Auchan discloses data breach: data of hundreds of thousands of customers exposed

French retailer Auchan suffered a data breach impacting hundreds of thousands of customers, with personal information stolen.

French retailer Auchan suffered a data breach that impacted hundreds of thousands of customers, resulting in the theft of personal information.

The company has already notified the impacted customers.

Threat actors stole customers’ personal data linked to their loyalty cards, including title, surname, first name, address, telephone number, email address, and card number. The data breach did not expose bank details, passwords, and PINs.

“We are writing to inform you that Auchan was a victim of a cyberattack. This attack led to unauthorized access to certain personal data associated with your loyalty account: civility, professional client status, last name, first name, email and postal addresses, phone number, and loyalty card number. Your bank data, password, and PIN are not concerned.” reads the data breach notification sent to the impacted customers. “The protection of our clients’ data is at the heart of our priorities, and we are treating this incident with the utmost rigor. All necessary measures were taken immediately to stop this attack and reinforce the protection of our information systems. In parallel, we have notified the National Commission for Information Technology and Liberties (CNIL).”

In response to the incident, the retail giant has deactivated the cards of the impacted individuals. Customers must visit stores for new cards to restore Waaoh savings, highlighting the breach’s seriousness. The company did not reveal technical details about the attack.

“Internal communications are attempting to reassure: no banking data, passwords, or PINs would be affected. But behind this assertion lies a more complex reality.” reported the media outlet Zataz. “The scope of the intrusion affects the customer’s identity and their complete profile, opening the way to multiple malicious uses: spoofing, phishing, and illegal commercial targeting.”

Auchan notified the French data protection watchdog CNIL, stressing a rigorous response with immediate measures. Details on the intrusion remain undisclosed, raising doubts about whether it’s isolated or tied to broader breaches like the November 2024 incident. ZATAZ states that the attack came via a partner. The local media pointed out that the loyalty card deactivation and in-store reissue highlight the sensitivity of such “peripheral” systems.

Auchan advises customers to stay alert against phishing attempts via email, SMS, or phone calls. The company stresses it will never request credentials, passwords, or loyalty card PINs through these channels. Suspicious messages should be ignored: don’t click links, don’t call listed numbers, and don’t trust their content. In case of doubt or unusual activity, Auchan recommends contacting the official French cyber victim assistance service at www.cybermalveillance.gouv.fr to report incidents and protect your rights.

This marks Auchan’s second disclosed data breach in a year, with the latest notice resembling the one sent to customers in November 2024.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)