Cyber Incident Victim: Sofinco

Sofinco, a Crédit Agricole subsidiary specializing in consumer loans, notified customers on October 16 of a data leak resulting from a security breach in its computer systems. The company detected unauthorized access that led to the exfiltration of sensitive personal data, though it did not disclose the exact date of the initial breach discovery. Exposed information included postal addresses, banking details, and copies of identity documents. Sofinco attributed the incident to a security failure at one of its partners, emphasizing that only a "tiny number" of its 11 million customers were affected. The company implemented security patches on its systems promptly after identifying the breach. It did not specify whether law enforcement was involved or if the attackers were identified.

The compromised data's sensitivity elevated risks for impacted customers, particularly through personalized phishing campaigns via email or SMS. Malicious actors could exploit the information to impersonate advisors and orchestrate loan scams. Sofinco did not confirm whether any fraudulent activity had already occurred using the stolen data. This incident followed a cyberattack three weeks earlier against Meilleurtaux, another consumer credit broker, which also exposed client financial details. Earlier in the same year, Crédit Agricole faced a separate cyber incident involving a denial-of-service attack that disrupted its digital services. Sofinco's breach underscored persistent vulnerabilities in financial sector partnerships but did not reveal systemic weaknesses in its parent company’s infrastructure.