Croatian phone company 'A1 Hrvatska' has announced a data breach that exposed the personal information of 10% of its users, or approximately 200,000 persons. A1 Hrvatska is a Croatian mobile network operator and a strategic partner of Vodafone. It is part of the Telekom Austria Group. A1 is the first and only operator in Croatia to offer the complete 5-play service, which comprises A1 TV, mobile and fixed telephony, and mobile and fixed Internet.
The notification doesn't go into much depth, other than to say that they had a cybersecurity incident involving unauthorized access to one of their user databases, which contained sensitive personal information. Full names, personal identity numbers, physical addresses, and phone numbers have all been accessed.
"Unfortunately, despite advanced protection measures and the constant raising of the level of security, a security incident occurred related to one of the user databases, which compromised part of the personal data of part A1 of users. We emphasize that information on bank cards and accounts is not compromised because it is not available in the specified database. We will directly inform all users whose personal data is potentially compromised," said the company.
A criminal complaint was also filed with the Zagreb Police Administration right away, and information experts assisted in identifying the culprits of the crime. In addition, the competent institutions HAKOM and AZOP, with which the company works closely, were notified.
A1 Hrvatska is a strategic partner of Vodafone, whose Portugal region was subjected to a very disruptive cyberattack, resulting in the suspension of 4G and 5G data services. Strategic partners occasionally share online infrastructure, but in this case, the link appears implausible, but it cannot be fully ruled out. Because the event does not appear to have impacted A1 Hrvatska's services or operations, it appears to be an instance of unauthorised database access, either through a misconfiguration or stolen credentials.
"A1 Croatia adheres to the highest security standards and data protection, and we will continue to make additional investments in improving the security environment. The recurrence of this security incident is not possible and has not had and will not affect the provision of services to customers," the company said.
