Telefónica, a Spain-based telecom operator, has become the victim of a security breach after hackers managed to exploit a vulnerability that led to the exposure of the personal and billing data of millions of users, as reported by experts in enterprise data protection services.
Accessing the billing data is really easy for anyone: a user simply enters the system, and the bill can be accessed after modifying the URL. Exposed data includes sensitive information such as addresses, names, mobile numbers, banks, billing records, call history, etc. The data is now available for download in CSV format.
Specialists in enterprise data protection services report that the security breach was identified thanks to a user's report to FACUA, a consumer rights organization in Spain, which has described this breach as the biggest security breach in the history of telecommunications in the country.
FACUA has filed a complaint with the Spanish Data Protection Agency (AEPD), the department responsible for implementing the European Union’s General Data Protection Regulation (GDPR). According to the GDPR, Telefónica could receive a fine of up to €20M, or be required to pay a fine equivalent to between 2 and 4% of its annual revenues. It is worth mentioning that in Spain, the data protection law includes only fines ranging between €300K and €600K, but FACUA considers these amounts “derisory” and plans to appeal.
According to reports from experts in enterprise data protection services from the International Institute of Cyber Security, Telefónica spokespersons say that there has been no fraudulent access to customer information, yet the company has informed the competent authorities of the situation and has also solved the problem, so it expects FACUA's demands to be dismissed.
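The flaw described above, where a logged-in user reaches a bill just by changing the identifier in the URL, is a missing ownership check. The following is an added illustration, not Telefónica's code: the bill IDs, account names, session table and function names are all hypothetical, and it contrasts a handler that only checks for a login with one that also ties the bill to the session's account.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Bill:
    bill_id: int
    account_id: str
    body: str


# Constructed sample data (hypothetical accounts and bills).
BILLS = {
    1001: Bill(1001, "acct-alice", "Alice, March invoice"),
    1002: Bill(1002, "acct-bob", "Bob, March invoice"),
}
SESSIONS = {"sess-a": "acct-alice", "sess-b": "acct-bob"}
DENIED = []  # audit trail of cross-account requests, for detection


def get_bill_vulnerable(session_id, bill_id):
    """Checks only that the caller is logged in, then trusts the URL's ID."""
    if session_id not in SESSIONS:
        return 401, None
    bill = BILLS.get(bill_id)
    return (200, bill.body) if bill else (404, None)


def get_bill_fixed(session_id, bill_id):
    """Returns a bill only if it belongs to the session's own account."""
    account = SESSIONS.get(session_id)
    if account is None:
        return 401, None
    bill = BILLS.get(bill_id)
    if bill is None or bill.account_id != account:
        if bill is not None:
            # Record the attempt so repeated ID changes can be alerted on.
            DENIED.append((account, bill_id))
        # Same response as "not found", so existence of the bill is not leaked.
        return 404, None
    return 200, bill.body
```
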