SPANISH OPERATOR Telefonica has suffered a security breach that exposed the personal data of millions of customers.
The breach allowed anyone to access the billing data of other customers, according to a report at El Espanol, which noted that the incident is similar to a serious failure that hit Spain's system in July 2017 that left personal data accessible to intruders without a high level of technical skill.
To access the data of other customers, users only had to be logged into the system, access their invoice and make a small change in the URL, according to the report.
From here, anyone could access the personal data of "millions" of Telefonica customers, including landline and mobile numbers, national ID numbers, addresses, banks, names, billing history and records of calls and other data. All of these data could be downloaded in CSV format files.
"Although this involved accessing random data, it would have been possible to design a program that would collect information in large quantities from the operator's systems and then analyze it," El Espanol notes.
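The flaw described above, where any logged-in user could reach other customers' invoices by changing the URL, is a missing object-level authorization check. The following is an added example, not Telefonica's code, contrasting a lookup that trusts the requested identifier with one that ties it to the session's owner and records denied requests for review. It assumes the changed URL value is an invoice identifier; the function names, data and alert threshold are constructed.

```python
from collections import defaultdict

# Constructed sample data: invoice id -> owning customer and CSV payload.
INVOICES = {
    1001: {"owner": "cust-A", "csv": "period,amount\n2018-06,31.50\n"},
    1002: {"owner": "cust-B", "csv": "period,amount\n2018-06,48.10\n"},
    1003: {"owner": "cust-C", "csv": "period,amount\n2018-06,19.99\n"},
}

# Foreign invoice ids each session asked for; feeds the review list below.
DENIED = defaultdict(set)
ALERT_THRESHOLD = 2  # assumed value: distinct foreign ids before flagging


def get_invoice_vulnerable(session_customer, invoice_id):
    """Flawed pattern: being logged in is the only condition checked."""
    if session_customer is None:
        return 401, None
    invoice = INVOICES.get(invoice_id)
    return (200, invoice["csv"]) if invoice else (404, None)


def get_invoice_checked(session_customer, invoice_id):
    """Hardened pattern: the invoice must belong to the session's customer."""
    if session_customer is None:
        return 401, None
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != session_customer:
        if invoice is not None:
            # Real invoice, wrong owner: keep a record for detection.
            DENIED[session_customer].add(invoice_id)
        # Same 404 for "missing" and "not yours", so valid ids are not revealed.
        return 404, None
    return 200, invoice["csv"]


def sessions_to_review():
    """Customers whose sessions requested several invoices they do not own."""
    return sorted(c for c, ids in DENIED.items() if len(ids) >= ALERT_THRESHOLD)
```

Recording denied cross-customer requests is what lets an operator say whether anyone used such a flaw, rather than only that no fraudulent access was noticed.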
The breach came to light after a Movistar customer reported the screw-up to Spanish consumer rights group FACUA, which has since filed a complaint with the Spanish Agency for Data Protection (AEPD) and is calling the incident the "greatest security breach in the history of telecommunications in Spain."
Spain's AEPD is responsible for enforcing the EU's newly-introduced GDPR rules, under which Telefonica could face a fine between €10m and €20m, or 2 to 4 per cent of its annual turnover. However, Spain's data protection law limits these fines to between €300,000 and €600,000.
FACUA has slammed the reduced fines as "absolutely ridiculous" and is calling on the Spanish government to update the regulation.
Telefonica told El Espanol that "no fraudulent access has been detected," adding that it's made "all the competent authorities" aware of the breach.