Hackers exploited a flaw at Spanish operator Telefonica early Monday and likely exposed all the personal data of millions of the company's customers.
Identity and payment information – including land line and mobile numbers, national ID numbers, addresses, banks, names and records of calls and other data – was exposed, although there is no evidence that any of the data was used in fraudulent activity, according to a report in Telecompaper, which cited El Espanol.
The company reportedly has fixed the flaw.
"Telefonica cannot at present ascertain the potential impact – that will take time to understand," said Pravin Kothari, founder and CEO of cloud security provider CipherCloud, who noted that Telefonica is a global top 10 telecom company reporting revenue of more than $53 billion. "Surprisingly, the Telefonica customer data was easily downloadable as an unencrypted spreadsheet."
According to Kothari, the "moral of the story" is that hackers "will get into any network sooner or later."
If Telefonica's data had been protected by end-to-end encryption "there would be no breach to report under GDPR,as stolen encrypted data would be unusable," he said. "Now that GDPR is in effect, the Telefonica customer notifications and follow-up must be done in a compliant and potentially expensive way."
The Telefonica breach, as well as others that occur in the EU, "now presents the risk of an unknown and potentially expensive GDPR audit," said Kothari.
In an email to SC Media UK Ilia Kolochenko, CEO, High-Tech Bridge commented: "As per currently available information, I would refrain from calling the incident a "data breach". So far, there is no certain evidence that the improper access control, discovered on the customer portal, was maliciously exploited and led to any PII theft. Moreover, such vulnerabilities are pretty common, and similar vulnerabilities can be found virtually on every large website with sophisticated functionality such as customer portal. They are hardly detectable with automated web vulnerability scanning solutions widely used by companies as a principal mean to assess security of their web applications.
"In light of the currently known circumstances, I don’t see any compelling reasons to impose a financial penalty upon Telefonica under GDRP. Otherwise, 99 percent of companies that face the same insurmountable difficulties in running their daily business will just stop operations. However, some additional attention to web application security will definitely be an appropriate measure for Telefonica to detect other vulnerabilities that may exist."