Security researchers recently reported a data breach incident on one of India’s major telecommunication firms, Vodafone Idea, allegedly exposing sensitive credentials of about 20.6 million people online. The Indian telco confirmed the incident last August 22, but they denied that there were compromised data leaked publicly.
Based on the initial reports, the data included in the breach were customers’ names, residential addresses, call logs, SMS details, transaction data, internet plans and usages, and more.
The Indian telco firm clarified that they discovered a flaw in their system, but no data breach has happened, as security researchers report.
From a statement, Vodafone Idea said that the data breach reports against their company were false and malicious. They also added that the cybersecurity incident was only about a potential vulnerability they had found in their billing communication, which was patched immediately alongside undergoing thorough forensic analysis.
Furthermore, the Indian telco stressed that its security framework is robust, thus keeping customer data secured and safe from compromise.
The researchers who have reported the alleged data breach on Vodafone Idea disproved, adding that when the Indian telco reported the discovered flaw, they did not fix it for days which could have been the reason for the data breach.
As detailed in the researchers’ report, the discovered security flaw on Vodafone Idea involved improper authorisation and insecure direct object references (IDOR) or access control vulnerabilities. This flaw purportedly exposed massive critical customer data on the internet and might have been abused by threat actors over the last two years.
Several relevant authorities, such as CERT-In, NCIIPC, TRAI, and other regulatory agencies, were contacted by the Indian telco firm and the security researchers upon learning of the incident. Meanwhile, Vodafone Idea emphasised that their customers’ data are safe from breaches, and they have regularly conducted security and audit checks on their security framework to strengthen it.
More updates are looked forward to and will be shared once further details are learned about this issue.