Insider Steals Data of 2 Million Vodafone Germany Customers

wiredmikey writes "Vodafone Germany said on Thursday that an attacker with insider knowledge had stolen the personal data of two million of its customers from a server located in Germany. 'This criminal attack appears to have been executed by an individual working inside Vodafone,' the company said in a statement provided to SecurityWeek. 'An individual has been identified by the police and their assets have been seized.' The company said the attack was discovered on September 5, but said authorities had requested that the breach remained under wraps while an investigation was conducted. The data accessed by the attacker includes customer names, addresses, gender, birth dates, bank account numbers and bank sort codes, the telecommunications giant said. Vodafone said credit card numbers, passwords, PINs, and mobile phone numbers were not exposed, and no personal call information or browsing data was accessed."

So browsing history is 'saved'?

[Skiron]

Vodafone said credit card numbers, passwords, PINs, and mobile phone numbers were not exposed, and no personal call information or browsing data was accessed."

So, a simple statement that shoots one in the foot. They do save what users get up to on the web.

And yet again ...

[Skapare]

... most businesses will accept this information as if it came from the original person, without really checking who it is coming from. And thus identity theft works ... not because the identity is taken, but because these businesses assume identity equals authorization.

Actually quite a feat

[gweihir]

From what I hear from an insider, with the near-catastrophic state that Vodafone IT is in, getting this much data out is quite a feat.

That may also be how the caught him: Even more catastrophically bad response times ;-)