Telco fined €9 million for hiding cyberattack impact to customers
The Greek data protection authority has imposed fines of 5,850,000 EUR on COSMOTE and 3,250,000 EUR on OTE for leaking sensitive customer communication due to a cyberattack.
As the agency says in an announcement, COSMOTE infringed at least eight articles of the GDPR, including violating its duty to inform affected customers of the true impact of the incident.
An internal investigation conducted by COSMOTE in 2020 revealed that a hacker social-engineered one of its employees through LinkedIn and later used brute-forcing tools to derive the target's account credentials.
The size of the stolen data amounted to 48GB. COSMOTE keeps call details on its servers for 90 days for service quality assurance, and maintains an anonymized version of the data for another 12 months for statistical analysis that helps in targeted service improvement.
Rough positional data of 4,792,869 unique COSMOTE subscribers.
MSISDN/CLI of 6,939,656 users of other telecommunication providers who communicated with customers of COSMOTE.
MSISDN, IMEI, IMSI, and connected tower position for 281,403 roaming subscribers of COSMOTE.
The above information could be used for highly targeted social engineering, phishing, and even extortion in some cases.