Telefonica, a telecom operator based in Spain, has suffered a security breach: attackers exploited a vulnerability in its systems that exposed the private data of millions of Telefonica customers and leaked the billing data of others.
The billing data was accessible to the general public: anyone who logged in to the system could open another customer's invoice simply by modifying the URL.
The exposed data includes highly sensitive information, including mobile and landline numbers, residential addresses, national ID numbers, names, bank details, billing records and call history. The data could be downloaded in CSV format.
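The flaw described above is an insecure direct object reference: the invoice handler checked that a session existed but never checked that the invoice belonged to that session's customer. The example below is added here and is not Telefonica's code; the invoice store, field names and log rows are constructed assumptions. It shows the vulnerable pattern beside the hardened handler, plus a simple detection rule over access-log rows that flags sessions reading invoices owned by several different customers.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample records; the schema is an assumption, not the operator's.
@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    customer_id: int
    phone: str
    amount_eur: float

INVOICES = {
    1001: Invoice(1001, 7, "+34600000001", 42.50),
    1002: Invoice(1002, 8, "+34600000002", 19.99),
    1003: Invoice(1003, 7, "+34600000001", 40.00),
    1004: Invoice(1004, 9, "+34600000003", 55.10),
}

def get_invoice_vulnerable(customer_id: int, invoice_id: int) -> Optional[Invoice]:
    """Pattern behind the breach: the caller is logged in (customer_id is known),
    but the invoice id taken from the URL is trusted without an ownership check."""
    return INVOICES.get(invoice_id)

def get_invoice(customer_id: int, invoice_id: int) -> Optional[Invoice]:
    """Hardened handler: the invoice must belong to the authenticated customer.
    Unknown and foreign ids both yield None so the id space cannot be probed
    by telling 'not found' apart from 'forbidden'."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.customer_id != customer_id:
        return None
    return inv

def suspicious_sessions(access_log, threshold: int = 2) -> set:
    """Detection: flag sessions whose fetched invoices belong to at least
    `threshold` customers other than the session's own customer.
    access_log rows are (session_id, session_customer_id, invoice_id)."""
    foreign_owners: dict = {}
    for session, session_customer, invoice_id in access_log:
        inv = INVOICES.get(invoice_id)
        if inv is not None and inv.customer_id != session_customer:
            foreign_owners.setdefault(session, set()).add(inv.customer_id)
    return {s for s, owners in foreign_owners.items() if len(owners) >= threshold}

# Constructed access-log rows: sess-a reads its own invoices, sess-b walks
# sequential ids and reaches invoices owned by two other customers.
ACCESS_LOG = [
    ("sess-a", 7, 1001), ("sess-a", 7, 1003),
    ("sess-b", 8, 1002), ("sess-b", 8, 1001), ("sess-b", 8, 1004),
]
```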
According to a report by El Espanol, this attack closely resembles the July 2017 attack on Spain's systems that exposed the personal data of a large number of consumers to cybercriminals and other users. El Espanol also noted that although the cybercriminals chose to access random records, it would have been entirely possible for them to write a dedicated program that harvested a massive amount of information from the operator's systems.
The breach was identified after a Movistar customer reported it to FACUA, a consumer rights group in Spain, which has called it the biggest security breach in the history of Spanish telecoms.
FACUA has filed a complaint with the AEPD (Spanish Agency for Data Protection), the body responsible for enforcing the EU's newly introduced GDPR rules.
Under GDPR, Telefonica could be fined up to €20m or asked to pay 2 to 4% of its annual turnover. It is worth noting that Spain's own data protection law limits fines to between €300,000 and €600,000; FACUA is unhappy with this and has called it utterly "ridiculous".
According to Telefonica, there has been no fraudulent access, but the company has already informed the "competent authorities" about the breach and has fixed the flaw.