Incibe makes security recommendations to those affected

The systems of one of Vodafone’s collaborators have suffered a ‘hack’ that has exposed different personal and banking data of a “limited number” of the company’s clients in Spain, as reported by the company, which has not revealed the volume of affected users and has stressed that the incident has already been resolved.

The personal data exposed are, as the company has transferred to the affected users, the DNI and the bank account. “If you are a prepaid customer, your bank account is not affected,” the company has clarified.

In that sense, Vodafone has acknowledged the incident and explained that it was due to “unauthorized access” to the systems of one of its collaborators.

“As a consequence, some data of a limited number of customers has been affected. As soon as Vodafone became aware of the incident, it began to investigate this event with the collaborator. Likewise, the corresponding security protocols, both internal and external, were activated. “, the company has detailed.

In its communication with affected customers, the operator has recommended users not to access unsafe websites and not to provide personal information if they are contacted by any means.

“Vodafone takes security very seriously and has an international team of cybersecurity professionals who continuously monitor, protect and defend its networks. This incident has been notified to the National Cybersecurity Institute of Spain (Incibe) and the Spanish Protection Agency of Data (AEPD)”, the company added.

In that sense, Incibe has classified the incident with a high level of importance (four out of five) and has indicated that the affected data does not include access passwords.

Thus, it has added that the compromised information is associated with company accounts (name, CIF, contact number, email, address and bank account of company clients) and its authorized persons (name and surname, contact number and copy of the DNI). ).

Also to self-employed workers (name, surname, ID, contact number, email, address and bank account) and individuals (ID details, contact telephone number, email, bank account and contracted telephone number).


In relation to this incident, Incibe has given a series of recommendations to users who have received the notice from Vodafone.

Thus, it recommends that users do not open links in case they are asked for data posing as their bank and that they do not provide personal information or information related to their card or bank account.

“Change the access codes to the platforms you have related to the payment of your telephone lines. Do not provide your password or PIN, Vodafone will never request said information by SMS, email or call. If any unauthorized charge is made on your bank account, immediately contact your bank and collect evidence of the fraud to be able to file a complaint with the State Security Forces and Bodies. You can use ‘online’ witnesses for this function,” he adds.

“If you want to check if more personal data has been affected, use ‘egosurfing’ to see if said information was published on the Internet,” Incibe added.