Reused Passwords Expose 1,827 Vodafone Accounts

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

Vodafone UK recently announced that it was targeted in "an attempt to access some customers' account details" between midnight on October 28 and noon on October 29, 2015.

The company immediately began an investigation, and notified the National Crime Agency (NCA), the Information Commissioner's Office (ICO) and Ofcom.

"This incident was driven by criminals using email addresses and passwords acquired from an unknown source external to Vodafone," the company stated. "Vodafone’s systems were not compromised or breached in any way."

Still, 1,827 customers' accounts were accessed, potentially providing the attackers with the affected customers' names, mobile phone numbers, bank sort codes, and the last four digits of their bank account numbers.

"The information obtained by the criminals cannot be used directly to access customers’ bank accounts," Vodafone stated. "However, this information does leave these 1,827 customers open to fraud and might also leave them open to phishing attempts."

The 1,827 customers' accounts were all blocked on October 30, 2015, and the customers were notified. "We have already contacted the banks of affected customers to alert them to the situation and they are following established procedures in order to protect customers," the company said.

An NCA spokeswoman told the BBC, "The NCA can confirm that we have been contacted by Vodafone in relation to a compromise of customer data, and we are in dialogue with the company. Anyone who thinks they have been subject to attempted or successful fraud, or other online crime, should report it to action fraud at www.actionfraud.police.uk."

Tripwire security analyst Ken Westin told eSecurity Planet by email that it's unsurpising to see Vodafone's announcement so soon after the recent TalkTalk breach, since attacks often cluster around a single industry. "Those conducting the attacks are [not] compromising the systems and networks of the carriers, but instead targeting business partners looking for weaknesses there, or as is the case with this breach, using credentials compromised elsewhere to access customer data," he said.

"This particular breach reveals the need for users to ensure they are using unique passwords for each service, as well as the increasing need for carriers to deploy additional security measures such as two-factor authentication," Westin added. "Many of the carriers, email and social media providers actually provide two-factor authentication, however it is usually disabled by default."

"Service providers may want to look at providing more visibility as well as training and awareness around the security features they provide to protect accounts, and consumers need to start both understanding and implementing these features," Westin suggested.

Recent eSecurity Planet articles have examined the importance of user security training, and how to use two-factor authentication for mobile security.