Cyber Incident Victim: Vodafone GmbH

Date:

May 2023

Location:

Germany

Summary

A cyber attack targeted Vodafone's external sales partner, Vertriebswerk, compromising a platform used for newsletter sign-ups and contract activations. Unauthorized actors copied email addresses and their associated passwords. While the company stated there was no concrete evidence that more sensitive data like names, addresses, and bank details were taken, it proactively reset passwords for approximately 7,500 customers as a precaution. Vodafone took the affected partner portals offline and informed the relevant data protection authorities.

Description

On or around May 16, 2023, a cyber incident occurred targeting Vertriebswerk, an external sales partner of the telecommunications company Vodafone. The incident involved an attack on two specific online portals, aktivieren.vodafone.de and vorteilstarife.net, which were operated by this third-party service provider. These platforms were used for customer acquisition, allowing individuals to sign up for a Vodafone newsletter, create an account, and conclude customer contracts with Vodafone under advantageous terms. Unknown attackers successfully breached this external platform and copied data. Vodafone stated that the attackers copied email addresses along with their associated email passwords from the system.

In response to the attack, Vodafone took the precautionary measure of taking the affected Vertriebswerk-operated platforms completely offline and out of operation to prevent further unauthorized access. The company immediately initiated its incident response procedures. This included filing a criminal complaint with the relevant law enforcement authorities to begin an official investigation into the breach. Vodafone also fulfilled its regulatory obligations by promptly informing the Federal Commissioner for Data Protection and Freedom of Information (BfDI) of the security incident. The criminal and internal investigations into the full scope and details of the attack were reported as still ongoing at the time of the disclosure.

While the primary confirmed data exfiltrated consisted of email addresses and their passwords, Vodafone began notifying a larger group of customers about a potential compromise of a broader set of sensitive information. Through direct email communications, Vodafone informed these customers that the intruders may have copied sensitive data, listing affected elements as name, date of birth, email address, mobile number, physical address, bank account details (IBAN/BIC), and their customer password. The company stated that no misuse of any stolen data had been identified at that time, and there were also no concrete indications that data beyond the email credentials had actually been copied. However, proceeding with an abundance of caution, Vodafone took action to protect potentially affected customers.

As a direct containment measure, Vodafone proactively reset the passwords for approximately 7,500 customer accounts believed to be at highest risk. The company then sent out SMS messages to these individuals to alert them to the incident and the action taken. The primary remediation step required affected customers to assign a new password to regain access to their accounts. To facilitate this, Vodafone provided detailed instructions, including a PDF guide. This guide was particularly aimed at customers who did not yet have a MeinVodafone online customer account, as it contained a form to request a password change via postal mail or fax, ensuring all customer segments could be served.

Vodafone conducted internal reviews of its own core systems and infrastructure to assess any potential lateral movement or broader impact from the partner breach. The company reported that its own analysis found no evidence of misuse within Vodafone’s internal IT systems. Despite this finding, the company’s IT security teams maintained a heightened state of alertness and were prepared to take immediate further measures should the investigation reveal any additional downstream effects from the incident on Vertriebswerk.

The company provided guidance to customers on monitoring for potential misuse of their personal data, even though no actual misuse had been detected. Customers were advised to carefully monitor their bank accounts for any unexpected movements or unauthorized debits. They were also instructed to vigilantly monitor their Vodafone customer accounts for any unusual or unexpected changes. Furthermore, Vodafone warned customers to be particularly alert to an increase in phishing attempts via phone calls, emails, or SMS messages that might leverage the stolen data, emphasizing that customers should never provide passwords or other sensitive data in response to such unsolicited communications. Customers with concerns were directed to initiate contact themselves using official Vodafone contact channels.

The incident highlighted the risks associated with supply chain and third-party vulnerabilities, as the attack did not target Vodafone’s primary infrastructure directly but rather a smaller partner company that operated customer-facing portals on its behalf. The operational impact for Vodafone included the temporary loss of two specific sales and activation channels, disrupting a method for new customer acquisition. The full reactivation of the Vertriebswerk-operated sales platform was stated to be planned for the near future once security concerns were addressed. The broader consequence was the potential exposure of customer data, necessitating a large-scale customer notification and password reset operation, alongside ongoing criminal and regulatory investigations.
