The Spanish operator Telefonica has suffered a security breach. Hackers have been exploiting a vulnerability that exposed users' private and confidential data, including other customers' billing data. The latter were trivially accessible: it was enough to log in to the customer portal, open an invoice and then change the identifier in the URL to view another customer's bill. The data exposed included telephone numbers, residential addresses and national identification numbers, and the invoices could also be downloaded in CSV format.
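The flaw described above is an insecure direct object reference (IDOR): the server checks that the caller is logged in but never checks that the invoice requested in the URL belongs to that account. The following is an added example, not code from Telefonica or Movistar; the invoice store, the session model, the path layout `/invoices/<id>[.csv]` and all function names are hypothetical, and the customer rows are constructed for the demonstration. It shows the vulnerable handler beside a hardened one that enforces ownership, and a small walk over the id space that measures how much each handler leaks.

```python
"""IDOR on an invoice endpoint: vulnerable handler vs. hardened handler.

Added example (hypothetical store, paths and names; constructed data).
"""
from dataclasses import dataclass, asdict
import csv
import io
import re


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    customer_id: int
    phone: str
    address: str
    national_id: str
    amount_eur: float


# Constructed sample data (not real customers): two accounts, three invoices.
INVOICES = {
    1001: Invoice(1001, 1, "+34 600 000 001", "Calle A 1, Madrid", "00000001A", 39.90),
    1002: Invoice(1002, 2, "+34 600 000 002", "Calle B 2, Sevilla", "00000002B", 54.20),
    1003: Invoice(1003, 2, "+34 600 000 003", "Calle B 2, Sevilla", "00000002B", 12.00),
}

# Hypothetical URL layout: /invoices/1002 (JSON-like dict) or /invoices/1002.csv
INVOICE_PATH = re.compile(r"^/invoices/(\d+)(\.csv)?$")


def render(inv, as_csv):
    """Render one invoice either as a dict or as a one-row CSV document."""
    row = asdict(inv)
    if not as_csv:
        return row
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(row.keys()))
    writer.writeheader()
    writer.writerow(row)
    return buf.getvalue()


def handle_vulnerable(session_customer_id, path):
    """Authentication only: any logged-in customer who edits the id in the
    URL receives another customer's invoice, which is the pattern in the article."""
    if session_customer_id is None:
        return 401, None
    m = INVOICE_PATH.match(path)
    if m is None:
        return 404, None
    inv = INVOICES.get(int(m.group(1)))
    if inv is None:
        return 404, None
    return 200, render(inv, m.group(2) is not None)


def handle_hardened(session_customer_id, path):
    """Authentication plus authorization: the invoice must belong to the
    authenticated account, for the CSV export as well as the normal view."""
    if session_customer_id is None:
        return 401, None
    m = INVOICE_PATH.match(path)
    if m is None:
        return 404, None
    inv = INVOICES.get(int(m.group(1)))
    # Answer 404 for "not yours" exactly as for "does not exist", so a caller
    # walking the id space cannot even learn which ids are valid.
    if inv is None or inv.customer_id != session_customer_id:
        return 404, None
    return 200, render(inv, m.group(2) is not None)


def enumerate_invoices(handler, session_customer_id, first_id, last_id):
    """Simulate the URL-tampering walk: ids of other customers' invoices that
    a single logged-in account can pull by incrementing the identifier."""
    leaked = []
    for invoice_id in range(first_id, last_id + 1):
        status, body = handler(session_customer_id, f"/invoices/{invoice_id}")
        if status == 200 and body["customer_id"] != session_customer_id:
            leaked.append(invoice_id)
    return leaked


if __name__ == "__main__":
    print("vulnerable leaks:", enumerate_invoices(handle_vulnerable, 1, 1000, 1010))
    print("hardened leaks:  ", enumerate_invoices(handle_hardened, 1, 1000, 1010))
```

The ownership check is the whole fix; note that it is applied on every representation of the resource (here the CSV export too), since an export or print endpoint that forgets the check reopens the same leak.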
According to a report in El Español, this incident is said to be the same as one in July 2017 in which Spanish systems leaked users' personal data. A Movistar customer (Movistar is Telefonica's Spanish consumer brand) who reported the breach submitted it to FACUA, a Spanish consumer rights group, which filed a complaint with the AEPD (Spanish Data Protection Agency), the authority that also enforces the GDPR in Spain. The breach could therefore cost up to 20 million euros in fines or between 2% and 4% of annual worldwide turnover depending on the tier of infringement, whichever amount is higher. In response, Telefonica stated that no fraudulent access had been reported and that the vulnerability had been corrected.
The GDPR forces companies that hold user data in digital form to secure it properly: an exploitable vulnerability quickly becomes a threat to customer privacy. Telecom operators need to be more involved in detecting cyber attacks by closely monitoring activity on their networks and reporting suspicious events. However, operators are not permitted to inspect the traffic they carry in order to hunt for attacks; they are only allowed to protect their own systems within those flows. It is for this reason that ANSSI has proposed a collaborative scheme under which participating operators would be able to trace attacks on the flows they carry.