The breach came to light after a Movistar user reported it to FACUA, a Spanish non-profit specializing in consumer rights protection. The user discovered that anyone with a Movistar account could view other users’ personal data, according to Bleeping Computer. The organisation says it notified Telefonica of the issue on Sunday, July 15, and FACUA announced the breach in a press conference on Monday, July 16, at 11:00 local time.
FACUA says that the page for viewing Movistar invoices embedded the invoice's alphanumeric ID in the online account URL. Any user who modified this ID could then access other users’ account data.
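The flaw FACUA describes is a missing ownership check on an object ID taken from the URL. The sketch below is an added example, not Movistar's code: it shows the unchecked lookup beside a corrected one, plus a log audit that flags cross-account reads. All function names, account names, invoice IDs and records are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Invoice:
    invoice_id: str   # alphanumeric ID carried in the URL
    account_id: str   # account that owns the invoice
    holder_name: str

# Constructed sample data, not real records.
INVOICES = {
    inv.invoice_id: inv
    for inv in (
        Invoice("A1B2C3", "acct-alice", "Alice Example"),
        Invoice("A1B2C4", "acct-bob", "Bob Example"),
    )
}

def get_invoice_unchecked(session_account: str, invoice_id: str) -> Optional[Invoice]:
    """Flawed pattern: being logged in is enough to fetch any invoice ID."""
    # session_account proves a login but is never compared with the owner.
    return INVOICES.get(invoice_id)

def get_invoice_checked(session_account: str, invoice_id: str) -> Optional[Invoice]:
    """Corrected pattern: the invoice must belong to the session's account."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.account_id != session_account:
        # Same answer for "missing" and "not yours", so the response
        # does not confirm which IDs exist.
        return None
    return invoice

def audit_cross_account_reads(access_log):
    """Flag logged requests where the session account is not the invoice owner."""
    flagged = []
    for session_account, invoice_id in access_log:
        invoice = INVOICES.get(invoice_id)
        if invoice is not None and invoice.account_id != session_account:
            flagged.append((session_account, invoice_id))
    return flagged

# Constructed access log: (session account, invoice ID requested).
ACCESS_LOG = [
    ("acct-alice", "A1B2C3"),
    ("acct-alice", "A1B2C4"),  # request for another account's invoice
    ("acct-bob", "A1B2C4"),
]
```

Running the audit over existing access logs also helps scope which accounts were exposed before the check was added.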
According to a FACUA spokesperson, the agency filed a complaint against Telefonica Spain and Telefonica Mobile with the Spanish Agency for Data Protection (AEPD), the national agency in charge of enforcing the new GDPR data protection rules.