
Telefónica Movistar Site Exposed Customer Billing Details

Consumer Group Says Basic Error Put Millions at Risk

A Spanish consumer rights organization says telecommunications company Telefónica has fixed an elementary security error in its Movistar website that potentially exposed billing invoices for millions of customers.


The consumer organization, Facua, called the exposure the "biggest security breach in the history of telecommunications in Spain." The organization reported the flaw to Telefónica on Sunday, and it was fixed by Monday morning, Facua says.

The flaw was within Telefónica's Movistar website and allowed someone viewing an account invoice to increment the invoice number and view someone else's bill.

The data exposed includes names, addresses, email addresses, fixed and mobile numbers and call records, Facua says.

No Fraudulent Use

Efforts to reach Telefónica officials were not immediately successful on Tuesday. But customers did begin asking questions about the incident via Twitter, to which Telefónica responded.

"We were notified of a vulnerability that was corrected immediately last night," according to a translation of a tweet from Movistar's Twitter account. "Until now, we have not detected any fraudulent access to customer information."

The type of vulnerability is known as insecure direct object reference, says Troy Hunt, an Australian security expert and creator of the Have I Been Pwned data breach notification service. "It's very well-known, very easily tested for and very easily exploited."

In 2013, the type of vulnerability ranked number four on the 10 most common web application vulnerabilities published by the Open Web Application Security Project (OWASP). Last year, OWASP revamped its top 10 and wrapped insecure direct object reference vulnerabilities into a catch-all category of broken access controls.

Insecure direct object reference flaws allow "attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks," OWASP says.
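The flaw class OWASP describes, shown as an added example that is not code from Telefónica or from this article: a hypothetical invoice lookup without and with an ownership check, plus a simple check over access records for sessions denied on many different invoice numbers. All names, invoice numbers and records are constructed for illustration.

```python
import secrets
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested object."""

@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    owner: str   # account the bill belongs to
    body: str

# Constructed sample data: two customers with consecutive invoice numbers.
INVOICES = {
    "1001": Invoice("1001", "alice", "alice: address and call records"),
    "1002": Invoice("1002", "bob", "bob: address and call records"),
}

def get_invoice_vulnerable(session_user: str, invoice_id: str) -> Invoice:
    # IDOR: the caller is logged in, but the lookup trusts the
    # client-supplied id and never compares the owner to the session.
    return INVOICES[invoice_id]

def get_invoice_checked(session_user: str, invoice_id: str) -> Invoice:
    invoice = INVOICES.get(invoice_id)
    # Same error for "missing" and "not yours", so responses do not
    # reveal which invoice numbers exist.
    if invoice is None or invoice.owner != session_user:
        raise Forbidden("invoice not available for this account")
    return invoice

def new_invoice_id() -> str:
    # Defence in depth only: an unguessable id makes enumeration harder,
    # but the ownership check above is what enforces authorization.
    return secrets.token_urlsafe(16)

def enumeration_suspects(access_log, threshold=3):
    """Flag sessions that were denied on many distinct invoice ids."""
    denied = {}
    for user, invoice_id, allowed in access_log:
        if not allowed:
            denied.setdefault(user, set()).add(invoice_id)
    return sorted(u for u, ids in denied.items() if len(ids) >= threshold)
```
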

Biggest GDPR Notification So Far?

Facua says it filed a complaint on Monday with Spain's data protection authority, the Agencia Española de Protección de Datos.

Telefónica's incident comes about two months after the European Union's General Data Protection Regulation went into effect. Organizations that have a breach or exposed data are required to notify regulators and those affected within 72 hours.

Those found in breach of GDPR's rules could face fines of up to 4 percent of their annual revenue or €20 million ($23 million), whichever is greater. Data protection authorities in member states enforce the regulations.

Facua contends, however, that Spanish law limits the fines that can be levied by the country's data protection authority to between €300,000 and €600,000. Facua calls the limits "absolutely ridiculous."

The fines "are not proportional to the seriousness of the irregularities and the number of people affected, which can amount to tens of millions of users," Facua contends.

About the Author

Jeremy Kirk


Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
