The cybersecurity firm alleged that Vi mishandled the sensitive personal data of its users and was negligent
The telecom giant has refuted the data breach, calling the report false and malicious
Vi stated that vulnerabilities were identified, disclosed and fixed, and there was no data breach
According to a report released by the cybersecurity firm CyberX9, vulnerabilities with the telecom operator Vi (formerly Vodafone Idea) has exposed demographics, call records, phone numbers, internet usage details, credit limit, etc of 301 Mn customers. It added that 20 Mn of these were Vodafone Idea’s entire postpaid consumer base.
“This would permanently damage millions of Vodafone Idea customers’ privacy and security,” CyberX9 stated in a blog adding its suspects that these leaked data might have already been stolen by malicious attackers. It further stated that the nature of the data breach and vulnerabilities indicates negligence on behalf of Vi, which has mishandled the sensitive personal data of its users.
The data leak exposes Vi customers to spam calls, identity thefts, phishing, business email compromise (BEC) scams, extortion and income tax refund scams, CyberX9 claims. It further alleged Vodafone Idea of exposing sensitive data of several of its customers for the past two years, including 55 Mn users who have ported their numbers to other telecom companies.
Vi had over 247 Mn active subscribers at the beginning of the year.
The telecom giant later refuted the data breach, calling the report false and malicious.
In a statement days before CyberX9’s report, Vi has said that it found a potential vulnerability in its billing system via forensic audit, which was immediately fixed. It added that there was no data breach. It claims to have made due disclosures, including notifying the vulnerability to appropriate agencies and its users on its website.
The cybersecurity firm contested Vodafone Idea’s claim of a forensic audit, stating that a detailed forensic audit would require months.
This year, it is the second data leak report on Vi’s. In April 2022, a cybersecurity researcher and ethical hacker Sunny Nehra, alleged a directory leak of Vi customers on the dark web, most likely due to a weak ID password.