Telefónica confirms internal ticketing system breach after data leak
Spanish telecommunications company Telefónica confirms its internal ticketing system was breached after stolen data was leaked on a hacking forum.
Telefónica is a Spanish multinational telecommunications company operating in twelve countries with over 104,000 employees. The company is the largest telecommunications firm in Spain, operating under the name Movistar.
In an email to BleepingComputer today, Telefónica confirmed that its ticketing system was breached and said it is investigating the incident.
"We have become aware of an unauthorized access to an internal ticketing system which we use at Telefónica," Telefónica told BleepingComputer.
"We are currently investigating the extent of the incident and have taken the necessary steps to block any unauthorized access to the system."
This confirmation comes after a Telefónica Jira database was leaked on a hacking forum, with the breach claimed by four people using the aliases DNA, Grep, Pryx, and Rey.

One of the attackers, Pryx, told BleepingComputer that the "internal ticketing system" is an internal Jira development and ticketing server, used by the company to report and resolve internal issues.
BleepingComputer was told that the system was breached yesterday using compromised employee credentials, with Telefónica blocking their access today after performing password resets on impacted accounts.
Using the compromised employee accounts, the threat actors say they were able to scrape approximately 2.3 GB of documents, tickets, and various data. While some of this data was labeled as customers, BleepingComputer was told the tickets were opened with @telefonica.com email addresses, so they may have been tickets opened on behalf of customers.
Pryx says they did not contact the company or attempt to extort them before leaking the data online.
Three people behind this attack, Grep, Pryx, and Rey, are also members of a recently launched ransomware operation known as Hellcat Ransomware.
Hellcat is responsible for a recent breach of Schneider Electric, where 40GB of data was stolen from the company's JIRA server.
source: BleepingComputer