Vodafone has confirmed that there has been a security breach within its servers, resulting in approximately two million customers having their personal and bank details exposed.
The carrier has said that the breach is restricted to its Vodafone Germany subsidiary, and customers outside of Germany have not been affected.
Credit card, mobile phone and PIN numbers were reportedly not accessed by the perpetrator, and the company has already identified the person it believes to be behind the attack, who would appear to be an insider within the company.
Vodafone had held back on contacting its customers about the attack after advice from the police, and is now beginning to contact the customers who have been affected.
Vodafone Germany response to security incident
Vodafone Germany announces that it has recently been subject to a highly sophisticated and illegal intrusion into one of its servers in Germany, which has resulted in the theft of a limited amount of German customer data. This criminal attack appears to have been executed by an individual working inside Vodafone. An individual has been identified by the police and their assets have been seized.
Vodafone has contacted all individuals affected and is providing all support necessary to minimise the risk of identity theft. The incident only affects those individuals who have been contacted by Vodafone Germany. No other Vodafone market is affected.
The criminals responsible have gained access to the names, addresses, birth date, gender, bank sort code and bank account numbers of approximately 2 million applications from individuals seeking to sign up with Vodafone Germany. Importantly, the criminals have not gained access to any credit card details, mobile phone numbers, passwords or PIN numbers. They have also not gained access to any personal call information or browsing data.
We have instructed independent security experts to advise on the potential implications for the individuals affected so we can offer them advice and take the best action to help them. In the absence of passwords, PINs or credit card details it is very unlikely that criminals would gain direct access to an individual’s bank account. However, there is a heightened risk that the criminals may request a fake direct debit application which would be immediately visible to the account holder and which could be immediately blocked or reversed under well-established banking protection measures.
There is also a heightened risk that customers could be the victim of a ‘phishing’ attack under which criminals use personal information in a fake email to trick people into supplying further information online such as passwords or credit card numbers.
We recommend that customers remain vigilant when asked for their personal information from an unknown party, be wary of any emails, calls or texts which warn of account problems, and ensure they regularly check for unauthorised direct debits from their bank account. We have also made arrangements for individuals to use an independent fraud protection service at no cost to them.
As soon as we discovered the incident we took all necessary steps to stop the attack, minimise any adverse impact for our customers and notify all relevant German authorities. We were immediately told by the authorities that we must not disclose any details publicly to avoid compromising the active law enforcement investigation. As the first phase of that investigation has now concluded, we are now contacting all those individuals affected in cooperation with the authorities.
We are sending our sincere apologies to everyone affected for any disruption caused. The privacy of our customers and security of their data is our highest priority: Vodafone Germany has world-class security systems which are constantly updated and upgraded to block new emerging threats. However, this attack was highly complex and conducted with inside knowledge of our most secure internal systems.
Concerned customers should visit: Vodafone.de/kundeninformation