Cyber Incident Victim: Vodafone España
Date: Nov 2023
Location: Spain
Summary
A cybersecurity breach at a third-party collaborator compromised personal and banking data of a limited number of Vodafone España customers, exposing Spanish national IDs (DNI), bank account details, contact information, and email addresses. The company confirmed unauthorized access to the collaborator's systems, impacting business clients, authorized users, self-employed individuals, and private customers, though prepaid clients' bank data remained unaffected. No passwords were compromised. The incident, resolved after internal and external security protocols were activated, prompted notifications to Spain's national cybersecurity institute and data protection authority. Affected users were advised to monitor for unauthorized bank transactions and fraudulent contact attempts.
Description
On or around November 22, 2023, Vodafone España disclosed a data breach affecting a limited number of its customers in Spain. The incident originated from an unauthorized intrusion into the systems of one of Vodafone’s third-party collaborators, not its own infrastructure. Exposed data included national identity numbers (DNI) and bank account details for postpaid customers, though prepaid customers’ banking information remained unaffected. The breach compromised information across multiple client categories: enterprise accounts (company name, tax ID, contact number, email, address, bank account), authorized representatives (full name, contact number, DNI copy), self-employed individuals (name, surname, DNI, contact details, email, address, bank account), and private customers (DNI data, contact phone, email, bank account, and contracted phone number). Vodafone did not publicly quantify the exact number of affected individuals but emphasized the breach was contained to a limited subset of clients. The company became aware of the incident through its collaborator and initiated an investigation alongside external security protocols. No evidence suggested compromised passwords or direct infiltration of Vodafone’s networks.

Vodafone notified affected customers directly, advising vigilance against unsolicited requests for personal information and caution regarding unsecured websites. The incident was reported to Spain’s National Cybersecurity Institute (Incibe) and the Spanish Data Protection Agency (AEPD). Incibe assessed the breach as high severity (level 4 out of 5) and confirmed the absence of exposed credentials. While Vodafone stated the issue was resolved, Incibe provided additional guidance to victims, including monitoring for unauthorized bank transactions and documenting potential fraud for law enforcement. The collaborator’s identity remained undisclosed, and no attacker attribution or motive was revealed. Impacts centered on identity theft and financial fraud risks due to the exposure of sensitive identifiers and banking data. Vodafone highlighted its international cybersecurity team’s ongoing monitoring efforts but did not specify technical remediation steps taken by the collaborator.
