- Hackers managed to obtain data of 12,013,928 users through COSMOTE due to an error by an employee of the company.
- During the transfer of a telephone connection from Cosmote to Vodafone, an individual used another user’s phone for a few days, while if one called his own personal phone, another user also answered.
- OTE provided 756,700 routers with common passwords.
- A series of complaints against Vodafone and Forthnet.
- Between 2017 and 2022, ADAE imposed fines totaling €7.2 million on mobile operators. For the same period, the profits for OTE and VODAFONE alone amount to 13 billion euros.
by Data Journalists
Serious issues are raised regarding the privacy of the communications of millions of mobile phone users in our country, as revealed through official documents and decisions of the Independent Authority for the Safeguarding of Communications Privacy (ADAE).
Data Journalists today open the “black box” of systematic violation of communications privacy caused by shortcomings in the security measures taken by mobile phone companies. In hundreds of cases in recent years, ADAE has fined VODAFONE, COSMOTE, OTE, and FORTHNET for privacy violations for which the companies themselves were responsible.
In one case, hackers managed to obtain the personal data of millions of COSMOTE users because of a company employee’s careless handling of his passwords on social media. In another case, during the transfer of a telephone connection from Cosmote to Vodafone, an individual used another user’s phone for a few days, and if one called his own personal phone, another user also answered.
These are just two of the hundreds of cases identified by ADAE, some of which have been brought to justice, unfortunately not on the Hellenic Public Prosecutor’s initiative. Although they are obliged by the Constitution and legislation to prevent such incidents and to implement a specific security policy, the mobile phone companies do not appear to be meeting those obligations.
At the same time, what emerges from Data Journalists’ investigation into the companies’ profits and the fines imposed on them is striking. Although the profits amount to tens of billions of euros for the years 2017 – 2022, the fines do not exceed EUR 7.2 million. But let’s take a closer look at what emerges from the Data Journalists survey.
They mixed up the lines during the transfer from Cosmote to Vodafone
In March 2017, businessman George Floras filed a written complaint with ADAE regarding a possible “violation of the existing legislation on communications privacy” by COSMOTE. The complaint concerned a specific incident during the transfer of a telephone connection from Cosmote to Vodafone. As Mr. Floras found, for two weeks his telephone line had been used by another user, while he had been using the telephone connection of another user. It was obvious that something wrong had happened.
In March 2018, ADAE decided to carry out an extraordinary audit at COSMOTE and VODAFONE. An ADAE team visited the premises of the two companies and confirmed that something had indeed gone wrong. Specifically, from February 20, 2017, to March 3, 2017, Mr. Floras used a telephone connection that did not belong to him, and when someone called his number, another user answered. The ADAE team attributed this problem to “incorrect mixing of the complainant’s connection by a technician of the OTE company in the context of the implementation of portability of the said connection to the Vodafone network during the period of the failure from 20.02.2017 to 03.03.2017”.
In November 2020, ADAE decided to summon COSMOTE for a hearing. On March 19, 2021, OTE, in a written memorandum sent to ADAE, did not substantially contest the facts that ADAE had found.
At the same time, OTE attributed “the incorrect cross-mounting to human error, and any such error can only be detected after a complaint”.
Finally, in its decision No 233/2021, ADAE found unanimously that OTE was liable “for the attributed breach of the applicable legislation on the confidentiality of communications due to the incorrect multiplexing”. According to the decision of ADAE, the incorrect “multiplexing” was caused by an error on the part of the competent technician of OTE who undertook to carry out the transfer.
233/2022 (pdf here)
It is astonishing that in 2023, a telecommunications giant like COSMOTE could put the security of its customers’ conversations and the company’s own reputation at risk because of a human error. For this case, ADAE, by majority, imposed a fine of EUR 20,000 on OTE.
Hackers intercepted the data of 12,013,928 users
225/2022 (pdf here)
The Floras case is not the only one concerning mobile telephone companies. In September 2020, a strange incident took place. Hackers attacked COSMOTE and intercepted the data of millions of users, breaching the company’s security systems. The company itself informed ADAE about the incident by submitting a report. In its report, COSMOTE underlined that after an investigation had been carried out, a “30GB file was found stored on the server. The file contained COSMOTE subscriber communication data for the period 1/9/2020 – 5/9/2020”.
It had also found “30GB of internet data traffic between the server and an external IP, which belongs to a Lithuanian Hosting Provider”, the company claimed. In its decision number 227/2020, ADAE decided to investigate the incident.
Indeed, in November 2021, an ADAE audit team completed the audit and drafted a report. Its results were chilling: hackers had carried out an attack on COSMOTE and had managed to obtain the personal data of millions of users.
Specifically, according to the report of ADAE, the hackers obtained “the traffic data and base station coordinates for 4,792,869 unique COSMOTE subscribers”, “the MSISDN/CLI of 6,939,656 users of other domestic fixed & mobile telephone providers who called or were called by COSMOTE subscribers” and “the MSISDN, IMEI, IMSI and base station coordinates for 281,403 roaming subscribers who made calls via COSMOTE’s mobile network”.
The access codes in social media
The most impressive, however, is the way the hackers managed to break COSMOTE’s confidentiality. According to the audit report, “…the attacker gained administrative access to the servers of the infrastructure…, using the credentials of an administrator whose password was found in lists maintained by hackers with leaked passwords databases from social media (LinkedIn, Facebook, etc.) and other services…”.
In other words, as ADAE auditors state in their report, “a database maintained by hackers contained data identifying the company and the access account (username and password) of a COSMOTE employee, who had administrator rights in the company’s Information and Communication Systems (ICS)”.
In fact, as the auditors found, “the critical data of the company employee’s access account, which were intended for use in the company’s ICS” may “have been used in personal, non-company applications/services, from which they were leaked”. The ease with which the recklessness of a private company employee can expose millions of users of a telecommunications giant is staggering.
In the end, in its decision No 225/2022, ADAE found COSMOTE responsible for “the leak of company and account identifiers (username and password)” and imposed a fine of €200,000. Furthermore, the Independent Authority for Public Revenue (IAPR) found “deviations at the time of the incident under review, in the implementation of COSMOTE’s Security Policy for the Safeguarding of Communications Privacy” and imposed a fine of EUR 3 million.
These were not the only fines in this case. A fine of EUR 6 million to COSMOTE and EUR 3.25 million to OTE was also imposed by the Personal Data Protection Authority.
They provided 756,700 routers with common passwords
316/2020 (pdf here)
Another case where the confidentiality of communications has been compromised is that of the hundreds of thousands of routers that OTE supplied to its subscribers, but… with common passwords. In May 2015, a private company filed a particularly significant complaint before ADAE. According to this complaint, the routers that were made available by OTE at that time to users contained, in addition to the passwords for their management, two other passwords common to all devices. These passwords were kept in “unencrypted form, enabling a third party with knowledge of them to gain remote access to the device”.
These routers were made available to approximately 756,700 subscribers. OTE claimed that it carried out a technical check and that there was no “risk to the confidentiality of communications” and “no possibility of remote interference through these devices”. However, ADAE disputed OTE’s claims, according to decision 326/2020, as around 3,800 users had deactivated the security wall, i.e. the mini firewall, and had opened the WAN.
For a third party who knew the additional access account identified, these users were in fact “vulnerable and therefore the confidentiality of their communications was at risk”. According to the 21/09/2015 on-site audit report of the ADAE team, “knowledge of the public IP address combined with the disabling of security mechanisms and knowledge of the password allowed remote access to these third-party routers using an additional access account”.
“…It follows from the above that the common passwords on the CPE terminals allowed remote access to a third party even if the third party did not know the personal management code of each CPE…”, the decision states.
ADAE summoned OTE for a hearing, and in 2015 and 2016 five on-site inspections were carried out at subscribers who had purchased the routers in question, as well as an audit at OTE. According to the audit report, OTE “did not implement the appropriate policies and individual procedures when making the ZTE H108N type CPE terminal device available to subscribers and did not inform ADAE or the subscribers affected by this security incident”. The company was eventually fined EUR 20,000 for breaches of the legislation and in particular for not informing subscribers of the security incident.
No records are kept of who logs into the system
51/2022 (pdf here)
In 2019, another complaint was submitted to ADAE by a mobile phone user for a possible violation of the confidentiality of communications. In order to investigate the incident, ADAE decided to conduct a management audit at COSMOTE’s premises. In May 2019, the audit team completed the management audit and delivered the report to ADAE. According to it, “the logs of access to communication data in the VMS system, as well as the logs of the administrators’ actions in this system, are not kept”, which violates a regulation of ADAE.
Cosmote admitted that this weakness has been recorded as a failure to comply with the regulation since 2013. In fact, the company stated in a letter in February 2020 that “the upgrade of the VMS, which took place in the last quarter of 2014, related to new hardware and software improvements and not to changes in the action logging subsystem, confirming the failure to comply with this regulatory obligation”.
ADAE found “inconsistency by the company regarding the maintenance of logs for this system; in any case, the failure to comply with the obligation to log in the VMS system constitutes a breach of the provisions”. In fact, “the maintenance of access logs and action logs for the system in question allows for control, both on the part of the company and the access authority, of the user communication data stored in the system in question, a control that cannot be carried out in this case”.
The company said that the new platform to be launched in 2021 will have a mechanism for recording access and actions in the communication system. However, in its decision, ADAE identified COSMOTE’s liability for the violation of the regulation on ensuring the confidentiality of electronic communications, ADAE decision No 165/2011.
Complaints against Vodafone and Forthnet
However, a number of complaints have also been lodged against other telecommunications companies. In particular, in March 2018, a complaint was submitted to ADAE against VODAFONE. The complainants complained about “malfunctions in their telephone line”. In particular, they referred to an incident “in which their incoming calls were forwarded to another telephone connection” and another incident “in which they heard other telephone conversations during their conversation”. ADAE instructed an audit team to investigate the incident. Eventually, in February 2020, ADAE imposed a fine of 40,000 euros for violation of the Communications Act.
In November 2018, a complaint was lodged with ADAE by an individual against FORTHNET. ADAE set up an audit team that carried out an on-site audit which was completed on February 19, 2019.
According to the report of the extraordinary audit, the incident occurred after the complainant reported a fault in October 2018. One month later, the fault was repaired by “frequency hopping”. Or so the complainant thought. Shortly after, he found that an “incorrect mapping of the phone number to a different phone number” persisted for 11 days. During the period of the “faulty multiplexing”, as it was called, 37 calls were made, 12 of which went unanswered.
“That is, during the period in which there was the incorrect mapping of the complainant’s telephone number to another line, calls were made from and to his telephone number”, states decision No 139/2021 of ADAE, which called the company for a hearing.
Floras’ case and criminal prosecution
George Floras’ complaint extended beyond ADAE. After a second conviction by ADAE, this time against VODAFONE for violation of the confidentiality of communications, Mr. Floras appealed to the judiciary. Specifically, in 2021 he filed a lawsuit against the legal representatives of the two companies. The lawsuits concerned the offense of breach of communications security. Subsequently, the Athens Prosecutor’s Office of First Instance brought criminal charges against their representatives, and they were subsequently brought to trial. One of them is set for December 2023 after continuous postponements. The case was also referred to the civil justice system. Mr. Floras filed two lawsuits against VODAFONE and COSMOTE. To date, a first-instance decision has been issued for one of them, which vindicates him, as he claims in a letter he sent to the prosecutor of the Supreme Court, Georgia Adilini in the summer. The second action has been postponed pending the decision of the Athens Administrative Court of Appeal to which the company has appealed.
One remarkable aspect of the handling of the mobile phone companies is that for decades ADAE did not make public the details of the companies it fined for breaches of communications privacy legislation, nor did it forward its decisions to the judiciary. In the summer of 2022, Mr. Floras discovered the practices followed by ADAE and filed three complaints with the Athens Prosecutor’s Office. With these, he informed the Athens Prosecutor’s Office of First Instance about a series of ADAE decisions against mobile telephone companies that had not been referred to justice. Two of the three complaints were related, and the Prosecutor’s Office issued order No 960/2023.
Under that order, it archived all cases concerning decisions of the Hellenic Public Prosecutor’s Office that had become time-barred. These were decisions where ADAE had identified infringements of the legislation on the part of the communication companies, but as far as the criminal part of the cases was concerned, five years had elapsed since the offense was committed, so they were time-barred.
In addition to the order archiving those cases, a total of about 15 cases were opened. For some of them, criminal charges have already been brought against representatives of COSMOTE and FORTHNET for the offense of breach of confidentiality of communications. One of them was due to be heard on Monday, September 11 at the Court of First Instance of Athens. However, the case was postponed at the request of the defendant’s counsel, who cited health reasons.
Acquittal of the defendant, with no one supporting the charge
Earlier, in July 2023, another case was heard at the Athens Criminal Court. The defendant was acquitted on the grounds that no malice (intent) was established. The trial, however, had a notable feature: neither the plaintiff, i.e., George Floras, nor the individual who had made the complaint to ADAE, nor ADAE, which issued the decision, attended as a witness in support of the accusation.
Previously, Mr. Floras had submitted a request to the public prosecutor to be called as a witness at the trial, so that he could be included in the case file and examined by the court. However, the court refused Floras’ request.
A few days later, Mr. Floras sent a letter to the Prosecutor of the Supreme Court, Georgia Adilini, published by Data Journalists, in which he set out in detail what he had found out about the mobile phone companies and the decisions of ADAE. He also described what had happened in the July trial and the risk that the companies’ representatives would be acquitted in the other trials that have been scheduled.
Letter to the Prosecutor of the Supreme Court (pdf here)
“If this practice continues in all other cases, the acquittal of the defendants is a given. And I will not argue by default that it is unfair to acquit them. But I will argue that for such a serious offense, based on the decision of an independent authority, the prosecution cannot leave the accused alone to stand trial without anyone in court to support the charge. Either the sufferer, or ADAE, or a complainant like me who obviously did not wake up one morning and say let me go and file a complaint with the prosecution,” Floras said among other things in his letter, stressing that he is at the disposal of the prosecution to provide any evidence.
The Prosecutor of the Supreme Court granted Floras’ request. A few days ago, according to Data Journalists, Mr. Floras received a subpoena to be examined as a witness in the trial of September 11, which was postponed. It appears that the trials are now taking a new turn.
Fines of 7.2 million euros, profits of billions of euros
Another issue that Mr. Floras raises in his letter has to do with the level of fines imposed by ADAE and the profits of mobile telephone companies. If you add up the fines imposed by the Independent Authority for breach of privacy of communications, you will find that they amount to several million euros. In particular, from 2017 to 2022, ADAE imposed fines totaling €7.2 million on mobile companies. These are hundreds of cases and complaints that were dealt with by ADAE. At the same time, the companies’ profits for the same period amount to tens of billions of euros and in particular to about 13 billion euros for OTE and VODAFONE alone.
“Considering that taking security measures for the absolute protection of the confidentiality of communications costs a lot of money, one can easily see that the fines imposed by the ADAE are not at all deterrent for telephone companies, since it may cost them less to not implement the security measures they need and pay very low fines,” Mr. Floras complains in his letter to the Prosecutor of the Supreme Court.