A few days ago, we discovered that the internal security of our offices in Roubaix had been compromised. After internal investigations we found that a hacker was able to gain access to an email account of one of our system administrators. With this email access, they was able to gain access to the internal VPN of another employee. Then with this VPN access, they was able to compromise the access of one of the system admins who deals with the internal backoffice.
Internal security was based on 2 levels of verification:
- The requirement to be in the office or use the VPN, i.e.: the IP source
- The personal password
After this hack, we changed the internal security rules immediately:
- Passwords of all employees were regenerated for all types of access.
- We set up a new VPN in a secure PCI-DSS room with highly restricted access
- Consulting internal emails is now possible from the office / VPN
- All those who have critical access now have 3 verification levels:
- Ip source
- The staffs hardware token (YubiKey)
During the internal investigation into the security incident, we have discovered that hackers have probably gained privileged access for two actions:
- Recover the database of our customers in Europe
- Gain access to the installation server system in Quebec
The European customer database includes personal customer information such as: surname, first name, nic, address, city, country, telephone, fax and encrypted password.
The encryption password is based on SHA512, i.e.: it is very strong. It takes a lot of technical know-how to find the word password clearly. But it is possible. This is why we advise you to change the password for your user name. An email will be sent today to all our customers explaining the security incident and inviting them to change their password. Information on credit cards have not been consulted or copied. Today we do not store this on our infrastructure.
On the Quebec server system installation, the risk we have identified is that if the client had not withdrawn our SSH server key, the hacker could connect from your system and retrieve the password stored in the .p file. The SSH key is not usable from another server, only our Quebec backoffice . Therefore, where the client has not removed our SSH key and has not changed their root password, we immediately changed the password of the servers in the BHS DC to cancel this risk there. An email will be sent with the new password today. The SSH key will now be systematically erased at the server delivery end in Quebec as well as in Europe. If the client needs OVH for support, a new SSH key will need to be reinstalled.
Overall, in the coming months the back office will be under PCI-DSS which will allow us to ensure that the incident related to a specific hack on specific ndividuals will have no impact on our databases. In short, we were not paranoid enough so now we're switching to a higher level of paranoia. The aim is to guarantee and protect your data in the case of industrial espionage that would target people working at OVH.
We also filed a criminal complaint about this to the judicial authorities. In order not to disrupt the work of investigators, we will not give other details before the final conclusions.
We apologise for the incident. Thank you for your understanding.