“Vodafone discovered and stopped the attack, and quickly filed charges,” Vodafone said in a statement. “The attack was only possible due to…insider knowledge, and occurred deep in the company’s IT infrastructure.”
Only German customers of the company, a subsidiary of the British telecom provider were targeted, Vodafone added that the cyber-criminal did not obtain access to mobile phone numbers, passwords, PIN numbers or credit card details to plunder bank accounts.
However the mobile operator warned its customers that criminals who got hold of the sensitive data could try to get extra information about passwords and credit cards through so-called “phishing” messages and fake e-mails.
“This may well be one of the largest cases of personal data thefts for German customers,” Mikko Hypponen, chief research officer at internet security company F-secure told Reuters.
Meanwhile the suspect behind the hack has been identified and his home was reportedly searched. The suspected IT systems administrator worked for a company contracted by Vodafone and had access to the company’s data, but hacked into the server to obtain the information, Vodafone Germany spokesman Alexander Leinhos said as cited by Deutsche Welle.
A Vodafone spokesman cited by the Wall Street Journal said the incident happened on September 5 but the company disclosed it only on Thursday so as not to endanger the police investigation.
“Vodafone deeply regrets the incident and apologizes to all those affected,” the operator said in a statement adding that it will directly inform the two million victims.
“In coordination with the authorities, Vodafone Germany is now fully informing all affected persons and supporting them in avoiding possible adverse effects.”
Vodafone has about 32 million mobile phone customers and more than 3 million telecommunication customers in Germany.
In a previous major data theft scandal that also involved Germany almost 80 million user accounts of Sony’s PlayStation Network were hacked more than two years ago.