
Cyber Incident Victim: Vodafone Portugal

Date: Feb 2022

Location: Portugal

Summary

Vodafone Portugal suffered a deliberate cyberattack disrupting 4G/5G networks, fixed voice, television, SMS, and customer support services nationwide. The company restored mobile voice services and limited data access via 3G, but full recovery required extended efforts with national and international teams. No customer data compromise was detected, and an investigation involving authorities was ongoing. The incident impacted millions of mobile and internet subscribers, highlighting significant operational challenges.


Description

On the night of February 7, 2022, Vodafone Portugal experienced a widespread network disruption caused by a deliberate and malicious cyberattack designed to inflict damage and operational chaos. The attack primarily targeted data network-dependent services, including 4G/5G mobile data, fixed voice communications, television broadcasts, SMS messaging, and voice/digital customer support channels. Vodafone’s security teams detected initial network anomalies shortly after the attack commenced, triggering an immediate response to identify and contain the intrusion. By February 8, the company had partially restored mobile voice services and reinstated mobile data access exclusively through the 3G network across most of Portugal, though at significantly reduced speeds capped at 3MB/sec. The outage impacted Vodafone’s entire customer base, comprising over four million mobile subscribers and 3.4 million home and business internet users, creating nationwide service accessibility challenges.


Vodafone initiated a multi-phase recovery effort involving national and international technical teams alongside external partners, anticipating progressive service restoration throughout February 8. The complexity and severity of the attack necessitated extended, meticulous remediation work for all non-restored services, with no immediate timeline for full recovery. Vodafone launched an open-ended investigation in collaboration with law enforcement agencies, though preliminary findings revealed no evidence of customer data access or compromise. The company declined to disclose technical specifics of the attack vector or perpetrator identity in its public statements. Independent cybersecurity researchers cited by external media suggested potential ransomware involvement, though Vodafone did not confirm this attribution. Service restoration priorities focused on rebuilding core network infrastructure while mitigating further disruption risks, with Vodafone committing to ongoing public updates as recovery progressed.
