnerability
## Executive Summary
A cybersecurity incident was detected at Eurofiber France on November 13, 2025, stemming from the exploitation of a software vulnerability in their internal ticket management platform and the ATE customer portal. This exploitation led to the exfiltration of associated customer data. Eurofiber contained the issue rapidly by patching the vulnerability and reinforcing security, while services remained operational. Regulatory bodies were notified, and customers are being supported.
## Incident Details
- **Discovery Date:** November 13, 2025
- **Incident Date:** Began prior to or on November 13, 2025 (Detection date implies the start of the response)
- **Affected Organization:** Eurofiber France and its regional brands (Eurafibre, FullSave, Netiwan, Avelia), and Eurofiber Cloud Infra France (via the ATE customer portal).
- **Sector:** Telecommunications/Cloud Services
- **Geography:** France
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown, but detected on November 13, 2025.
- **Vector:** Exploitation of a software vulnerability.
- **Details:** A malicious actor exploited a software flaw present in the ticket management platform and the ATE customer portal.
### Lateral Movement
- *Not explicitly detailed in the provided text, but implied movement to access and exfiltrate data associated with the affected platforms.*
### Data Exfiltration/Impact
- **Date/Time:** Occurred between the initial compromise and detection/containment.
- **Details:** Exfiltration of data related to the ticket management platform and the ATE portal occurred. Sensitive data like banking details or critical data in *other* systems were confirmed **not** affected.
### Detection & Response
- **Date/Time:** Detected November 13, 2025. Remediation actions began "in the first hours following detection."
- **Details:**
1. Ticketing platform and ATE portal placed under enhanced security.
2. The exploitation vulnerability was promptly patched/corrected.
3. Additional measures implemented to prevent further data leaks.
4. Incident reported to CNIL and ANSSI.
5. Complaint for extortion filed.
6. Customers informed immediately and support processes initiated.
## Attack Methodology
- **Initial Access:** Exploitation of a known or zero-day software vulnerability.
- **Persistence:** Not detailed.
- **Privilege Escalation:** Not detailed, but likely required to access specified data.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Not detailed.
- **Discovery:** Not detailed.
- **Lateral Movement:** Not detailed, but access spanned the ticket platform and the ATE portal.
- **Collection:** Data related to the ticket management and ATE portal customers was gathered.
- **Exfiltration:** Data was successfully exfiltrated via the exploited vulnerability path.
- **Impact:** Data breach/leakage tied to platform usage data.
## Impact Assessment
- **Financial:** Not specified, but legal and remediation costs are incurred. A complaint for extortion was filed.
- **Data Breach:** Data related to customers using the Eurofiber France ticket management platform and the ATE customer portal was exfiltrated. Banking details and critical data in other systems were *not* affected.
- **Operational:** Services remained fully operational throughout the attack; business continuity goals were met.
- **Reputational:** Public disclosure and regulatory reporting required.
## Indicators of Compromise
- *No specific technical IoCs (IPs, hashes) were provided in the summary.*
- **Behavioral Indicators:** Unauthorized access and subsequent data transfer originating from the compromised tickering platform/ATE portal environment.
## Response Actions
- **Containment Measures:** Enhanced security measures applied to the ticketing platform and ATE portal; immediate patching of the exploited software vulnerability.
- **Eradication Steps:** The root cause (vulnerability) was fixed.
- **Recovery Actions:** Cybersecurity experts engaged; customer support and notification processes initiated.
## Lessons Learned
- The criticality of timely patching for centralized platforms like ticket management systems and customer portals (ATE).
- The need for comprehensive segmentation to prevent data exfiltration impact from being platform-wide.
- Services maintained operational integrity despite the data breach, indicating successful resilience measures for core business functions.
## Recommendations
- Conduct a full audit and penetration test on the patched software platform to ensure no secondary vulnerabilities remain.
- Review access controls and monitoring specifically around the ticket management and ATE infrastructure to ensure rapid detection of unusual bulk data access or egress activity.
- Review logging retention policies for critical platforms to aid in faster root cause analysis for future incidents.