
A malicious actor is claiming to have stolen a database containing customer data and employee access credentials from French insurance behemoth AXA. However, the Cybernews research team is skeptical that any of the attackers' claims are true.
- A threat actor claims to possess AXA customer data and demands a two million euro crypto payment.
- The alleged stolen database supposedly contains standard personally identifiable information including full names, addresses, emails, and banking details.
- Experts warn that cybercriminals often post false data leak claims on forums to scam other users or brokers.
A post announcing a purported data breach at major global insurance player AXA was recently uploaded to a popular data leak forum. The attackers claim to have access to the axa.fr database, which includes personal customer details alongside employee access credentials.
“To prevent resale of this data, a payment of €2,000,000 in cryptocurrency is required. You have 30 days,” reads the attacker’s post, which was reshared on X numerous times over the last 24 hours.
Headquartered in Paris, AXA is a major multinational insurance corporation with reported revenues exceeding €87 billion ($120 billion) and a workforce of over 113,000. The company serves 9 million customers in France alone.
Meanwhile, AXA told Cybernews that it had investigated the attacker's claims and concluded that no customer or employee databases were accessed.
“After a prompt and thorough internal investigation, we found no evidence of a system breach, no compromise of customer data, and no unauthorized access to employee credentials. These claims seem to be baseless and part of a malicious extortion attempt,” the company told Cybernews.
“Protecting our customers' and employees' data remains a top priority. AXA employs robust cybersecurity measures, continuous monitoring, and strict access controls to prevent, detect, and respond to potential threats. We are continuing to monitor the situation.”
According to the attacker, the supposedly compromised details include:
- Full names
- Full addresses
- Emails
- Phone numbers
- Dates of birth
- IBANs
- Other data
The records the attacker claims to have obtained include standard personally identifiable information (PII), which malicious actors often exploit for fraud, identity theft, and various forms of phishing.
However, after investigating the attacker's claims, our team was doubtful that any of them were true. For one, the post's author appears to have low credibility on the data leak forum. Since numerous cybercrooks roam the forum, credibility serves as a currency of trustworthiness on the platform.
Another red flag is the lack of any data sample. Typically, attackers provide at least several lines of records that allow others to identify where the data came from and who its owner is. However, in some cases, cybercriminals avoid sharing information to attract a specific type of black-market data broker.
The post instructs users to contact the attacker over a personal Telegram account, which is not unheard of in the cybercriminal underworld. However, attackers may also attempt to lure fellow crooks to a place of their choosing, making it easier to scam the scammers.
Data leak forum users sometimes announce grandiose leaks that are impossible to look away from. In other cases, threat actors attempted to lure individuals by posting dubious-looking “data breaches” involving the analytic software maker SAS Institute and tech giant Dell.
Updated on February 19th [10:00 a.m. GMT] with a statement from AXA.