Cosmote fined €9 million for mishandling cyberattack

Back in September 2020, Greece’s largest mobile operator, Cosmote, was the victim of a cyberattack by an unknown party. 

 

A subsequent investigation revealed that the hacker had used social engineering techniques against one of the operator’s employees via LinkedIn, then used a brute-force method to break into the victim’s account. The malicious actor then used the employee’s account to steal around 48GB of customer data across five separate visits.

 

This data stolen reportedly contained sensitive information, including the rough positional data of almost 4.8 million Cosmote subscribers, as well as their age, gender, plan, and average revenue per user (ARPU) for around 4.2 million of these subscribers. It also included MSISDN/CLI (i.e., uniquely identifying subscription numbers) for around 7 million people that contacted the impacted Cosmote subscribers during this period.

 

All of this data could, theoretically, be used for a variety of criminal activity against the affected customers, including social engineering scams, phishing, and potentially even extortion. 

 

Now, Cosmote is coming under fire from the data protection authority for its mishandling of the situation, with an investigation not only finding that Cosmote did not explain the severity of the data leak to affected customers, but had also failed in applying data protective measures correctly.

 

The company is legally allowed to store the customer call data for up to 90 days for service quality assurance purposes, as well as holding it for a further 12 months after the data has been anonymised. However, the result of the investigation suggests that this anonymisation process was not completed properly and the data was, in some cases, held for longer than regulations allow. 

 

Combined, this meant that the hacker had access to a larger and more sensitive cache of customer data than should have been available. 

 

In total, Cosmote’s handling of customer data and its response to the cyberattack were ruled to have infringed GDPR in at least eight different ways. Thus, the authority has issued Cosmote a fine of €5.85 million, with parent company OTE also receiving a fine of €3.25 million.

 

Cyberattacks against telecoms operators have been growing in number for years now, leaving telcos racing to improve network security. Perhaps the most notable breach last year took place in August, when a hacker accessed 50 million customer records from US operator T-Mobile.

 

 

 

Also in the news: