Multiple French retail brands announce cyber attacks targeting their networks

Several French retail brands have announced that they suffered data security incidents in the first week of September that compromised the sensitive personal information of millions of customers.

 

On Monday, popular French electronics retailer Boulanger said that between September 6 & 7, it was a victim of a sophisticated data security incident that compromised the sensitive personal information of its customers.

 

“The data collected are only delivery addresses. No customer banking data is involved. The incident has already been contained and all of our customers have been informed,” the retailer posted on X, formerly Twitter. It added that its website and mobile application are working normally and weren’t impacted by the incident.

 

 

Cultura, a retailer of books, music, and arts supplies, also said that it suffered a cyber attack around the same time that might have compromised the confidential data of 1.5 million customers. The compromised data included names, phone numbers, email and postal addresses, Cultura customer IDs and order details.

 

Cultura, however, clarified that passwords and financial data including bank details were not accessed during the data security incident. The retailer has notified CNIL, the French data protection agency, and relevant law enforcement agencies and is working with them to resolve the issue at the earliest.

 

Other French retailers that suffered cyber attacks around the same time include gardening and home decor specialist Truffaut and clothing brand Pepe Jeans. It is unclear whether the retail brands faced a supply chain attack involving a common software vendor or whether they faced separate attacks.

 

Cultura said that the breach occurred after malicious actors infiltrated one of its databases after compromising an external IT vendor. It is unclear if the IT vendor provided services to the other retail brands that were compromised.

 

Recently, a threat actor using the moniker “horrormar44” claimed responsibility for the cyber attack on Boulanger and listed it as a victim on its data leak site. The threat actor claimed to be in possession of sensitive personal data of customers including their names, addresses, addresses, zip codes, phone numbers, images, email addresses, merchant ID, and more.