Status: 30.09.2023, 19:38
By: Michelle Mantey
Investigative team finds data leak at Vodafone. Personal files have been inadequately protected. Some of this information can be viewed unencrypted.
Essen – In order to conclude a mobile phone contract, contract providers often require personal data such as bank details, an identity card with name, address and date of birth. If this data falls into the wrong hands, strangers could conclude contracts, make purchases or even open bank accounts. Again and again it happens that personal information ends up in the hands of fraudsters due to data leaks at various companies.
A massive data leak at Vodafone has now been uncovered by the investigative journalists from Correctiv: passwords, customer numbers and copies of identity cards and credit cards are said to be accessible. This is information from the mobile phone provider's internal system, yet it is said to be accessible unencrypted. Free access to this data is said to be available not only to the Group's employees, but also to partner agencies and specialist dealers.
Investigative team uncovers data leak at Vodafone. ID cards, credit cards and passwords can be viewed. (Symbolic image) © Michael Gstettenbauer/IMAGO
This sensitive data may be affected by the data leak at Vodafone
During their research, the investigative journalists found that personal data can be viewed by querying the Vodafone system, without any two-factor authentication. Frequently, the customers' passwords were also visible. Outside Vodafone's internal core system, the following data was discovered in unencrypted folders:
- Copies of identity cards (front and back)
- Copies of bank cards (front and back)
- Contract details
- Account numbers and bank details
- Individual mobile phone identifier (IMEI data)
- Addresses
- Birthdays
- Telephone numbers
But how does this data leak come about? To increase the number of contracts concluded and sales figures, contracts are sold not only by Vodafone employees but also by agencies and specialist dealers. For this, they receive a commission from Vodafone, as well as advertising subsidies. To simplify the conclusion of contracts for the Vodafone partners, the dealers and agencies are said to also have access to the mobile phone company's data, according to the investigative team.
If customers have concluded a contract there, the Vodafone partners are supposed to forward the customer data to the group. There, the data is then encrypted and sent to the partner agencies and dealers. But the data leak is said to have come about due to the way data is stored at Vodafone's partners: some files are stored on USB sticks, in Google cloud systems or insecurely on site. After the data has been transmitted to Vodafone, a lot of customer data is not deleted, according to a report by Correctiv.
What can customers do if they are affected by the Vodafone data leak?
As recently as June 2023 there was a hacker attack, according to a report by the online platform Chip. Data such as e-mail addresses and passwords of some Vodafone customers were copied. The affected persons have already been informed by Vodafone about the cyber attack.
To determine whether customers are affected by a data breach, they should consider the following:
- Check account activity regularly
- Keep an eye on credit card payments
- Renew passwords regularly (at least 8 characters, with uppercase and lowercase letters, numbers, and special characters)
- Request credit bureau information and, if necessary, report incorrect entries
- Be careful when revealing your own data. Only provide data that is necessary for the conclusion of a contract
Source: Consumer Protection Centre
Vodafone had already parted ways with some partners in 2021 due to the data leak
If misuse of data is detected, a criminal complaint can be filed with the police. Vodafone is also aware of the data protection leak from 2021, and the group has already filed criminal charges against some agencies and dealers and ended its cooperation with 63 of these partners. However, according to Correctiv, this leak still exists.
Although the Group has established a secure TAN procedure for data security, it can be switched off in individual cases. Two-factor authentication can often be circumvented by employees. According to the Federal Commissioner for Data Protection and Freedom of Information (BfDI), there is already an ongoing procedure. Further details are not yet known.