A Security Vulnerability Left Personal Data of 'Millions' of Telefonica Customers Exposed
On May 12, 2017, an unprecedented ransomware outbreak infected thousands of computers all around the world and wreaked havoc of unseen proportions. The infamous WannaCry strain hit both regular users and large organizations, causing substantial financial damage. Telefonica, a multi-national telecommunications provider headquartered in Spain, was among the biggest WannaCry victims. Fourteen months later, WannaCry is behind them, and they have another cybersecurity issue to worry about. It's a big one. Apparently, Telefonica inadvertently left the personal data of millions of Spanish customers exposed.
In Spain, Telefonica operates under its Movistar brand and is reportedly the country's largest mobile phone operator while also offering landline, broadband, and paid TV services. Like all good service providers, it has a website where clients can log in, activate or de-activate features and services, monitor usage, and review invoices. Somebody was apparently reviewing their invoice when they noticed a massive problem.
On Monday, Telefonica patched it, and shortly after, FACUA, a Spanish non-government organization specializing in protecting consumer rights, announced the details. While reviewing an invoice, a customer could see a short alphanumeric code in the URL, which was simply the invoice number. If you changed that code to another valid invoice number, the system displayed that invoice, regardless of whether or not it belonged to you. The site checked who you were (you had to be logged in) but never checked whether the invoice you asked for was yours. In other words, being logged in meant that you could spend hours browsing through Movistar invoices that had been issued to random people.
As you might imagine, an invoice contains plenty of personal information, including names, email and billing addresses, phone numbers, call records, national ID numbers, etc. Because of this, FACUA went as far as calling the issue "the biggest security breach in the history of Spanish telecommunications." We're not sure if this is a terribly accurate description.
The biggest security breach in the history of Spanish telecommunications or a website vulnerability?
Telefonica's people are still investigating, but for now, nobody has found any evidence of cybercrooks exploiting the vulnerability and stealing users' data. If it turns out that data has been exfiltrated, then we can indeed speak of a breach. Until then, we have an online system that had a big security hole in it. That distinction only holds if the web logs are complete enough to show which logged-in session requested which invoices; "no evidence" is worth little if the logs were never kept or have already rotated away.
Movistar's website had what is commonly called an insecure direct object reference (IDOR): the server fetched whatever invoice the identifier in the URL named, without checking that the invoice belonged to the logged-in account. The attack that exploits it is resource enumeration. In a nutshell, you take the URL of a resource (in this case, an invoice) you are allowed to see and use it to guess the URLs of resources you are not supposed to see. Invoice numbers are short and, by their nature, issued in sequence, so guessing is little more than counting. Needless to say, the attack can be automated and is relatively easy to pull off. Note that the fix is an ownership check on every lookup, not harder-to-guess identifiers: an unguessable invoice number still leaks the moment it is forwarded in an email or shows up in a browser history. We're hoping that the logs don't reveal any evidence of exploitation.
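To make the flaw concrete, here is an added illustration written for this article; it is not Movistar's code and the invoice store, account names and invoice identifiers in it are constructed for the demo. It shows a toy invoice endpoint that looks up invoices purely by the identifier in the request (the flaw as described above), the hardened version that scopes the lookup to the caller's own account, the enumeration loop an attacker would run against each, and a simple review of the resulting access log that flags sessions sweeping through invoices they do not own.

```python
"""IDOR / resource enumeration demo (added example, not Movistar's code).

INVOICES, the account names and the id format are constructed for the demo.
The vulnerable handler authenticates the caller but never authorizes the
object; the hardened handler refuses invoices the caller does not own.
"""
from collections import defaultdict

# Constructed sample data: invoice_id -> (owner account, invoice payload)
INVOICES = {
    "A1001": ("alice", {"name": "Alice", "phone": "600000001", "dni": "00000001A"}),
    "A1002": ("bob",   {"name": "Bob",   "phone": "600000002", "dni": "00000002B"}),
    "A1003": ("carol", {"name": "Carol", "phone": "600000003", "dni": "00000003C"}),
}

# Access log, one entry per request: (session_user, invoice_id, http_status)
ACCESS_LOG = []


def get_invoice_vulnerable(session_user, invoice_id):
    """Vulnerable: requires a login, then returns whatever id was asked for."""
    if session_user is None:
        ACCESS_LOG.append((None, invoice_id, 401))
        return 401, None
    record = INVOICES.get(invoice_id)
    if record is None:
        ACCESS_LOG.append((session_user, invoice_id, 404))
        return 404, None
    _owner, payload = record          # owner is looked up but never compared
    ACCESS_LOG.append((session_user, invoice_id, 200))
    return 200, payload


def get_invoice_hardened(session_user, invoice_id):
    """Hardened: the lookup is scoped to the caller's own account.

    Unknown and foreign invoices both return 404, so the endpoint does not
    even confirm which identifiers exist.
    """
    if session_user is None:
        ACCESS_LOG.append((None, invoice_id, 401))
        return 401, None
    record = INVOICES.get(invoice_id)
    if record is None or record[0] != session_user:
        ACCESS_LOG.append((session_user, invoice_id, 404))
        return 404, None
    ACCESS_LOG.append((session_user, invoice_id, 200))
    return 200, record[1]


def enumerate_invoices(handler, session_user, prefix="A", start=1000, stop=1010):
    """What an attacker's script does: walk the id space, keep the 200s."""
    leaked = {}
    for n in range(start, stop):
        invoice_id = f"{prefix}{n}"
        status, payload = handler(session_user, invoice_id)
        if status == 200:
            leaked[invoice_id] = payload
    return leaked


def suspicious_sessions(log, distinct_threshold=5):
    """Log review after the fact.

    Flags a session that requested more distinct invoice ids than a real
    customer plausibly would, or that got a 200 for someone else's invoice
    (the latter is only visible in logs written while the bug was live).
    """
    ids_per_user = defaultdict(set)
    foreign_hits = defaultdict(int)
    for user, invoice_id, status in log:
        if user is None:
            continue                       # unauthenticated noise, not enumeration
        ids_per_user[user].add(invoice_id)
        owner = INVOICES.get(invoice_id, (None,))[0]
        if status == 200 and owner != user:
            foreign_hits[user] += 1
    return {u for u in ids_per_user
            if len(ids_per_user[u]) >= distinct_threshold or foreign_hits[u] > 0}


if __name__ == "__main__":
    print("vulnerable:", sorted(enumerate_invoices(get_invoice_vulnerable, "alice")))
    print("hardened:  ", sorted(enumerate_invoices(get_invoice_hardened, "alice")))
    print("flagged:   ", suspicious_sessions(ACCESS_LOG))
```

Two things in the hardened handler are worth copying into real code: the ownership comparison sits next to the lookup rather than in a separate "is this user allowed" layer that a new endpoint can forget to call, and a foreign invoice is indistinguishable from a missing one, so the endpoint cannot be used as an oracle for which invoice numbers exist. The detection function is deliberately crude; in practice the threshold would be tuned to how many invoices a customer actually has, and the ownership check against logs requires that the log records the session owner, not just the URL.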
Wording is important, but customer data is more important
Telefonica is in trouble and rightly so. They said that they are investigating what caused the issue, but by the looks of things, it comes down to a missing authorization check: the site verified who you were but not whether the invoice you requested was yours. That is a basic design failure, and not an acceptable one when you're handling the data of tens of millions of people.
Bear in mind that Movistar operates in the European Union, which means that the GDPR applies. Under it, fines can reach 4% of a company's annual worldwide turnover, so the telecommunication giant could be facing tens of millions in fines or more. The Spanish data protection agency, the AEPD, is also looking into the matter and will probably have a few of its own things to say.
While you leave other people to worry about all this, you can do little more than stop and think about how many organizations like Telefonica you've entrusted with your data. You can also think about how many will fail you just like the Spanish telco did.