• The website glitch exposed the online invoices of customers issued since August 2017.
  • The exposed customer invoices were easily downloadable as an unencrypted spreadsheet.

Spanish telecom giant Telefonica suffered a major security breach this week exposing the complete personal data of millions of customers. A customer of the firm's Movistar landline, broadband and pay television service reported the issue to Spanish consumer rights group FACUA.

The issue lied in Movistar's online customer portal wherein the page for viewing Movistar invoices actually embedded the invoice alpha-numerical ID within the online account URL, Bleeping Computer reports. Anyone with a Movistar account could then easily modify this ID to access the online invoices of any customer issued since August 2017 which included their account and billing data.

The information potentially exposed to hackers include customers' full names, landline and mobile numbers, national ID numbers, addresses, banks, records of calls and other data were exposed, El Espanol reported. The exposed Telefonica customer invoices were easily downloadable as an unecrypted spreadsheet.

FACUA has notified Telefonica of the issue that has since been addressed on Monday. Movistar is currently notifying customers of the breach.

GDPR fines

FACUA has filed a complaint with the Spanish Agency for Data Protection (AEPD) against Telefonica Spain and Telefonica Mobile over the incident, dubbing it the "greatest security breach in the history of telecommunications in Spain."

Spain's AEPD is in charge of enforcing EU's newly instated GDPR rules. Under the new strict data privacy regulation, Telefonica could have faced a hefty fine between €10 million and €20 million or the equivalent of 2% to 4% of its annual turnover - whichever is higher. However, Spain's data protection law limits these fines to between €300,000 and €600,000.

FACUA has slammed the reduced fines as "absolutely ridiculous" and is calling on the Spanish government to update the regulation arguing they are not proportional to the seriousness and severity of breaches and the number of people they affect.

Cyware Publisher