Telefonica Security Hole Reveals Personal Data About Mobile Customers
What could this mean for Telefonica?
Telefonica, the huge global communications company that owns O2 in the UK, is the latest to admit that it’s been harbouring a security problem on a Spanish website.
The problem appears to have affected customers of its mobile phone brand, Movistar. But fortunately for Telefonica, it looks like Spanish data protection law will protect it from the full force of the GDPR’s fines for sloppy data security.
Customer Names, Call Lists, and More
A Movistar customer found the security hole when viewing their account details. They realised that they could easily access other customers’ account details by changing the invoice number.
In theory, millions of accounts could have been exposed by this rather simple security hole in the invoicing system.
FACUA, a Spanish consumer organisation, reported the Movistar security hole to Telefonica on 15th July, and to the Spanish Agency for Data Protection (AEPD) the following day. Movistar’s website was reportedly altered on Monday morning to restrict access to invoice data.
Security problems like this are not difficult to exploit, and can be a honeypot for hackers. The issue is that the URL points directly to the information about a person; there’s no security check in place.
If the system were properly designed, there would be an additional layer of security to check that the person requesting the details had the right permissions.
This is eerily similar to the flaw in Thomas Cook’s booking system, where a change to the URL revealed the details of passengers on flights.
In theory, the Movistar security glitch could be exploited by a brute force script to reveal thousands of records at once. This would have generated a rather juicy (and valuable) list of names, ID numbers, addresses, landline and mobile numbers, and call lists.
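To make the missing check concrete, here is an added example (not Movistar's or Telefonica's code) with constructed sample data: an invoice lookup keyed only on the number in the URL, the hardened version that enforces ownership, and a simple detector for the kind of one-session enumeration the brute-force scenario above describes.

```python
# Added example, not the operator's code. Data, IDs and log lines are constructed.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    customer_id: int
    name: str
    call_list: tuple

# Constructed stand-in for the invoicing database.
INVOICES = {
    1001: Invoice(1001, 1, "Customer A", ("600000001",)),
    1002: Invoice(1002, 2, "Customer B", ("600000002", "600000003")),
    1003: Invoice(1003, 3, "Customer C", ()),
}

def get_invoice_vulnerable(session_customer_id, invoice_id):
    """The flaw: the record is fetched by the number in the URL alone; the
    logged-in customer is never compared against the record's owner."""
    return INVOICES.get(invoice_id)

def get_invoice_hardened(session_customer_id, invoice_id):
    """The fix: resolve the record, then enforce ownership. Return the same
    'not found' result for another customer's invoice so the response does
    not confirm that a given invoice number exists."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.customer_id != session_customer_id:
        return None
    return inv

# Constructed access log: (session_customer_id, invoice_id requested).
ACCESS_LOG = [
    (1, 1001), (1, 1002), (1, 1003), (1, 1004), (1, 1005),
    (2, 1002),
]

def flag_enumeration(log, threshold=3):
    """Detection: one session requesting many distinct invoice numbers is
    the signature of the sequential enumeration the article warns about."""
    seen = defaultdict(set)
    for customer_id, invoice_id in log:
        seen[customer_id].add(invoice_id)
    return sorted(c for c, ids in seen.items() if len(ids) >= threshold)
```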
But even if that never happened, it’s alarming that security analysts say that customer information was not encrypted. Like Thomas Cook, Telefonica claims that hackers never took advantage of the flaw. But it could have been very different.
The Limitations of GDPR
Thomas Cook appear to have decided that their security breach was no big deal.
In the case of Telefonica and Movistar, it looks like they will notify customers, but Spanish law may protect them from the worst effects.
Spain has its own data protection limits that curb the fines companies receive. Under the GDPR, a company could be fined up to 4% of their annual turnover, or €20 million. (Telefonica turned over €779 million in 2017.)
However, under Spanish law, businesses can only be fined €600,000 for this kind of breach. And that’s just the “most serious” cases.
FACUA says that the security hole is the “biggest in the history of telecommunications in Spain”, and that the Spanish limit on fines is “ridiculous”. Even if Telefonica dodges an expensive fine, we’d still hope that it ploughs more money into testing to prevent this happening again.