Massive Breach of Personal Data Raises Controversy in Iran
(Picture: Iran's Minister of Communication and Information Mahmoud Vaezi after a cabinet session. Source: Hassan Mousavi/Fars)
On Saturday, Iranian media reported of a major security breach in Irancell, one of Iran's second most popular mobile phone operators. News had it that personal data of 20 million Irancell subscribers had been stolen and made accessible to public through a robot on the popular messenger app Telegram.
Soon it was revealed that the security compromise had actually taken place months earlier. According to Zoomit, an Iranian tech website, the data had been stolen two years earlier and put for sale by hackers, yet it had recently become accessible for free. Iran's cyberspace police, FATA, had frequently warned websites to remove the data, Zoomit reported. The data had been delivered through Windows, Android, and even Microsoft Access platforms. However, it turned into a major controversy only in the beginning of the Iranian week on Saturday, when it was revealed that "mtnprobot" running in Telegram allows free access to Irancell user data.
The robot was reported and blocked in a couple of hours according to Mohammad-Reza Farnaghizad, head of the public relations office in the Ministry of Communication and Information Technology. Farnaghizad tried to underestimate the gravity of the situation in his interview with Fars, assuring that those behind the hacking attempt would be pursued by FATA and other responsible organizations (later on Sunday evening, media reported that the main culprit had been arrested).
Tabnak, affiliated with former IRGC commander Mohsen Rezaei, strongly slammed Irancell for its unaccountability. The website questioned why the operator had kept silent during years since the initial security breach, adding that the Access file which included 40 million records of users' personal data, including their postal address and national ID number, was sold for a price of 1 million Tomans (slightly above the current official minimum wage). Tabnak called the remarks by Ministry's PR head Farnaghizad "a joke", expressing sorrow that data security is underrated. "Had this happened anywhere else around the world, it would turn into the top headline of news agencies and mainstream media, and officials would be questions and tried" the website said.
Telecom minister Mahmoud Vaezi placed the blame on an unknown "security organization" with access to the database, claiming that the data were sold by a member of the organization two and a half years ago. The organization persecuted the member immediately, Vaezi, who had attended a parliamentary session, said on Sunday.
Hamrah-e Avval, Irancell's rival, was quick to take advantage of the situation, sending messages to its subscribers to assure them that the security breach has not targeted its databases. "Safeguarding personal data of our users has been a key vision of Hamrah-e Avval during its 22 years of service and its continues to be so in all earnestness. We assure you that exposure of personal data and privacy breach of twenty million users is not related to subscribers of this operator" the message read, ending with a sarcastic punchline "Hamrah-e Avval, your trusted companion."
This is not the first time security loopholes in Iranian telecom infrastructure has created problems. Several governmental websites, including those of critical offices such as the Oil Ministry and Statistical Center of Iran have suffered attacks by hackers, both domestic and foreign. In the meantime, there are serious concerns that operators may also have exercised extensive access to user's mobile content through SIM toolkits.
Irancell has so far refused to provide any explanation about the data breach, postponing response until further consultation with cyberspace police, FATA. The latest update on the operator's Twitter account goes back to June 30, a retweet on introduction of Android Nougat. For the moment, however, its subscribers may not care that Android's latest version has taken its nickname from a sweet confection quite popular in Iran.