Forgot your password?
typodupeerror
Businesses Communications Privacy Your Rights Online

Insider Steals Data of 2 Million Vodafone Germany Customers 40

Posted by timothy
from the your-information-is-very-important-to-us-please-hold dept.
wiredmikey writes "Vodafone Germany said on Thursday that an attacker with insider knowledge had stolen the personal data of two million of its customers from a server located in Germany. 'This criminal attack appears to have been executed by an individual working inside Vodafone,' the company said in a statement provided to SecurityWeek. 'An individual has been identified by the police and their assets have been seized.' The company said the attack was discovered on September 5, but said authorities had requested that the breach remained under wraps while an investigation was conducted. The data accessed by the attacker includes customer names, addresses, gender, birth dates, bank account numbers and bank sort codes, the telecommunications giant said. Vodafone said credit card numbers, passwords, PINs, and mobile phone numbers were not exposed, and no personal call information or browsing data was accessed."
This discussion has been archived. No new comments can be posted.

Insider Steals Data of 2 Million Vodafone Germany Customers

Comments Filter:
  • by Anonymous Coward

    commencing.

  • by Anonymous Coward

    Vodafone have a group license for Symantec DLP - once again shown to be useless in the face of a determined data thief!

  • by Anonymous Coward

    Had it been the NSA stealing the data there wouldn't have been a problem nor arrests.

  • by Skiron (735617) on Thursday September 12, 2013 @11:44AM (#44830915) Homepage
    Vodafone said credit card numbers, passwords, PINs, and mobile phone numbers were not exposed, and no personal call information or browsing data was accessed."

    So, a simple statement that shoots one in the foot. They do save what users get up to on the web.
    • They've simply mentioned it en passant, you're not supposed to notice, let alone complain about it.
    • Please mod this up; it's important that people notice this detail.

      Also interesting to note that they appear to be playing down the fact that the information required to withdraw money directly from a bank account or set up automatic payments was compromised. It doesn't really matter if your credit card was stolen when the account that the card gets paid off from is in the hands of the attackers. They can easily apply for NEW cards with this information.

      • by aix tom (902140)

        Well to actually *withdraw* money they would either need my ID card (if they try to get it out of a human teller that doesn't know me personally) or my cash card and pin number (to get it at an ATM), too.

        To set up automated payments they would either also convince a human teller that they are me, or log into an on-line banking account with the login credentials the don't have.

        To apply for new cards the same thing.

        They *could* of course pull money out of my account via direct debit, but then I would have 6 w

        • If they've got your name, address, bank account number and sort code, they can write a check or automated payment in your name. They MAY need your mother's maiden name as well as your DOB as verification, so you may be protected via them not having the maiden name. But that's not too difficult to find when armed with the rest of that info.

          I've never seen bank account and sort code printed in business letterhead; that move seems awfully risky. There's a reason banks recommend you not put your full name an

          • by WoOS (28173)

            they can write a check or automated payment in your name.

            No cheques anymore in Germany (and the rest of Europe) for decades. We use bank transfers for which you either need login credetials for the internet access to the account or a somewhat similar looking signature for a written transfer form. And a scapegoat whose account you can use as the target account. So the GP is right. Not enough information to withdraw money or transfer it. Maybe the US is a bit behind in this ;-)

          • by qaz123 (2841887)
            It's impossible in Europe to withdraw money from your account only knowing "name, address, bank account number and sort code".
    • [... ] or browsing data was accessed

      My guess is that they're talking about proxy servers here, which isn't too uncommon for ISPs.

    • Who cares about credit card numbers? That's a problem for the credit card companies. Losing my bank account numbers and bank sort codes would effect me.
  • The new euphemism for handed over by "request".

  • by return 42 (459012)

    Somebody grabbed tons of personal data and it wasn't the NSA? Stop the presses!

  • by Skapare (16644) on Thursday September 12, 2013 @12:10PM (#44831215) Homepage

    ... most businesses will accept this information as if it came from the original person, without really checking who it is coming from. And thus identity theft works ... not because the identity is taken, but because these businesses assume identity equals authorization.

  • They have an online form where you can check if your data was in the compromised lot. It requires to enter your bank- details...

    That's so ..... fishy

  • by gweihir (88907) on Thursday September 12, 2013 @12:53PM (#44831751)

    From what I hear from an insider, with the near-catastrophic state that Vodafone IT is in, getting this much data out is quite a feat.

    That may also be how the caught him: Even more catastrophically bad response times ;-)

  • Insider Steals Data of 2 Million Vodafone Germany Customers

    Walking out with that many people without getting noticed would've been quite a feat.

"Consistency requires you to be as ignorant today as you were a year ago." -- Bernard Berenson

Working...