This Monday, the association of consumers Facua has published a press release to publicize all the details about a security bug in the Movistar website that allowed access to the billing data of their customers, including names, addresses, email addresses, and numbering, as well as the breakdown of their calls. But breaking all the rules on notifications of this type of faults, despite having knowledge of the problem since Thursday of last week, only told to Telephone at the last minute on Sunday, with the warning that they would publish the judgment the following morning, as reported by the specialized medium ADSL Zone.
The fault consisted in that any user of Movistar, once inside the system after you enter your ID and password, and request the display of an invoice, the URL (web address visible in the browser) showed the number of the invoice that we were seeing. It was enough to change that number for any other invoice to be able to see it, even though we had that hit with a real number. A system programmed correctly it would have found that invoice number matched with the user prior to displaying it.
Telefónica was forced to remove functionality from its website to prevent the data of their customers continue exposed, so had to work from dawn to cut the access to the call version “interactive” of the invoices issued from August 2017 instead of correcting the problem. The usual way of communicating these faults included giving the company a deadline to correct the error. For example, the division of Google responsible for search problems of computer security gives 90 days to the companies to fix them before making them public.
According to Facua, this is “the biggest security breach in the history of telecommunications in Spain”. According to Telefónica, the number of customers actually affected has been of 80, with which you would be putting in contact. In any case, not having adapted yet to the european regulation of data protection to the Spanish regulations, the fines faced by the operator would be of a maximum of 600,000 euros.