The famous saying often quoted by Group Chief Security Officer François-Xavier Vincent could easily apply to the cyber incident that the group experienced after the summer. Obviously, it’s easier to say after the event… We look back at what triggered the incident. And the lessons to be learned from it with the Group Chief Security Officer and Chief Communications Officer Olivier Beaunay.
On Sunday 20 August, François-Xavier Vincent received a personal message telling him that a group of hackers on the dark web, Stormous, was claiming to have targeted Econocom… The information soon went public on X (formerly Twitter). Econocom’s internal Security Operations Centre (SOC) was immediately informed and carried out the initial investigations. « That kind of alert is very common, and so we first needed to check that the information was genuine and better qualify the potential incident’s impact, » François-Xavier clarifies. In fact, the early information posted was quite old, suggesting a resurgence of the attack the group experienced in 2020…
The pressure was rising…
On Monday, a LeMagIT article gave the issue greater weight and our clients then started to contact us. Initial coordination began that same day, with the external incident response team activated to support the internal SOC. At that time, the group identified more of a reputational risk than a real technical incident. Yet the next day around noon, Stormous confirmed the hacking, stating that Econocom was refusing to speak to them and so was not taking its clients’ and employees’ data seriously! The pressure was rising… A crisis unit was formed[1] and met daily. The posting of more recent documents was then discovered. On Tuesday afternoon, certain leaked documents were identified on two Econocom sharing spaces within the Services Division France. The Division’s ISSM Stéphane Pouvil was then contacted, and the crisis management mechanism fully triggered at both group and business line level.
Stormous, not enormous…
What happened next was shared in both internal and external media releases published throughout the incident and up to its resolution. In three days, investigations found that the leak came from a service provider — which was immediately restricted — and confirmed that, despite an alert on one of the group’s servers, Econocom’s systems and databases had not been compromised. In short, the impact seemed very limited. In terms of perception, however, this was a ‘crisis’ and therefore we needed to manage simultaneously the technical investigations and communications, aimed in particular at clients and the media. The incident entered its resolution phase the following Thursday and was officially closed on Wednesday 6, to be replaced by the remediation phase that is now ongoing.
Lessons learned
« Not too early not too late, not too much not too little »
What lessons can we take away from this incident? Numerous avenues for improvement are naturally being explored, which will be detailed at the appropriate time in a masterplan to further strengthen the group’s security. The incident nevertheless confirmed the importance of communicating well, and as soon as the source of the alert becomes public. « Not too early not too late, not too much not too little, » summarizes Chief Communications Officer Olivier Beaunay. That pragmatic approach also emphasizes the need to target key media whilst avoiding wasting energy.
It was François-Xavier Vincent’s interview with LeMagIT that won over the main media source on the incident, which along with others — and this is unusual enough to be worth mentioning — would praise the group’s transparency and responsiveness… As for social media, it was deliberately sidelined. Olivier clarifies: « In a crisis situation, you only intervene in two scenarios: when there are factual errors, and when the posts have significant viral potential. » There is no point bolstering with our interventions accounts that represent only a small community…
« We did OK…, » François-Xavier starts, « …and you always need a bit of luck! » Olivier finishes. But François-Xavier stresses, « that also highlights the need for clear processes, for both the crisis management and the communications with account managers and security managers as well as our clients. The overall success of our crisis management drew heavily on the fact that the people involved had tried-and-tested experience of that type of situation. We need to take that essential step towards more formal processes that everyone understands, in line with our ambition as a major group. »
From resilience to anti-fragility
That is why we never let a good crisis go to waste… And we need to avoid overfocusing on everyday matters by taking the necessary time to learn all the lessons from what might look like a near-crisis, or even a full-scale exercise if compared to the previous one in 2020.
The aim: developing an effective shared security culture in all areas: people, processes and technologies. « It’s not the security team alone that provides security, it’s everyone, with professional day-to-day practices that build trust and resilience, » François-Xavier concludes. Olivier adds: « We could even try, like Nassim Nicholas Taleb[2] suggests, moving from resilience, which makes it possible to recover from an initial shock, to anti-fragility, which makes it possible to emerge even stronger! »
[1] This unit comprised: François-Xavier Vincent and Anne Lupfer for cybersecurity, Olivier Beaunay and Marion Courtot for communications, Sébastien Lesimple for the information system, Antoinette Roche for legal affairs and Danièle Lefur for data protection. The unit worked in cooperation with the Board, the technical investigation unit as well as with the network of IT security managers, the markoms group and The Arcane agency to liaise with the business lines, countries and media.
[2] Essayist, statistician and financial mathematics specialist. He is the author of Le Cygne noir : la puissance de l’imprévisible and Antifragile. Les bienfaits du désordre.
