Vodafone Germany said on Thursday that an attacker with insider knowledge had stolen the personal data of two million of its customers from a server located in Germany.
“This criminal attack appears to have been executed by an individual working inside Vodafone,” the company said in a statement provided to SecurityWeek. “An individual has been identified by the police and their assets have been seized.”
The data accessed by the attacker includes customer names, addresses, gender, birth dates, bank account numbers and bank sort codes, the telecommunications giant said.
Vodafone said credit card numbers, passwords, PINs, and mobile phone numbers were not exposed. No personal call information or browsing data was accessed by the attacker.
The company said the attack was discovered on September 5, but that authorities had requested the breach remain under wraps while an investigation was conducted.
German news agency DPA reported that the suspect had worked for a contractor of the company and was not a Vodafone employee.
"This attack was only possible with high criminal energy, insider knowledge and found hidden deep in the company's IT infrastructure instead," Vodafone Deutschland said in an online statement translated from German.
The breach is limited to customers in Germany, who will be notified by mail.
Because the attack was conducted with insider knowledge, the company said it changed the passwords and certificates of all administrators, and completely re-installed (wiped) the affected server for security reasons.
The phone company did warn customers about possible phishing attacks stemming from the breach, which could be used as a means to gather passwords and credit card information from customers.
Given the fact that the attackers have significant amounts of personal information, they have the ability to create highly customized phishing emails that could look legitimate.
Vodafone advised customers to exercise caution when receiving telephone or e-mail inquiries in which they are asked to hand over personal information such as passwords or credit card information.
“We have instructed independent security experts to advise on the potential implications for the individuals affected so we can offer them advice and take the best action to help them,” the company said. “In the absence of passwords, PINs or credit card details it is very unlikely that criminals would gain direct access to an individual’s bank account. However, there is a heightened risk that the criminals may request a fake direct debit application which would be immediately visible to the account holder and which could be immediately blocked or reversed under well-established banking protection measures.”
Vodafone said it would take all necessary steps to further improve the security of its systems to protect them from future criminal attacks.
This incident, along with recent headlines created by NSA leaker Edward Snowden, reminds us that the insider threat is alive and well. However, while insiders are an important threat to protect against, Verizon's 2013 Data Breach Incident Report (DBIR) showed that insiders accounted for only 14 percent of the data breaches included in the report.
Earlier this month, Verizon agreed to pay $130 billion to buy Vodafone out of its 45 percent stake in Verizon's U.S. wireless business.