Spain’s Telefonica, one of the largest telecommunications providers in the world, delivering services in over 20 countries, has experienced a security breach that potentially exposed millions of its customers’ personal and financial details.

A customer of Movistar, a telecoms brand owned by Telefonica that operates in Spain and Hispanic America, reported the breach to the Spanish consumer rights group FACUA. The group then made the breach public and informed the Spanish Agency for Data Protection (AEPD). Movistar has 22 million customers of landline, broadband and pay television services.

FACUA notified Telefonica of the breach on Sunday and Telefonica patched the flaw on Monday.

How it happened

A user of Movistar discovered the flaw while using the customer portal.

The flaw in Telefonica’s customer portal allowed any logged-in customer to read the billing information of other customers. All the user had to do was log in, open one of their own invoices and change the invoice identifier in the URL. The portal never checked that the requested invoice belonged to the logged-in account, so the altered URL simply returned another customer’s data: landline and mobile phone numbers, national ID numbers, names, postal addresses, bank names, billing history, phone records and other call data. Worse, the same data could be downloaded as a CSV spreadsheet. As long as the user was logged in, the information was accessible, and nothing in the response was encrypted or masked.

This is a textbook broken access control flaw (an insecure direct object reference, or IDOR): the server trusted the object identifier supplied by the client instead of checking who owned the object. Because the identifier in the URL could simply be changed and the portal handed back the data as plaintext CSV, the flaw could have been used for mass harvesting of customer information by anyone with a Movistar login and very little technical know-how.
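The following is an added illustration of the pattern described above, not Telefonica’s code; the customer records, invoice numbers, session object and handler names are all made up for the example. The vulnerable handler checks only that the caller is logged in and then looks the invoice up by the identifier from the URL; the hardened handler scopes the lookup to the logged-in customer, so a foreign identifier behaves exactly like one that does not exist. The `harvest` helper shows what mass harvesting looks like against each.

```python
"""Vulnerable vs. hardened invoice download handler (illustrative only)."""
import csv
import io
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample records standing in for the portal's customer database.
CUSTOMERS: Dict[str, Dict[str, str]] = {
    "cust-a": {"name": "Ana", "national_id": "00000001A", "phone": "600000001", "bank": "Bank A"},
    "cust-b": {"name": "Bruno", "national_id": "00000002B", "phone": "600000002", "bank": "Bank B"},
}
INVOICES: Dict[int, Dict[str, str]] = {
    1001: {"owner": "cust-a", "period": "2018-06", "amount": "35.90"},
    1002: {"owner": "cust-b", "period": "2018-05", "amount": "42.10"},
    1003: {"owner": "cust-b", "period": "2018-06", "amount": "42.10"},
}


class LoginRequired(Exception):
    """Request arrived without a valid session."""


class NotFound(Exception):
    """Invoice does not exist or is not the caller's; deliberately indistinguishable."""


@dataclass
class Session:
    customer_id: str  # identity of the logged-in customer, set server-side at login


def invoice_to_csv(invoice_id: int) -> str:
    """Render one invoice plus its owner's details as CSV, as the portal's download did."""
    inv = INVOICES[invoice_id]
    owner = CUSTOMERS[inv["owner"]]
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["invoice", "period", "amount", "name", "national_id", "phone", "bank"])
    writer.writerow([invoice_id, inv["period"], inv["amount"],
                     owner["name"], owner["national_id"], owner["phone"], owner["bank"]])
    return buf.getvalue()


def download_invoice_vulnerable(session: Optional[Session], invoice_id: int) -> str:
    """The pattern behind the Movistar flaw: login is checked, ownership is not.

    The invoice is looked up purely by the identifier taken from the URL, so any
    logged-in customer can fetch any invoice by editing that number.
    """
    if session is None:
        raise LoginRequired()
    if invoice_id not in INVOICES:
        raise NotFound()
    return invoice_to_csv(invoice_id)


def download_invoice_hardened(session: Optional[Session], invoice_id: int) -> str:
    """Same endpoint with an object-level authorization check.

    The lookup is scoped to the session's customer. An identifier belonging to
    someone else gets the same response as a missing one, so the ID space
    cannot be probed for which invoices exist.
    """
    if session is None:
        raise LoginRequired()
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != session.customer_id:
        raise NotFound()
    return invoice_to_csv(invoice_id)


def harvest(handler: Callable[[Session, int], str], session: Session, ids: Iterable[int]) -> List[str]:
    """What mass harvesting looks like: one valid login, then walk the identifier space."""
    rows = []
    for invoice_id in ids:
        try:
            rows.append(handler(session, invoice_id))
        except NotFound:
            continue
    return rows


if __name__ == "__main__":
    attacker = Session(customer_id="cust-a")  # any ordinary customer account
    print("vulnerable:", len(harvest(download_invoice_vulnerable, attacker, range(1000, 1010))), "invoices")
    print("hardened:  ", len(harvest(download_invoice_hardened, attacker, range(1000, 1010))), "invoices")
```

Run as a script, the vulnerable handler gives the single attacker account all three invoices, including Bruno’s national ID and bank; the hardened one gives back only the attacker’s own. Note that encryption at rest would change nothing in the vulnerable path: the handler would decrypt the record for whoever asked, because the missing check is about the requester, not the storage.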

Telefonica has spoken out about the incident and has said that no fraudulent access has been detected and that it has informed the authorities of the security breach.

FACUA commented that the incident is the greatest security breach in the history of telecommunications in Spain.

The consequences of not protecting customer information

Under the EU GDPR Telefonica could face a substantial fine. Spain’s AEPD is responsible for enforcing the GDPR in Spain and can impose fines of up to €10 million or 2% of annual worldwide turnover for the lower tier of infringements, and up to €20 million or 4% for the higher tier, whichever amount is greater.

As the breach occurred after the new regulation came into force, Telefonica must comply with the GDPR’s breach-notification and accountability requirements. Encryption alone would not have changed the outcome here: the portal decrypts customer data in order to serve it to any authenticated user, and the flaw was that the application never checked which user was entitled to which invoice. Encrypting data at rest still matters, because it takes stolen database dumps and backups out of scope, but what was missing in this case was an object-level authorization check on every request for an invoice.

Instead, Telefonica faces a lengthy process that is likely to end in a substantial penalty, on top of the reputational damage that follows any breach.

As the extent of the breach is not yet known, its scope will need to be investigated before the impact can be assessed. Telefonica believes the vulnerability was not exploited and, so far, no evidence of exposure has been uncovered; confirming that means reconciling the portal’s access logs against which customer owned each invoice that was requested. Time will tell.
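How an incident responder would actually check for exploitation, as an added example that is not Telefonica’s tooling: the log format, the ownership table and the log lines below are all constructed for the illustration. The first check joins each successful invoice download against the invoice’s owner and reports every cross-account access; the second is a weaker fallback for when the ownership table is not to hand, flagging accounts that touched many distinct invoice numbers (404s included, since an enumerator walks past gaps).

```python
"""Reconcile portal access logs against invoice ownership (illustrative only)."""
import re
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed ownership table: invoice number -> customer it belongs to.
INVOICE_OWNERS: Dict[int, str] = {
    1001: "cust-a", 1002: "cust-b", 1003: "cust-b", 1004: "cust-c", 1005: "cust-c",
}

# Constructed access-log lines in a combined-log-like format, with the
# authenticated customer in the user field (third column).
SAMPLE_LOG = """\
203.0.113.7 - cust-b [16/Jul/2018:10:01:02 +0200] "GET /invoices/1002/download.csv HTTP/1.1" 200 512
203.0.113.7 - cust-b [16/Jul/2018:10:01:09 +0200] "GET /invoices/1003/download.csv HTTP/1.1" 200 530
198.51.100.9 - cust-a [16/Jul/2018:10:05:00 +0200] "GET /invoices/1001/download.csv HTTP/1.1" 200 498
198.51.100.9 - cust-a [16/Jul/2018:10:05:01 +0200] "GET /invoices/1002/download.csv HTTP/1.1" 200 512
198.51.100.9 - cust-a [16/Jul/2018:10:05:02 +0200] "GET /invoices/1003/download.csv HTTP/1.1" 200 530
198.51.100.9 - cust-a [16/Jul/2018:10:05:03 +0200] "GET /invoices/1004/download.csv HTTP/1.1" 200 501
198.51.100.9 - cust-a [16/Jul/2018:10:05:04 +0200] "GET /invoices/1005/download.csv HTTP/1.1" 200 507
198.51.100.9 - cust-a [16/Jul/2018:10:05:05 +0200] "GET /invoices/1006/download.csv HTTP/1.1" 404 0
"""

# Only the invoice download endpoint is of interest; everything else is ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) /invoices/(?P<invoice>\d+)/download\.csv[^"]*" (?P<status>\d{3}) '
)


def parse(lines: Iterable[str]) -> Iterator[Tuple[str, int, int, str]]:
    """Yield (user, invoice_id, status, ip) for each invoice download request."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m["user"], int(m["invoice"]), int(m["status"]), m["ip"]


def cross_account_downloads(lines: Iterable[str], owners: Dict[int, str]) -> Dict[str, List[int]]:
    """Successful downloads of invoices the logged-in customer does not own.

    Each hit is a confirmed unauthorized disclosure, which is what a breach
    scoping exercise has to enumerate.
    """
    hits: Dict[str, List[int]] = defaultdict(list)
    for user, invoice, status, _ip in parse(lines):
        if status == 200 and owners.get(invoice) != user:
            hits[user].append(invoice)
    return dict(hits)


def enumeration_suspects(lines: Iterable[str], min_distinct: int = 4) -> Dict[str, int]:
    """Accounts that touched at least min_distinct different invoice IDs.

    Weaker than the ownership join, but it needs only the logs and also
    catches probing that produced 404s.
    """
    seen: Dict[str, set] = defaultdict(set)
    for user, invoice, _status, _ip in parse(lines):
        seen[user].add(invoice)
    return {user: len(ids) for user, ids in seen.items() if len(ids) >= min_distinct}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("cross-account downloads:", cross_account_downloads(lines, INVOICE_OWNERS))
    print("enumeration suspects:   ", enumeration_suspects(lines))
```

On the sample lines the ownership join attributes four foreign invoices to `cust-a`, while `cust-b` downloading its own two is correctly ignored. The ownership table has to include any legitimately delegated access (an account holder and their authorised users, for instance), or those downloads will show up as false positives; and a claim that no fraudulent access occurred is only as good as the retention period of the logs this is run over.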

It goes to show that even a common software flaw that goes unnoticed, such as the one in Telefonica’s portal, can have damaging consequences when the data behind it is not protected. Anyone is at risk of a data breach, even major organisations with every resource available to them.

That said, breaches of this kind are preventable: check on the server that the requesting user owns the record being returned, and protect the data itself with access controls and encryption.