Cyber Incident Victim: Direct Assurance
Date:
Jan 2024
Location:
France
Summary
A subsidiary of Axa experienced a data breach through a supplier compromise, exposing personal information of 15,000 clients (approximately 1% of its user base). Stolen data included names, birthdates, postal and email addresses, phone numbers, and IBANs, with banking details specifically compromised for 5,800 individuals. The company notified affected customers, issued apologies, provided prevention guidance, and reported the incident to the French data protection authority. While no legal complaint was filed initially, authorities highlighted risks of fraudulent withdrawals or IBAN misuse using the stolen financial identifiers.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Direct Assurance, a subsidiary of the Axa insurance group, experienced a data breach impacting 15,000 clients following a cyberattack targeting one of its suppliers. The incident occurred when an unauthorized actor compromised the supplier's IT system, gaining access to sensitive customer information. Stolen data included full names, dates of birth, postal addresses, email addresses, telephone numbers, and bank account identifiers (IBANs). An updated statement from Direct Assurance clarified that IBANs were specifically compromised for 5,800 individuals within the broader group of 15,000 affected customers. The company emphasized that this represented approximately 1% of its total client base. Direct Assurance confirmed direct notification of all impacted individuals to inform them of the breach, apologize, offer support services, and provide preventive guidance. The National Commission for Information Technology and Civil Liberties (CNIL) was notified in compliance with legal obligations stemming from the breach's scale. No legal complaint had been filed by Direct Assurance as of the latest reporting date in November 2024.
The breach exposed victims to heightened risks of financial fraud and identity theft due to the nature of the stolen data. Compromised IBANs specifically created potential for fraudulent direct debit authorizations or unauthorized payment mandates using stolen banking details. Direct Assurance did not disclose technical details about the supplier's compromised systems, attack vectors, or detection timelines. The company's public response focused on victim notification and regulatory compliance rather than technical containment measures or forensic findings. This incident occurred amidst a series of high-profile data breaches affecting major French companies including Free, Auchan, and Picard, though no attribution or connection between these events was established in available reporting. The CNIL reiterated general warnings about financial fraud risks associated with IBAN exposure but did not issue Direct Assurance-specific recommendations based on publicly available information.