Security experts are warning Vodafone customers, particularly those in Germany, of a possible increase in phishing attacks after an insider at the telecommunications giant accessed a database and stole personal information on as many as two million customers.
German police have a suspect, Vodafone Germany said, adding that customer names, addresses, birth dates and bank account numbers, among other types of personal data, were accessed. The company said customer credit card numbers, passwords, PINs and mobile phone numbers were not stolen.
“This attack could only be carried out with high criminal intent and insider knowledge and was launched deep inside the IT infrastructure of the company,” Vodafone told the BBC.
Vodafone delayed disclosing the breach in order to give authorities time to investigate, it said. A German news agency said the suspect was not a Vodafone employee, but a contractor. The company added that it is in the process of informing customers of the breach and what its implications may be.
Authorities have not been clear on how long the contractor had access to the database and whether any customer data had been sold or used as of yet. Given the nature of what was taken, it’s likely the data would have some underground value to a spammer or cybercrime gang. Many scams begin with phishing emails that use convincing messaging purportedly from a trusted source to scam users out of passwords, credit card numbers and other sensitive data beyond personal contact information.
Vodafone said in a statement that it had changed administrators’ passwords and any digital certificates issued on their machines. The compromised server, meanwhile, has been wiped, the company said.
“Vodafone advises its customers to take extra care when possible [with] possible telephone or email inquiries in which they are asked to hand over personal information such as passwords or credit card information,” the company said in a statement, adding that Vodafone would not make such requests of its customers.
In this case, it appears only Vodafone Germany customers are at risk. Spam and phishing lists can be divided and sold regionally, by company or even by organization, experts say, facilitating targeted attacks for cybercrime and even nation-state sponsored attacks.
“Most organizational management and security teams understand what spear phishing is. The problem is they do not know how, or do not have the time and resources, to teach people what phishing is and how to detect or defend against it,” said Lance Spitzner, a SANS Institute instructor and proponent of awareness training. “Spear phishing works because people have not been trained on how to detect such attacks. Even if they do fall victim, if people can figure out after the fact they did something wrong and then report it right away, this is still a win.”