Telefonica, a Spain-based telecom operator, has suffered a data breach exposing the personal data of millions of customers.
According to El Espanol, hackers were able to exploit a vulnerability found at the company, which led to the security breach.
The breach came to light when a Movistar user reported it to FACUA, a non-profit consumer rights group in Spain.
The flaw allowed anyone to access the billing data of customers. To access the data, a user needed to log in to the system, open their invoice and modify the URL.
The exposed data includes names, mobile and landline numbers, residential addresses, billing addresses, the names of the banks where receipts are stored, and billing and call history. All of the data could also be downloaded in CSV format.
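The access pattern described above (a logged-in user changing the invoice reference in the URL) is consistent with a missing per-object ownership check. The following Python example is added here for illustration and is not Telefonica's code: the handler names, the invoice store and its sample records are constructed assumptions, showing the flawed lookup beside one that verifies ownership.

```python
# Added illustration: constructed data and hypothetical names; not Telefonica's code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str   # account the invoice belongs to
    body: str


# Constructed sample store: sequential ids make neighbouring records guessable.
INVOICES = {
    1001: Invoice(1001, "alice", "alice: billing address, call history"),
    1002: Invoice(1002, "bob", "bob: billing address, call history"),
}


class Forbidden(Exception):
    """Raised when the session user may not read the requested invoice."""


def get_invoice_vulnerable(session_user: str, invoice_id: int) -> str:
    # Flawed pattern: being logged in is treated as sufficient. The id taken
    # from the URL is looked up without checking who owns the record.
    if not session_user:
        raise Forbidden("login required")
    return INVOICES[invoice_id].body


def get_invoice_hardened(session_user: str, invoice_id: int) -> str:
    # Authorisation is checked per object: the record must belong to the
    # authenticated account. Missing and foreign ids fail identically, so the
    # response does not reveal which ids exist.
    invoice = INVOICES.get(invoice_id)
    if not session_user or invoice is None or invoice.owner != session_user:
        raise Forbidden("not found or not permitted")
    return invoice.body


def can_read(handler, session_user: str, invoice_id: int) -> bool:
    """Return True if the handler serves the invoice to this user."""
    try:
        handler(session_user, invoice_id)
        return True
    except (Forbidden, KeyError):
        return False
```

The same ownership check belongs on every route that returns the record, including any CSV export.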
FACUA said it has filed a complaint against the company with the AEPD (Spanish Agency for Data Protection), the agency in charge of implementing the new GDPR data protection rules.
“According to the new rules established by the General Data Protection Regulation (RGPD), a violation of this type entails a notification to the Spanish Agency for Data Protection (AEPD). It is possible that this information should be complemented with a notification addressed to your own customers,” said the post published by El Espanol.
According to GDPR rules, the company may be fined between €10m and €20m, or 2 to 4 percent of the company’s annual turnover.
However, Spain’s data protection law restricts these fines to between €300,000 and €600,000.
The company said the investigation is still ongoing, that it has informed law enforcement authorities, and that until now there have been no traces of any fraudulent access.
FACUA notified the company of the breach on Sunday, and the flaw was fixed by the company on Monday.