
Cyber Incident Victim: Île-de-France Mobilités

Date: Oct 2023

Location: France

Summary

Île-de-France Mobilités Connect, a service for managing public transport passes and journeys, was compromised in a cyberattack. An attacker fraudulently collected approximately 4,000 active email addresses and passwords from the web and used them to attempt access to user accounts. The organization notified affected users, required immediate password resets, and filed a complaint with the public prosecutor. A formal data breach notification was also submitted to the national data protection authority.


Description

On or around October 2, 2023, the service provider Worldline, which is responsible for securing payments and transactions for Île-de-France Mobilités, detected a cyberattack targeting the Île-de-France Mobilités Connect service. This service is a platform that allows users of the Parisian regional transit system to manage their travel passes and contracts, purchase and reload tickets, search for itineraries, and book carpooling trips through partner applications. The regional transport authority, Île-de-France Mobilités, which organizes and finances transport in the Paris region, was formally notified of the attack two days later on October 4, 2023. The attack involved an unauthorized actor fraudulently collecting approximately 4,000 active email addresses and passwords from the web. The attacker then used these stolen credentials in an attempt to gain fraudulent access to user accounts on the Île-de-France Mobilités Connect platform.

The exact date when the initial data collection occurred prior to the login attempts was not disclosed by the authority. Similarly, the specific timeframe between the collection of the credentials and their subsequent use in the intrusion attempts was not detailed in public communications. Île-de-France Mobilités did not confirm whether the accounts that were successfully accessed with the stolen passwords were subsequently used for any fraudulent activities following the breach. The scope of the incident was defined as affecting around 4,000 active user accounts, compromising their associated email addresses and passwords.

Upon being notified of the incident, Île-de-France Mobilités immediately engaged with Worldline, instructing them to take all necessary technical measures to terminate the ongoing fraudulent access attempts. This directive also included instructions to implement any additional measures required to further strengthen the security of the platform in response to the attack. The primary technical response involved forcing a password reset for all affected users to revoke the compromised credentials and prevent further unauthorized access using the stolen passwords.

The organizational response included formal legal and regulatory actions. In accordance with standard procedure for such incidents, Île-de-France Mobilités filed a legal complaint with the Prosecutor of the Republic for the fraudulent collection of data. The authority also fulfilled its obligations under data protection regulations by notifying the French National Commission on Informatics and Liberty, the CNIL, of the personal data breach. Île-de-France Mobilités committed to keeping the CNIL updated on any further developments in the situation as the investigation progressed.

Communication with the affected user base was a critical component of the response. Île-de-France Mobilités directly contacted the approximately 4,000 impacted users via a standardized letter. This communication informed them that suspicious logins had been detected on their accounts and that they would receive a separate email instructing them to reset their password immediately. The letter strongly advised users to change their passwords without delay. It also contained crucial advice on password hygiene, explicitly warning users that if they had employed the same compromised password for access to other applications or services, they should change those passwords as well to prevent credential stuffing attacks across other platforms.

The provided guidance on creating a secure password was detailed and specific. Users were advised that a strong password must be a minimum of 12 characters in length and include a combination of uppercase letters, lowercase letters, numbers, and punctuation marks or special characters. Furthermore, the guidance stipulated that passwords must be anonymous, avoiding easily guessable personal data such as birthdates or names, and must be renewed regularly. A key recommendation was that a unique password should be used for every different application and service to limit the impact of any single credential leak. The communication included references to external resources for further information on password security from the CNIL and the French National Cybersecurity Agency, ANSSI. For additional support, users were directed to contact the Navigo Agency customer service department.

The incident impacted a significant portion of the user base within a critical public transportation infrastructure system. Île-de-France Mobilités facilitates millions of daily journeys, overseeing a network that includes 1,500 bus lines, 14 metro lines, 9 tram lines, and 13 train and RER lines serving the Île-de-France region. The compromise of user credentials directly affected the digital services that customers rely on for managing their mobility, though the physical transport operations themselves were not reported to be disrupted. The primary consequence was the potential exposure of personal account information and the risk of subsequent misuse of those accounts for fraudulent purposes, though the extent of any such misuse was not confirmed. The response focused on containing the account access breach, mitigating further risk through forced password resets, and adhering to legal and regulatory reporting requirements.
