Cyber Incident Victim: Easy Cash

On 16 April, Easy Cash announced via email to its customers that it had suffered a cybersecurity incident localized on the computer of one of its stores. The company stated that the incident potentially led to unauthorized access to certain personal data. Specifically, names, first names and dates of birth of customers could have been consulted by the attackers. Easy Cash emphasized that no banking data, passwords or means of accessing customer accounts were affected. The firm said it had immediately taken the necessary measures to contain the incident and reinforce the security of its systems. It also filed a complaint and notified the competent authorities. According to researcher Clément Domingo, a database belonging to Easy Cash was found for sale on the dark web, potentially concerning 13.6 million users and offered for 4,000 dollars. Domingo noted that, at the time, there was no proof linking this database to the cyberattack. A spokesperson for Easy Cash, speaking to 01net, said that fewer than 100,000 people had actually been affected. The spokesperson specified that the incident could have allowed the retrieval of personal data of 92,000 customers and of the store’s employees. To date, Easy Cash reported that no fraudulent use of the disclosed data had been observed. The company said it continues to work closely with its experts to analyse whether any new elements have emerged.

The Easy Cash incident occurred amid a rise in cyberattacks targeting French companies. On 18 April, the parking specialist Indigo reported a cybersecurity incident in which emails, names and postal addresses were accessed. Two days before the Easy Cash alert, the optician chain Alain Afflelou suffered a data leak via one of its service providers. These events illustrate the broader threat environment in which Easy Cash operates. No further details about the attackers or their motives were disclosed in the sources.