Telefónica fined 1.3 million euros for a cyber attack that affected more than a million customers

The Spanish Data Protection Agency (AEPD) has fined Telefónica 1.3 million euros for a security hole discovered in September 2022 and which allowed a cyberattacker to obtain the personal data of more than a million customers of its subsidiaries Movistar and O2. The breach affected their phone numbers and technical data of both their Wi-Fi connections and their personal devices, including their access credentials (username and password).

The fine includes a penalty of 800,000 euros for not processing personal data in a way that guarantees adequate security, added to another of 500,000 for not applying technical and organizational measures to minimize the risk of cyberattack. The affected database contained the information of about six million customers.

The attack originated on September 16, 2022, when a person responsible for one of Telefónica’s teams detected an abnormal number of information requests coming from a worker through one of its internal applications. Mass requests, coming from a single user located in Lithuania, reached 4 million per day, while the usual consumption was 55,000 requests per day.

The company, however, did not block the employee’s profile until four days later, “after verifying, when said user returned from vacation, that he was not the one who was legitimately making the requests.” reads in the resolution. Telefónica then began an investigation that on September 23 concluded that everything was due to a security breach.

Although Telefónica notified the breach to the AEPD within the legally established period, the Agency considers that the company has not demonstrated that it has complied with the principle of proactive responsibility and the risk approach required by data protection regulations. The regulator has also rejected Telefónica’s argument that the landline number is not personal data, based on current regulations and the jurisprudence of the Court of Justice of the European Union.

The AEPD has determined that Telefónica thus committed “serious negligence” by not implementing appropriate security measures, taking into account its size and the volume of personal data it handles. Company sources have told elDiario.es that they will appeal the sanction before the National Court, although they have refused to make any further comments on it.