Telefonica, a Spanish operator and one of the world's largest telecommunication providers, recently suffered a security breach that led to the exposure of the personal data of millions of customers.
The alleged breach came to light after a user of Movistar (a major telecommunication brand owned by Telefonica) discovered the vulnerability and reported it to FACUA, a non-profit, non-governmental organization that works for customer rights protection.
Loopholes in the design of the Movistar online customer portal allowed any person with a Movistar account to view the personal information of any other user. Movistar's invoice web page URL contained an alphanumeric ID. Modifying this ID could give access to the billing data of other customers. Because the invoice holds personal details as well, access to the bill led to the exposure of the personal data of millions of customers, including:
The Telefonica breach involved accessing users' data arbitrarily and did not require a high level of technical expertise. However, the vulnerability could have been used to write a program that collects the information of numerous customers from the operator's system and then analyzes it.
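The flaw described above is a missing ownership check on the invoice ID taken from the URL. The following Python is an added example, not Telefonica's or Movistar's code: it contrasts that lookup with one bound to the logged-in account and counts rejected lookups so that automated ID guessing stands out. The invoice data, function names and alert threshold are constructed for illustration.

```python
from collections import Counter

# Constructed sample data: invoice ID -> owner account and billing details.
INVOICES = {
    "A1B2C3": {"owner": "alice", "name": "Alice Example", "amount": "41.20"},
    "A1B2C4": {"owner": "bob", "name": "Bob Example", "amount": "18.75"},
}

DENIED = Counter()      # per-account count of rejected invoice lookups
ALERT_THRESHOLD = 3     # assumed value; tune against real traffic


class Forbidden(Exception):
    """Raised for any invoice the caller may not see."""


def get_invoice_flawed(session_user, invoice_id):
    # Flawed pattern: being logged in is the only check, so the ID from
    # the URL alone decides whose bill is returned.
    return INVOICES.get(invoice_id)


def get_invoice_checked(session_user, invoice_id):
    # Object-level authorization: the invoice must belong to the account
    # bound to the session. Unknown and foreign IDs raise the same error,
    # so responses do not reveal which IDs exist.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != session_user:
        DENIED[session_user] += 1
        raise Forbidden(invoice_id)
    return invoice


def accounts_to_review():
    # Repeated denials from one account suggest automated ID guessing.
    return sorted(u for u, n in DENIED.items() if n >= ALERT_THRESHOLD)
```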
After the vulnerability was discovered and reported to FACUA, a Spanish consumer forum, the organization filed a complaint with the Spanish Agency for Data Protection (AEPD).
The Spanish Data Protection Agency is a government organization responsible for protecting users' personal data. AEPD is also responsible for enforcing the EU's newly introduced GDPR rules.
Under the new data protection regulation, GDPR, the fine for non-compliance with data protection regulations or for a data breach can be up to 4 percent of a company's global annual turnover or 20 million euros ($23.5 million), whichever amount is larger.
However, under Spain's data protection law these fines are limited to between €300,000 and €600,000, which is comparatively low. FACUA has therefore called on the Spanish government to update the regulation.
Telefonica has informed all the competent authorities about the breach and stated that no fraudulent access has been detected so far.