Vodafone in Germany has found itself in the awkward position of admitting to two million customers that a hacker has stolen their personal information.
Although the hacker did not manage to get their hands on customers’ passwords, mobile phone numbers or PIN codes, they did access users’ names, genders, addresses, dates of birth, bank account numbers and sort codes.
In its official statement, Vodafone Germany expressed its regret and attempted to reassure affected customers by saying:
“It is hardly possible to use the data to get directly access to the bank accounts of those affected”
Well, perhaps that’s true. It’s certainly the case that things would have been much worse if passwords and PIN codes had been include in the hoard stolen by the hacker.
However, the information that was taken are still valuable pieces of information for an identity thief, that can help them piece together a carefully engineered attack designed to impact innocent people.
When you tell a company like Vodafone your address and date of birth, you have an expectation that they will secure the information properly - and that it won’t fall into the hands of hackers.
By the way, although Vodafone Germany’s advisory is ambiguous about whether email addresses were also grabbed by the hacker, seeing as the company is warning of the risk of phishing I think it would be sensible to assume that they could have also been compromised.
The BBC reports that the German authorities have already identified and searched the property of a suspect, and one has to hope that this might indicate that the stolen information has not been distributed through the computer underground.
But let’s not relax too much. This hack shouldn’t have taken place in the first place, and Vodafone will hopefully be investigating as a matter of priority how it managed to occur.
Vodafone, one imagines, will be keen to check whether the vulnerability that allowed a hacker to access details of its German customers is also present on its many other sites around the world.