Cyber Incident Victim: Auchan

Date: Nov 2024

Location: France

Summary

A major retail company experienced unauthorized access to its customer loyalty program systems, compromising personal data including names, email and physical addresses, phone numbers, birth dates, loyalty card numbers, reward balances, and family composition details where provided. While financial credentials and passwords remained unaffected, the breach impacted hundreds of thousands of clients, prompting enhanced security protocols for suspicious reward redemptions and official notifications to data protection authorities. The incident heightened risks of targeted phishing campaigns and fraudulent activity leveraging the exposed information, echoing prior loyalty program exploitation patterns observed across retailers.

Description

On November 19, 2024, Auchan Retail announced it had suffered a cybersecurity incident involving unauthorized access to a portion of its customer loyalty program data. The breach exposed personal information linked to customer accounts, including full names, email and physical addresses, telephone numbers, dates of birth, loyalty card numbers, and available loyalty reward balances. Family composition details were also compromised if voluntarily provided by customers. The company confirmed financial data such as bank details, passwords, and PINs remained unaffected. Auchan stated it implemented "all necessary measures" to terminate the attack and reinforce its information systems, including enhanced monitoring for suspicious loyalty reward redemptions. The incident impacted "several hundred thousand" customers and was reported to France’s data protection authority, the CNIL. Affected clients received direct email notifications advising heightened vigilance against potential phishing attempts, fraudulent calls, or SMS scams leveraging the stolen data.

The breach heightened risks of personalized phishing campaigns and impersonation scams, as attackers could exploit the exposed data to pose as legitimate representatives offering fake loyalty rewards. This incident followed a documented pattern of loyalty card system targeting, with a September 2023 report by *60 Millions de Consommateurs* highlighting similar breaches affecting Auchan, Carrefour, and Super U customers, where attackers drained loyalty balances after selling data on the dark web. Historically, Auchan’s global operations faced multiple cyber incidents, including an August 2024 attack on its Spanish subsidiary Alcampo (without data leakage), a 2023 breach at its Russian division resulting in 437 MB of stolen data, and exposure to the 2017 WannaCry ransomware. The company reiterated no financial or credential data was compromised in this latest event but emphasized ongoing threats to customer loyalty systems.
