CMA CGM latest service provider to be attacked!
French shipping giant CMA CGM is the latest service provider to be hit by a cyberattack targeting customer information. Confusion reigned among the customers of the French carrier as hackers wrote to media organisations claiming to have accessed customer data – but many of the line’s customers had not heard of the attack.
Moreover, the carrier has told some customers there has been no cyberattack and that no customer information had been stolen.
The hackers claimed to have stolen the data for up to half a million of the carrier’s customers, with the online attackers threatening to release the entire database within a week.
In what would be a second attack on the carrier within a year, CMA CGM acknowledged that hackers had managed to access its database, but said it believes that it has ‘patched’ the problem, according to a report in The Loadstar.
A CMA CGM statement said: “A leak of data on limited customer information (first and last names, employer, position, email address and phone number) has been detected during surveillance operations on the group’s APIs. The IT teams have immediately developed and installed security patches, and surveillance of all our APIs has been strengthened.
“Our customers have been informed and they have been invited to strengthen the level of security to access their accounts while remaining vigilant to any suspicious activity.”
Customers confirmed that they had had no communications from the carrier about an attack, and indeed, there is no prominent posting on the carrier’s websites or social media platforms.
Global Shippers’ Forum director James Hookham pointed out that if there has been a second attack on CMA CGM, following last year’s event, and it involves personally identifiable data, it will be covered by EU General Data Protection Regulation (GDPR) rules, and thus “needs to be reported to the French data protection authority”.
Moreover, this attack would be “the second time in 12 months” that such a breach had occurred, “so French data protection authorities will have some tough questions – and are answerable themselves as to the adequacy of their oversight”.
Mr Hookham was also concerned about what else might be revealed about each customer if the entire database is posted onto the web, including their booked volumes, contract rates, booking schedules, payment terms and bank accounts, all commercially sensitive information.
“This could get very serious and potentially actionable. Customers need more information about which users are affected, what is being done to retrieve the data, and reassurances about consequential losses incurred,” said Mr Hookham.
He added: “If the shipping industry is serious about its digital future it needs to first get serious about protecting its customers’ data!”
Mr Hookham believed that, given the carrier has claimed its systems were “patched up instantly”, it does not seem to be a particularly sophisticated attack. This in itself “raises more questions about adequacy of data protection standards”.