A cybersecurity firm confirmed the data leak of 20 million Vodafone Idea users, including its customers’ sensitive information, call records, and other personal data. CyberX9 shared its findings on Twitter, informing users about the leak, causing havoc among Vodafone Idea users who questioned the credibility and security of the telecom operator.
According to the security firm, personal data of Vodafone Idea (Vi) users, including data records for 20.6 million postpaid users, was leaked on the internet. The data was exposed for almost two years — making the leak more detrimental as several hacker groups could have downloaded the data that can be used to target Vi customers.
Vulnerabilities found in Vodafone Idea
⚠️New — CyberX9 research team found Vodafone Idea exposed sensitive and confidential call records and other personal data of ~301 million (30.1 crore) customers including all postpaid customers for the last ~2 yrs to the whole internet.
— CyberX9 (@CYBERxNINE) August 28, 2022
According to the security firm’s report, Vodafone Idea had multiple vulnerabilities in its system, which lead to data leak of around 20 million postpaid customers. The data revealed Vi users’ call records, duration of calls, the location from which the calls were initiated, and customers’ full names, addresses, and SMS details exchanged between the contacts.
The security firm founder and Managing Director, Himanshu Pathak, shared the vulnerability report with Vodafone Idea, and the telecom company acknowledged the report’s findings on August 24, 2022. Speaking to PTI, Pathak said, “Vi confirmed the receipt of our report. Vodafone Idea acknowledged the vulnerabilities discovered and reported by us on August 24, 2022.
Vodafone Idea denies data breach
However, Vodafone Idea denied any of the allegations reported by CyberX9.
Addressing the data breach allegations, Vodafone Idea said, “There is no data breach as alleged in the report. The report is false and malicious. Vi has a robust IT security framework to keep our customer data safe.
We regularly conduct checks and audits to strengthen our security framework further. We learned about a potential vulnerability in billing communication. This was immediately fixed, and a thorough forensic analysis was conducted to ascertain no data breach,” it said.
The telecom provider assured that all the users’ data was safe and secure as it had stopped any potential harm the billing vulnerability would have caused. The security company, however, stands on its claims that Vodafone Idea was exposing the data of millions of its customers, including information about their contacts and call records, which could have led to a bigger cyber-attack in the future.
Furthermore, the CyberX9 report stated several other factors and similar cases where government authorities fined companies. It exposed customers’ data, leading to penalties for improper, insufficient, and unorganized technical measures and loosely built cyber security practices. In the later half of the report, the security firm added an example of British Airways and Marriott, wherein the two companies received a fine of over $99,000,000 for GDPR violations.