The telecom operator, however, denied any data breach and claimed the report was false and malicious.
The CyberX9 report, released on Sunday, claimed that the Vodafone Idea (Vi) customer information exposed to the internet includes, but is not limited to, all call records (date and time, the other phone number they talked to, and duration), all SMS records, internet usage details, location details, full name, Vi phone number, residential address, alternate contact number, bill payment transaction details, plan details, bill details of many months, credit limit, and so on.
It urged the government to order an independent and fair security audit of Vi, as it has been exposing millions of customers’ call logs and other sensitive and confidential data for at least the last two years or so. In that massive time period, multiple criminal hackers might have stolen this data, it alleged.
CyberX9 also claimed that it shared the findings of the report with Vi on August 22 and that a Vi company official had acknowledged the vulnerability on August 24.
Rejecting the report as false and malicious, Vi said it has a robust IT security framework to keep customer data safe and regularly conducts checks and audits to further strengthen its security framework.
“We learnt about a potential vulnerability in billing communication,” the company said in a statement. “This was immediately fixed, and a thorough forensic analysis was conducted to ascertain no data breach. We have notified appropriate agencies and made due disclosures. Vi customer data remains fully safe and secure.”
CyberX9, in its report, claimed the discovered vulnerabilities in Vi’s systems were “extremely easy to discover and exploit by anyone with good computer knowledge”.
“The vulnerabilities discovered were improper authorisation and IDOR (insecure direct object references) vulnerabilities, leading to exposing the massive amount of sensitive data to the whole internet… There is high potential that these vulnerabilities were used in this ~2 year timeframe by malicious hackers to steal all the data,” the report stated.