
Millions of Telefonica customers' data exposed

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 18 Jul 2018
Bad design caused a security flaw.

Spanish telecommunications provider Telefonica has suffered a breach that exposed the personal data and financial information of millions of users of its Movistar landline, broadband and pay television service.

Telefonica has operations in Europe, Asia, and North, Central and South America.

The breach became public after one of Movistar's users reported it to FACUA, a Spanish non-profit specialising in consumer rights protection, according to El Espanol.

According to FACUA, anyone with a Movistar account could view other users' personal data. Users needed only to be logged into the system, access their invoice and make a tiny change in the URL. Once done, the personal data of millions of Telefonica users - including ID numbers, addresses, billing history and phone numbers - could be viewed by anyone.

Bad design

The breach was possible because of the way the Movistar online customer portal was designed. The page where customers could view Movistar invoices embedded the invoice alpha-numerical ID inside the account URL. Modifying this ID would grant the user access to other users' account data, which could be used for mass data harvesting.
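The flaw described above is a missing authorisation check: the portal verified that the visitor was logged in, but never verified that the invoice ID taken from the URL belonged to that account. The following is an added illustration, not Telefonica's or Movistar's code; the account names, invoice IDs and record fields are constructed sample data, and it shows the vulnerable handler beside the corrected one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: str    # alphanumeric ID of the kind embedded in the portal URL
    owner: str         # account the invoice belongs to
    national_id: str   # the sort of personal data the portal exposed
    address: str
    amount_eur: float


# Constructed sample data standing in for the billing database.
INVOICES = {
    "INV-A7F3": Invoice("INV-A7F3", "alice", "12345678A", "Calle Uno 1", 39.90),
    "INV-B2C9": Invoice("INV-B2C9", "bob", "87654321B", "Calle Dos 2", 54.50),
}


class Forbidden(Exception):
    """Raised when the logged-in account does not own the requested invoice."""


def view_invoice_vulnerable(logged_in_user: str, invoice_id: str) -> Invoice:
    # Authentication only: any logged-in user gets whichever record the
    # URL names, which is the design flaw the article describes.
    if not logged_in_user:
        raise PermissionError("login required")
    return INVOICES[invoice_id]


def view_invoice_fixed(logged_in_user: str, invoice_id: str) -> Invoice:
    # Authentication plus authorisation: the record is released only if its
    # owner matches the authenticated account. Unknown and foreign IDs get the
    # same refusal so the response does not reveal which IDs exist.
    if not logged_in_user:
        raise PermissionError("login required")
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != logged_in_user:
        raise Forbidden(f"{logged_in_user!r} may not view {invoice_id!r}")
    return invoice


def access_granted(handler, logged_in_user: str, invoice_id: str) -> bool:
    # Helper for comparing the two handlers: True if the record was released.
    try:
        handler(logged_in_user, invoice_id)
        return True
    except (Forbidden, KeyError, PermissionError):
        return False
```

A spike of refusals from one session across many invoice IDs is also the signal a defender would alert on, since legitimate customers request only their own invoices.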

FACUA has subsequently filed a complaint against Telefonica Spain and Telefonica Mobile with the Spanish Agency for Data Protection (AEPD), the body tasked with enforcing the new GDPR data protection rules.

Under the new GDPR rules, Telefonica could be fined between 10 million and 20 million euros, or an amount equal to between 2% and 4% of its annual turnover.

A fine is not warranted

Ilia Kolochenko, CEO of Web security company High-Tech Bridge, says: "As per currently available information, I wouldn't call the incident a 'data breach'. So far, there is no certain evidence that the improper access control, discovered on the customer portal, was maliciously exploited and led to any theft."

He adds that these vulnerabilities are more common than one might think. "Similar vulnerabilities can be found on virtually every large Web site with functionality such as a customer portal. They are barely detectable with automated Web vulnerability scanning solutions that are widely used by companies as a means to assess the security of their Web applications."

In his view, the current circumstances don't warrant a financial penalty to be imposed on Telefonica under GDPR. "Otherwise, 99% of companies that face the same insurmountable difficulties in running their daily business will just stop operations. However, some additional attention to Web application security will definitely be an appropriate measure for Telefonica to detect other vulnerabilities that may exist."
