Slashdot Mirror


Insider Steals Data of 2 Million Vodafone Germany Customers

wiredmikey writes "Vodafone Germany said on Thursday that an attacker with insider knowledge had stolen the personal data of two million of its customers from a server located in Germany. 'This criminal attack appears to have been executed by an individual working inside Vodafone,' the company said in a statement provided to SecurityWeek. 'An individual has been identified by the police and their assets have been seized.' The company said the attack was discovered on September 5, but said authorities had requested that the breach remained under wraps while an investigation was conducted. The data accessed by the attacker includes customer names, addresses, gender, birth dates, bank account numbers and bank sort codes, the telecommunications giant said. Vodafone said credit card numbers, passwords, PINs, and mobile phone numbers were not exposed, and no personal call information or browsing data was accessed."

40 comments

  1. Phase 2 of Verizon's plan... by Anonymous Coward · · Score: 1

    commencing.

    1. Re:Phase 2 of Verizon's plan... by Anonymous Coward · · Score: 0

      and what is the name of the vendor that supposedly provided the work force here?

  2. So much for DLP... by Anonymous Coward · · Score: 1

    Vodafone have a group license for Symantec DLP - once again shown to be useless in the face of a determined data thief!

    1. Re: So much for DLP... by Anonymous Coward · · Score: 0

      Most data loss monitoring tools would have done a better job than DLP - with nowhere near the overhead on the systems. It's no coincidence that DLP software slows endpoints down - most of it is written by AV vendors!

    2. Re: So much for DLP... by cavtroop · · Score: 1

      DLP is not just on endpoints. There can also be appliances inspecting all outbound traffic (including SSL decryption if you want) and scanning all email, samba shares etc etc.

      Having said that, I've dealt with DLP, and it only catches the stupid ones. Anyone with a little knowledge can usually bypass DLP fairly easily.

  3. It's no big deal by Anonymous Coward · · Score: 1

    Had it been the NSA stealing the data there wouldn't have been a problem nor arrests.

    1. Re:It's no big deal by cavreader · · Score: 0

      And if Snowden was the one who stole the data you would call him a hero.

    2. Re:It's no big deal by Anonymous Coward · · Score: 0

      You don't steal data, you copy it.

  4. So browsing history is 'saved'? by Skiron · · Score: 5, Insightful

    Vodafone said credit card numbers, passwords, PINs, and mobile phone numbers were not exposed, and no personal call information or browsing data was accessed."

    So, a simple statement that shoots one in the foot. They do save what users get up to on the web.

    1. Re:So browsing history is 'saved'? by lesincompetent · · Score: 1

      They've simply mentioned it en passant, you're not supposed to notice, let alone complain about it.

    2. Re:So browsing history is 'saved'? by Em Adespoton · · Score: 1

      Please mod this up; it's important that people notice this detail.

      Also interesting to note that they appear to be playing down the fact that the information required to withdraw money directly from a bank account or set up automatic payments was compromised. It doesn't really matter if your credit card was stolen when the account that the card gets paid off from is in the hands of the attackers. They can easily apply for NEW cards with this information.

    3. Re:So browsing history is 'saved'? by V for Vendetta · · Score: 1

      [... ] or browsing data was accessed

      My guess is that they're talking about proxy servers here, which isn't too uncommon for ISPs.

    4. Re:So browsing history is 'saved'? by Anonymous Coward · · Score: 0

      They listed all sorts of stuff that wasn't accessed ... so what was accessed?

    5. Re:So browsing history is 'saved'? by NotQuiteReal · · Score: 1

      Who cares about credit card numbers? That's a problem for the credit card companies. Losing my bank account numbers and bank sort codes would affect me.

      --
      This issue is a bit more complicated than you think.

    6. Re:So browsing history is 'saved'? by aix tom · · Score: 1

      Well to actually *withdraw* money they would either need my ID card (if they try to get it out of a human teller that doesn't know me personally) or my cash card and pin number (to get it at an ATM), too.

      To set up automated payments they would either also convince a human teller that they are me, or log into an on-line banking account with the login credentials they don't have.

      To apply for new cards the same thing.

      They *could* of course pull money out of my account via direct debit, but then I would have 6 weeks to reverse the transfer.

      "names, addresses, gender, birth dates, bank account numbers and bank sort codes" is (sans the birth date and gender) basically what is printed in most business letterheads anyway.

    7. Re:So browsing history is 'saved'? by Em Adespoton · · Score: 1

      If they've got your name, address, bank account number and sort code, they can write a check or automated payment in your name. They MAY need your mother's maiden name as well as your DOB as verification, so you may be protected via them not having the maiden name. But that's not too difficult to find when armed with the rest of that info.

      I've never seen bank account and sort code printed in business letterhead; that move seems awfully risky. There's a reason banks recommend you not put your full name and address on your checks anymore; it's because all that information tied together is an excellent start point for identity theft.

    8. Re:So browsing history is 'saved'? by Anonymous Coward · · Score: 0

      They *could* of course pull money out of my account via direct debit, but then I would have 6 weeks to reverse the transfer.

      Up to 13 months if they can't provide an authorization from you to withdraw the money.

      But until you notice they can buy lots of stuff from Amazon with your account information.

    9. Re:So browsing history is 'saved'? by WoOS · · Score: 1

      they can write a check or automated payment in your name.

      No cheques anymore in Germany (and the rest of Europe) for decades. We use bank transfers for which you either need login credentials for the internet access to the account or a somewhat similar looking signature for a written transfer form. And a scapegoat whose account you can use as the target account. So the GP is right. Not enough information to withdraw money or transfer it. Maybe the US is a bit behind in this ;-)

    10. Re:So browsing history is 'saved'? by qaz123 · · Score: 1

      It's impossible in Europe to withdraw money from your account only knowing "name, address, bank account number and sort code".

  5. The data was "stolen" by fustakrakich · · Score: 1

    The new euphemism for handed over by "request".

    --
    “He’s not deformed, he’s just drunk!”

  6. Wow by return 42 · · Score: 1

    Somebody grabbed tons of personal data and it wasn't the NSA? Stop the presses!

    1. Re:Wow by Skapare · · Score: 1

      Who said it wasn't the NSA? Do you believe what you read on Slashdot?

      --
      now we need to go OSS in diesel cars

  7. Who's complaining? by Skiron · · Score: 1

    I don't use Vodafone - Morse code for me.

  8. Stolen? by Anonymous Coward · · Score: 0

    Stolen? Or copied?

  9. And yet again ... by Skapare · · Score: 2

    ... most businesses will accept this information as if it came from the original person, without really checking who it is coming from. And thus identity theft works ... not because the identity is taken, but because these businesses assume identity equals authorization.

    --
    now we need to go OSS in diesel cars

    1. Re:And yet again ... by Anonymous Coward · · Score: 0

      ... most businesses will accept this information as if it came from the original person, without really checking who it is coming from. And thus identity theft works ... not because the identity is taken, but because these businesses assume identity equals authorization.

      Not so much in Europe.

  10. Re:'An individual ... their" by Skiron · · Score: 1

    Learn to write American or don't write at all.

    Uh Umm. It's called ENGLISH. Bastardised German is as bad as English (US).

  11. Best thing by rainer_d · · Score: 1

    They have an online form where you can check if your data was in the compromised lot. It requires you to enter your bank details...

    That's so ..... fishy

    --
    Windows 2000 - from the guys who brought us edlin

  12. Actually quite a feat by gweihir · · Score: 2

    From what I hear from an insider, with the near-catastrophic state that Vodafone IT is in, getting this much data out is quite a feat.

    That may also be how they caught him: Even more catastrophically bad response times ;-)

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

    1. Re: Actually quite a feat by Anonymous Coward · · Score: 0

      I've heard similar stuff - their security implementation programmes are nearly a year behind schedule, mainly down to someone thinking it would be a good idea to hire CLAS consultants to implement everything. Like THAT'S going to get done in a timely fashion!

    2. Re:Actually quite a feat by Anonymous Coward · · Score: 0

      As far as I know, customer data is still transported between various internal systems with USB drives. There are disparate, somewhat incompatible systems that are cobbled together in various ways. I'm not surprised at all that some subset of the customer data is easy to access/export.

    3. Re:Actually quite a feat by gweihir · · Score: 1

      Hehehe, that would explain it. My source did not have that information.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

  13. Re:'An individual ... their" by Anonymous Coward · · Score: 0

    "Their" is a possessive pronoun that is gender neutral. Since we don't know if the arrested individual was male or female using "their" is grammatically correct.

  14. Re:'An individual ... their" by Anonymous Coward · · Score: 0

    They're right in using their right there. But the thief is known (male), so his should have been used ... there.

  15. Misleading headline by Hentes · · Score: 1

    Insider Steals Data of 2 Million Vodafone Germany Customers

    Walking out with that many people without getting noticed would've been quite a feat.