EXECUTIVE SUMMARY:

Telefonica has reported that a security breach has potentially exposed the data of millions of its customers. Although based in Spain, Telefonica offers services in more than 20 countries. Victims of the breach appear to be Spanish customers of Telefonica’s Movistar landline, broadband, and pay television service.

The Inquirer reports that the incident has been described as “the greatest breach in the history of telecommunications in Spain.” To access any customer's data, all that was needed was a small change to the URL of a customer who was already logged in to view their own invoice. Essentially, anyone with a Movistar account could have accessed another customer’s data. The breach was discovered by a Movistar user, who reported it to FACUA, a Spanish consumer-rights non-profit.
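
The behaviour described above, a logged-in customer reaching another customer's invoice by editing the URL, is what a missing per-record ownership check looks like. The following is an added example, not Telefonica's code: the invoice IDs, account names and function names are all hypothetical, and it places a lookup that trusts the ID from the URL beside one that scopes the lookup to the session's account.

```python
"""Added illustration: invoice lookup with and without an ownership check.
All names, IDs and records here are constructed for the example."""
from dataclasses import dataclass


class NotFound(Exception):
    """Raised for missing invoices and for invoices owned by someone else."""


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    account_id: str  # owner of the invoice
    body: str


# Constructed sample data standing in for the billing database.
INVOICES = {
    "1001": Invoice("1001", "acct-alice", "Alice: line rental"),
    "1002": Invoice("1002", "acct-bob", "Bob: broadband + TV"),
}


def get_invoice_unchecked(session_account: str, invoice_id: str) -> Invoice:
    """Weak form: being logged in is the only requirement, so the ID taken
    from the URL decides whose data is returned."""
    if not session_account:
        raise PermissionError("login required")
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id) from None


def get_invoice_scoped(session_account: str, invoice_id: str) -> Invoice:
    """Hardened form: the record must belong to the session's account.
    A foreign invoice gets the same error as a missing one, so responses
    do not reveal which IDs exist."""
    if not session_account:
        raise PermissionError("login required")
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.account_id != session_account:
        raise NotFound(invoice_id)
    return invoice


def can_read(fetch, session_account: str, invoice_id: str) -> bool:
    """Helper for authorization checks: True if fetch() returns the invoice."""
    try:
        fetch(session_account, invoice_id)
        return True
    except (NotFound, PermissionError):
        return False
```

A check like `can_read` over every (account, invoice) pair makes a useful regression test: the scoped lookup should succeed only where the account owns the record.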

According to Infosecurity, the data exposed in the breach included customers’ fixed-line and mobile numbers, their full names, national ID numbers, home addresses, banks, and call and data records. Infosecurity also notes that end-to-end encryption could have been utilized to prevent this issue entirely.

Telefonica says that they have fixed the issue.

New GDPR laws mean that Telefonica may face a fine of between 2 percent and 4 percent of its annual turnover, or between 10 and 20 million euros.

Get the full story at Bleeping Computer.