Cybersecurity research firm CyberX9 says it has uncovered multiple vulnerabilities in the system of India telco Vodafone Idea that exposed sensitive and confidential call records and other personal data of around 20 million postpaid customers.
CyberX9 noted that the data also included those who have left Vi and those who only showed interest in getting a Vi connection, putting a total of 55 million people at risk of having their data stolen.
The firm said in a report Sunday that Vodafone Idea had left one of the main discovered vulnerabilities open to cyber attacks for roughly the last two years, meaning the telco was exposed throughout that period.
‘Massive troves of data’ exposed
CyberX9 said that it discovered vulnerabilities such as improper authorization and “Insecure direct object references (IDOR) vulnerabilities”, which exposed massive troves of data to the internet.
The report added that Vodafone Idea fixed the issue only after it was reported.
“Vodafone Idea had put millions of its customers’ data (call logs, etc.) at absolute risk and absolutely damaged their privacy of private lives due to Vodafone Idea’s carelessness towards the security of customer data,” the firm said.
The data exposed by the vulnerabilities included all call records (date/time, other phone number talked to, and duration), all SMS records, internet usage details, location details, full name, Vi phone number, and residential address, among others.
CyberX9 reported the vulnerabilities to Vodafone Idea on August 21, but the issues were only fixed five days later.
Vodafone Idea denies breach
However, Vodafone Idea has refuted the report, saying that there was no data breach. “The report is false and malicious. Vi has a robust IT security framework to keep our customer data safe. We regularly conduct checks and audits to further strengthen our security framework.”
That said, the CyberX9 report didn’t claim that a data breach had actually occurred – only that the data was exposed and at risk, and that there was “a high potential that these vulnerabilities were used in the last two years” by hackers to steal the data.
“There was no need to break any type of authentication on Vi’s systems as part of the vulnerabilities discovered in order to expose such data but rather just sequentially going up and down in a range of numbers as input to get data of millions of customers through API requests,” the firm said.
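The pattern the firm describes, a sequential record number as the only input and no check that the caller owns the record, is a textbook insecure direct object reference. The following is an added example, not code from CyberX9, Vodafone Idea, or the report: a constructed in-memory record store with the vulnerable lookup beside a hardened one (opaque random handles plus an ownership check against the session subject), and a small log-based check that flags a client walking many distinct record ids. All identifiers, records and log lines are constructed.

```python
"""IDOR illustration: vulnerable lookup, hardened lookup, enumeration check.

Added example, not code from CyberX9 or Vodafone Idea. The record store,
session model, identifiers and access-log lines are all constructed.
"""
import secrets
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Record:
    owner: str                      # subscriber the record belongs to
    calls: List[str] = field(default_factory=list)


# Constructed data keyed by sequential numbers, as in the reported design.
RECORDS_BY_SEQ: Dict[int, Record] = {
    1001: Record("alice", ["2021-08-01 10:00 -> +91XXXXXXXXXX, 120s"]),
    1002: Record("bob",   ["2021-08-02 11:30 -> +91XXXXXXXXXX, 45s"]),
    1003: Record("carol", []),
}


def vulnerable_lookup(seq_id: int) -> dict:
    """IDOR: the record number is the only input and nothing ties it to the
    caller, so any client can step seq_id up or down and read every record."""
    rec = RECORDS_BY_SEQ.get(seq_id)
    if rec is None:
        return {"status": 404}
    return {"status": 200, "owner": rec.owner, "calls": rec.calls}


# Hardened store: opaque random handles replace sequential numbers, and every
# read is checked against the authenticated subject of the caller's session.
RECORDS_BY_HANDLE: Dict[str, Record] = {}
HANDLE_OF: Dict[str, str] = {}      # owner -> handle, for the example's tests
for _rec in RECORDS_BY_SEQ.values():
    _handle = secrets.token_urlsafe(16)
    RECORDS_BY_HANDLE[_handle] = _rec
    HANDLE_OF[_rec.owner] = _handle


def hardened_lookup(session_subject: Optional[str], handle: str) -> dict:
    """Require a session and refuse any record the subject does not own."""
    if session_subject is None:
        return {"status": 401}
    rec = RECORDS_BY_HANDLE.get(handle)
    # Same 404 for "not found" and "not yours", so the response does not
    # confirm that another customer's handle exists.
    if rec is None or rec.owner != session_subject:
        return {"status": 404}
    return {"status": 200, "owner": rec.owner, "calls": rec.calls}


# Detection: a client that touches many distinct record ids in a short span is
# enumerating, whether or not the reads succeed. Constructed access-log lines
# in the form "<epoch> <client> <method> <path> <status>".
SAMPLE_LOG = """\
1629500000 10.0.0.5 GET /records/1001 200
1629500001 10.0.0.5 GET /records/1002 200
1629500002 10.0.0.5 GET /records/1003 200
1629500003 10.0.0.5 GET /records/1004 404
1629500004 10.0.0.5 GET /records/1005 404
1629500010 10.0.0.9 GET /records/1002 200
"""


def enumeration_suspects(log_text: str, threshold: int = 4) -> List[str]:
    """Return clients that requested at least `threshold` distinct record ids."""
    ids_per_client = defaultdict(set)
    for line in log_text.splitlines():
        _ts, client, _method, path, _status = line.split()
        ids_per_client[client].add(path.rsplit("/", 1)[1])
    return sorted(c for c, ids in ids_per_client.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print("vulnerable, no session needed:", vulnerable_lookup(1002))
    print("hardened, alice reading bob:", hardened_lookup("alice", HANDLE_OF["bob"]))
    print("enumeration suspects:", enumeration_suspects(SAMPLE_LOG))
```

The ownership check is the fix that matters; the random handles only make guessing impractical, and a server that still skips the check is just as exposed once a handle leaks. The log check is deliberately crude (distinct ids per client over the whole sample); a production version would window by time and account for shared NAT addresses.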
Vodafone Idea did admit to a potential vulnerability in its billing communications, which it said was fixed immediately; the telco added that a thorough forensic analysis was conducted to confirm that there was no data breach.
“We have notified appropriate agencies and made due disclosures. Vi customer data remains fully safe and secure,” the telco added in a statement.