On December 29, several newspapers reported an alleged theft of customer data from the Italian telephone company ho., owned by Vodafone. The articles referred to a very large number of users whose personal data had supposedly been stolen. Many newspapers wrote that 2.5 million users were at risk, but at the moment it is not possible to establish with certainty how many people have had their data stolen. ho. denied that there had been external access to its databases, but several users reported that their data had in fact been stolen.
The data theft was reported on Tuesday on Twitter by Bank Security, a cybersecurity expert account, which also published a series of samples of the allegedly stolen data with the personal details obscured. Bank Security wrote that the data was for sale on the dark web and that the theft could "presumably" involve 2.5 million pieces of personal customer data. In other words, Bank Security speculated that the theft could involve, as a potential pool, 2.5 million pieces of personal data, and not 2.5 million customers, as several newspapers reported.
A Threat Actor is selling a Database of the Italian mobile service provider ho. (https://t.co/N5IYO88bja) owned by @VodafoneIT.
The dump allegedly includes 2,500,000 customers' PII Data, Phone Numbers & ICCID that can be exploited for SIM swap attacks to empty Bank accounts. pic.twitter.com/yR193Mt3CS
– Bank Security (@Bank_Security) December 28, 2020
The stolen personal data reportedly includes names, emails, work and home addresses, social security numbers, VAT numbers and telephone numbers, but also the ICCID code, the one that identifies the SIM and allows its portability. In a statement, ho. mobile denied that there had been an attack and a consequent theft of ho. mobile's data: «With reference to some rumors published by the press», the company writes in the press release, «ho. mobile has no evidence of massive access to its IT systems that has jeopardized the customer base data. In collaboration with the investigative authorities, we have launched inquiries for further investigation».
Despite ho. mobile's denial, several users have reported on social networks that they recognize their own data in the samples published by Bank Security, confirming that the theft did indeed occur, even if it is not possible at the moment to quantify its size.
https://t.co/bImvqHy7V9, I had confirmation from two of the ten users of the published list that the data are correct and that therefore the data leak occurred, at least for those ten; which does not prove that it also happened for the 2.5 million
Vodafone continues to investigate
– alessandro longo (@AlessLongo) December 29, 2020
The risk for customers whose personal data has been stolen is above all what is technically called a SIM swap. This is a cyber attack that gives the attacker access to the legitimate owner's phone number and lets them break into certain types of online services that use the phone number as an authentication mechanism. Essentially, the personal data stolen in the alleged attack on ho. mobile would be enough for hackers to create a new SIM in the name of a customer whose data has been stolen.
Using the new SIM in the victim's name, the hacker could control the phone number and use it to receive two-factor authentication codes, a security system required for access to various services, including e-banking. Once logged in, the hacker could dispose of the money in the victim's current account and make wire transfers. Anyone who has enabled the receipt of authentication codes via SMS is at risk from this scam. The ABI Lab, the research and innovation center for banking promoted by the ABI (Italian Banking Association), wrote in a study published in 2019 that 90 percent of credit institutions reported fraud attempts using SIM swaps and that 40 percent of these suffered actual losses.
On December 1, the Communications Authority (Agcom) published a resolution with new rules to make changing a SIM more secure, precisely with the aim of protecting users from SIM swaps. The resolution, which will come into force in 2021, provides that for SIM exchange requests made via computer, "in addition to identification, as required by current regulations, a copy of the same documentation that is requested when contacting the dealer must also be sent. The data entry procedure should guarantee, however, that it will not be possible to finalize it if the scans of the aforementioned documents are not loaded into the system".