Vodafone Germany Breach Impacts Millions


German mobile phone operator Vodafone acknowledged a data security breach Thursday, announcing that an attacker gained access to a system containing the personal information of at least 2 million of its customers.

The Dusseldorf, Germany-based company said the attacker gained access to names, addresses, dates of birth, gender and account numbers of its customers, all located in Germany. The firm said investigators determined that no credit card information, passwords or connection data were exposed in the breach.

Vodafone advised its customers to be cautious of unusual phone calls and email inquiries as a result of the data breach. The company also recommended that account holders check their bank statements for irregularities.

"It is hardly possible for the offender to directly access the stolen data to the bank accounts of those affected," the company said in a translated statement, acknowledging the breach. It also warned about the potential for phishing attacks by people who could try to retrieve more information, such as passwords and credit card information.

The breach has been contained, and Vodafone said law enforcement has a suspect and continues to investigate the incident. It is also making network improvements and taking other security measures to better safeguard its data.

Security experts told CRN the incident is an example of the lengths hackers will go to in order to get their hands on any information they can, with usernames and passwords being the most valuable data. Ultimately, the data is sold to other cybercriminals on the black market who can use it for phishing attacks and social engineering tactics. The information that was taken contained valuable details for an identity thief, and could be the stepping stone required for a carefully engineered attack designed to hit customers, said Graham Cluley, an England-based security expert.

"The good news is that a suspect has been identified by the authorities, and -- if he was the person responsible -- he may not have had the opportunity to sell the information on to other criminals," Cluley told CRN. "Questions still need to be asked as to how a hacker was able to compromise Vodafone's systems and make off with the details of so many users."

PUBLISHED SEPT. 12, 2013