[BreachExchange] Millions of Telefonica customers’ data exposed after security breach
Audrey McNeil
audrey at riskbasedsecurity.com
Tue Jul 17 18:55:00 EDT 2018
https://www.hackread.com/spanish-telecom-firm-telefonica-suffers-massive-
security-breach/
Telefonica, a telecom operator based in Spain, has become a victim of a
security breach after hackers managed to exploit a vulnerability that led
to the exposure of private data of millions of Telefonica customers while
leaking billing data of other customers.
The billing data is easily accessible by the general public simply by
logging in to the system and accessing the invoice after modifying the URL.
The exposed data includes critical sensitive data including mobile and
landline numbers, residential addresses, national ID numbers, names, banks,
billing records and call history, etc. The data is now available in CVS
format for downloading.
As per the report from El Espanol, this attack is quite similar to the July
2017 attack on Spain’s systems that resulted in exposing personal data of a
large number of consumers to cybercriminals and other users. Moreover, El
Espanol noted that although the cybercriminals have chosen to access random
data it was quite possible for them to design a dedicated program for
collecting a massive amount of information from the operator’s systems.
The security breach was identified after a report from Movistar customer to
the FACUA, a consumer rights group in Spain, which has referred to this
breach as the biggest of all security breaches in the telecom history of
Spain.
FACUA has filed a complaint with the AEPD (Spanish Agency for Data
Protection), which is a department responsible for implementing the newly
devised GDPR rules of the EU. Under GDPR, Telefonica might be fined for up
to €20m or asked to submit 2 to 4% of its annual turnover. It is worth
noting that in Spain, the data protection law restricts the fines between a
range of €300,000 and €600,000 but FACUA is unhappy with this decision and
called it utterly “ridiculous”.
According to Telefonica, there hasn’t been any fraudulent access but the
company has already informed “competent authorities” about the security
breach and has managed to fix the flaw too.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180717/45be688e/attachment.html>
More information about the BreachExchange
mailing list