CyberX9 says Vi’s postpaid data compromised; telco junks claims

A cybersecurity firm in its report has said that telecom service provider ‎Vodafone Idea exposed sensitive and confidential call‏‏‎ ‎records and other personal data of its customers due to vulnerabilities in its system, though Vodafone Idea (Vi) has said there was no “data breach”, while adding that the report is “false and malicious”.

According to the report by cyber security company CyberX9, multiple critical security vulnerabilities in Vi’s systems exposed call records of its around 20 million postpaid customers and their personal details. CyberX9 is a Chandigarh-based cyber security firm that helps businesses against cyber attacks.

The CyberX9 report claims the flaw in Vi’s systems exposed customers’ sensitive and confidential personal data, including call logs of nearly 301 million customers. It adds that Vi this vulnerability made Vi’s system open for cyberattacks for the past two years. “Vi only fixed the data expose only after we discovered," it claimed.

In response to the report, Vodafone Idea has said it has a robust security framework, and that the vulnerability found in the billing communication was fixed as it learnt about it. "Vi has a robust IT security framework to keep our customer data safe. We regularly conduct checks and audits to further strengthen our security framework. We learned about a potential vulnerability in billing communication. This was immediately fixed and a thorough forensic analysis was conducted to ascertain no data breach.”

Vodafone Idea has also said that it has notified “appropriate agencies and made due disclosures. Vi customer data remains fully safe and secure”.

As per the report, the information that could have been exposed includes call records, SMS records, internet usage details, location details, full names, phone numbers, residential addresses, alternate contact numbers, bill payment transaction details, plan details, bill details of many months, credit limit, and so on. Mobile internet details, value-added services details, plan details, credit limit, and bill details could also have been exposed.

“All of these discovered vulnerabilities were possible to be used for large scale automated exfiltration of sensitive and confidential user data without any restrictions by Vodafone Idea’s systems,” claims the report.

The CyberX9 report comes days after another cybersecurity company Recorded Future found that the National Informatics Centre (NIC), which manages IT infrastructure and services for the central government, was targetted by China's state-sponsored hackers' group RedAlpha. NIC, which operates under the Ministry of Electronics and Information Technology (MeitY), is the tech partner of the government. It said the China-backed hackers’ group has consistently spoofed login pages for the NIC. Apart from India, Red Dev 3, aka DeepCliff, RedAlpha conducted a multi-year credential theft campaign, targetting global humanitarian, think tanks, and government organisations, says the latest report by cybersecurity company Recorded Future.

Reacting to the news, Vodafone Idea shares were trading down 1.64% at ₹8.95, largely in line with the benchmark BSE Sensex, which tumbled 1.39%.