
Cyber Incident Victim: Netia

Date: Jul 2016

Location: Poland

Summary

A Ukrainian hacker breached Poland's second-largest telecommunications provider, compromising extensive customer and corporate data. The attacker exfiltrated approximately 14GB of information, including personal details (names, addresses, phone numbers), email addresses from multiple domains, transaction records, and session IDs that could enable unauthorized account access. The company asserted that data exposure was limited and that passwords remained secure, but independent researchers verified a significantly broader impact: sales databases, system logs, and, most notably, session identifiers that circumvent authentication. The stolen datasets were publicly leaked on underground forums and contained client communications, service contracts, and device information spanning multiple business units.


Description

On July 7, 2016, at 11:03 a.m. local time, Ukrainian hacker "Pravy Sektor" breached Polish telecommunications provider Netia, targeting the investor.netia.pl domain and main website netia.pl. The attack disrupted public access to Netia's primary web portal until late that evening. Company spokeswoman Lidia Marcinkowska confirmed hackers accessed two types of web forms used for customer inquiries and contract sign-ups, potentially compromising associated client data. Netia issued a press release asserting that only limited data was exposed, specifically maintaining that NetiaOnline portal credentials remained secure and that customer/partner information was under expert protection. Independent cybersecurity researchers from Hacked-DB subsequently discovered the hacker had posted approximately 14GB of stolen data on underground forums, contradicting the company's minimal impact claims.


Analysis by Hacked-DB's Yogev Mizrahi and Oren Yaakobi revealed multiple compromised SQL databases containing sales records with Blue Media transactions, device/product offers, IP Block Lead, and IP TradeDoubler data. One SQL file contained 342,000 entries with personally identifiable information including full names, home addresses, and IP addresses last updated in 2014. Additional leaked records exposed client publication details encompassing email addresses, phone numbers, and physical locations. A 9GB log file exposed session IDs, user agents, browser types, and operating system data, while email address leaks totaled 615,525 unique entries—including 150,440 from Poland's Wirtualna portal, 118,989 Gmail accounts, and 64,000 O2 user addresses. Researchers emphasized the critical risk posed by exposed session IDs, which could enable unauthorized authentication without password requirements. Netia maintained its infrastructure protections despite evidence of extensive data extraction spanning commercial transactions, customer databases, and system logs.
