Vodafone-Idea denies allegations of data breach

A cyber security research firm has claimed that the call data records of over 300 million Vi (Vodafone Idea) customers - including its 20 million post-paid consumer base - were leaked due to vulnerabilities in the company’s systems. The telecom company however denied the data breach, calling the report “false and malicious”. 

In a report released by the cybersecurity firm CyberX9, vulnerabilities with the telecom operator Vi has exposed demographics, call records, phone numbers, internet usage details, credit limit, and other details of over 300 million customers overall. 

“This would permanently damage millions of Vodafone Idea customers’ privacy and security,” CyberX9 stated in a blog adding that these leaked data might have already been stolen by malicious attackers. It further stated that the “nature of the data breach and vulnerabilities indicates negligence on behalf of Vi, which has mishandled the sensitive personal data of its users”. 

The telco, however, said that there was no data breach and potential vulnerability in its billing communication was immediately fixed after it learned about it.

CyberX9’s founder and managing director Himanshu Pathak said in a statement that the firm had “shared entire findings with Vodafone Idea through email on August 22 and a company official had acknowledged the vulnerability on August 24.” 

However, Vodafone Idea alleged that there is “no data breach as alleged in the report. The report is false and malicious. Vi has a robust IT security framework to keep our customer data safe.”

"We regularly conduct checks and audits to further strengthen our security framework. We learnt about a potential vulnerability in billing communication. This was immediately fixed and a thorough forensic analysis was conducted to ascertain no data breach," it said. 

"Vi was exposing millions of customers call logs and other sensitive data for at least last about two years. In that massive time period, multiple criminal hackers might have stolen this data,” said the CyberX9 report, adding that "It is absurd and baseless claim of Vi that they've done a forensic audit and no breach was found. Such a detailed forensic audit would at least take couple of months to be done.” 

It also claimed that personal data of 55 million people, including those who have left Vi and those who only showed interest in getting a Vi connection, was at risk.

Vi had over 247 million active subscribers at the beginning of the year.

In November 21, 2021, CyberX9 had found vulnerability in the server of Punjab National Bank allegedly exposed the personal and financial information of its about 180 million customers for about seven months. The cyber security firm claimed that the vulnerability provided access to the entire digital banking system of PNB with administrative control. 

While the bank had confirmed the glitch it denied any exposure of critical data due to the vulnerability. nonetheless, PNB said that it "server was shut down as a precautionary measure."