A flaw in Telefonica Spain’s Movistar customer portal allowed customers to view any other user’s details, potentially exposing the personal information of millions of customers.
The flaw in question, an enumeration bug, meant that by simply changing the account ID in their online invoice’s URL, logged-in users could view other customers’ invoices with no additional authorisation required.
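To make the failure concrete, here is an added example (not Telefonica or Movistar code; the invoice records, session table and log format are all constructed assumptions) showing the vulnerable pattern described above, the object-level authorisation check that closes it, and a simple log-based detector for the access pattern such a bug invites:

```python
"""Added example (not Movistar/Telefonica code): an insecure direct object
reference of the kind described above, beside the object-level authorisation
check that closes it, plus a log-based detector for ID enumeration.
All data below is constructed for illustration."""
from collections import defaultdict

# Constructed invoice store keyed by account ID (assumption: numeric IDs).
INVOICES = {
    1001: {"owner": "alice", "name": "Alice", "phone": "600000001", "total": 42.10},
    1002: {"owner": "bob",   "name": "Bob",   "phone": "600000002", "total": 17.95},
    1003: {"owner": "carol", "name": "Carol", "phone": "600000003", "total": 88.00},
}

# Constructed session table: session token -> authenticated customer.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


class NotFound(Exception):
    pass


class Unauthenticated(Exception):
    pass


def get_invoice_vulnerable(session_token, account_id):
    """The flawed pattern: the caller is authenticated, but the invoice is
    fetched purely by the client-supplied ID, so any logged-in user can read
    any account's invoice by changing the number in the URL."""
    if session_token not in SESSIONS:
        raise Unauthenticated()
    try:
        return INVOICES[account_id]
    except KeyError:
        raise NotFound()


def get_invoice_fixed(session_token, account_id):
    """Hardened form: after authentication, verify that the requested object
    belongs to the caller. A non-owned ID is answered exactly like a missing
    one so the response does not reveal which IDs exist."""
    if session_token not in SESSIONS:
        raise Unauthenticated()
    user = SESSIONS[session_token]
    invoice = INVOICES.get(account_id)
    if invoice is None or invoice["owner"] != user:
        raise NotFound()
    return invoice


def can_read(session_token, account_id, handler):
    """True if the given handler returns the invoice to this session."""
    try:
        handler(session_token, account_id)
        return True
    except (NotFound, Unauthenticated):
        return False


def detect_enumeration(log_lines, threshold=3):
    """Flag sessions that request more distinct account IDs than one
    customer would legitimately own. Log format is an assumption:
    '<session> <method> /invoice/<account_id> <status>'."""
    ids_by_session = defaultdict(set)
    for line in log_lines:
        session, _method, path, _status = line.split()
        if path.startswith("/invoice/"):
            ids_by_session[session].add(path.rsplit("/", 1)[1])
    return sorted(s for s, ids in ids_by_session.items() if len(ids) >= threshold)


SAMPLE_LOG = [  # constructed access-log lines
    "sess-alice GET /invoice/1001 200",
    "sess-bob GET /invoice/1002 200",
    "sess-bob GET /invoice/1001 200",
    "sess-bob GET /invoice/1003 200",
    "sess-bob GET /invoice/1004 404",
]

if __name__ == "__main__":
    print(can_read("sess-bob", 1001, get_invoice_vulnerable))  # True: cross-account read
    print(can_read("sess-bob", 1001, get_invoice_fixed))       # False: ownership enforced
    print(detect_enumeration(SAMPLE_LOG))                      # ['sess-bob']
```

The ownership check in `get_invoice_fixed` is the whole fix: authentication says who the caller is, but only an explicit per-object authorisation decision stops them reading someone else's record. The detector is a coarse heuristic; in production the threshold should be derived from how many accounts a customer can actually hold.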
The bug was spotted by a Movistar customer and reported to consumer rights non-profit FACUA, which announced the breach on Monday 16 and filed a complaint with the Spanish Agency for Data Protection. Under Spanish data protection law, the maximum fine that could be imposed is €600,000.
According to FACUA, data which could be accessed included names, addresses, mobile and landline numbers, email addresses and breakdowns of calls.
El Español reported that national ID numbers and the name of the bank where the receipts are stored were also exposed, and that the information could be very easily downloaded in CSV format.
A Telefonica spokesperson told the press that the relevant authorities have been notified, and that no fraudulent access to the data had been detected. Telefonica also confirmed that the bug was resolved within a few hours of being reported.