Cyber Incident Victim: SFR

On September 3, 2024, French telecommunications operator SFR experienced a security incident involving unauthorized access to a customer order management tool. The breach impacted a subset of RED by SFR clients who had recently purchased a smartphone and mobile plan. Attackers exfiltrated personal data including full names, contact information (telephone numbers, email addresses, and physical addresses), order details, International Bank Account Numbers (IBAN), smartphone identification numbers, and SIM card numbers. SFR confirmed through customer notifications that the compromise did not extend to passwords, call history records, or SMS message content. The company terminated the unauthorized access following detection and implemented immediate security enhancements to authentication protocols for contact information modification requests.

SFR formally reported the incident to France’s National Commission on Informatics and Liberty (CNIL) and filed a criminal complaint with the Prosecutor’s Office. The operator established a dedicated helpline (0805.80.49.49) to assist affected customers, warning of potential phishing attempts leveraging the stolen data. Internal investigations confirmed the attackers exploited vulnerabilities specifically within the order management system rather than broader network infrastructure. While SFR declared the incident resolved with permanent containment measures, the breach exposed financial identifiers and device-specific details that could facilitate identity theft or SIM-swapping attacks against impacted individuals. The company did not disclose the exact number of affected customers or the intrusion’s duration prior to detection in its public communications.