Vodafone Iceland admits to “a terrible mistake” in not encrypting passwords and in not deleting customers’ communication data older than 6 months, as the law requires.
As reported, a Turkish cracker attacked Vodafone Iceland’s website on Friday night and managed to steal nearly 80,000 files, including passwords, ID numbers and credit card numbers.
He or she later leaked the information on the internet, where anyone could browse through customers’ private text messages sent sometime between 1 December 2010 and 30 November 2013.
All in all, 300 Mb of data were stolen from the website.
Vodafone Iceland has reported the attack to the police and held a press meeting on Sunday afternoon to clarify the situation.
Ómar Svavarsson, CEO of Vodafone Iceland, said that the company had often managed to fend off cyber attacks and that its core telecommunications system had never been cracked, MBL reports.
“The weakness was in our website and that’s what we’re to be blamed for,” he said at the press meeting.
Ómar said it was a mistake that data older than 6 months had been stored. “It is obvious that our storage time exceeded the time frame which is specified by law. We offered our customers to save messages from their own communications history on our website and in order not to do that, one needed to uncheck a certain box. Upon closer inspection we found older data in our back system, which now has been deleted. That’s where we made a mistake.”
He also admitted that passwords should have been encrypted and that the fact that they weren’t was a terrible oversight. “That was a terrible mistake on our half. They were encrypted but at the back, they weren’t,” Ómar said, adding that in time it would become clear whether the company is liable for damages.
The company is collaborating with a law firm to create a data room where Vodafone customers can check which information was leaked about them. Security measures are also being reviewed and an independent probe into the company’s security standards will be carried out.
At least one customer has already reported Vodafone to the police, for breaking the telecommunications law by storing data for longer than 6 months, DV reports.