Bharti Airtel Limited (aka Airtel), one of the major mobile carriers in India, has confirmed a data breach that could have exposed personal data of over 325 million of its subscribers.
The telecom company fixed the security flaw associated with its mobile application after it was notified by the BBC.
Ehraz Ahmed, a Bengaluru-based independent cyber-security researcher, who first found the vulnerability in one of Airtel’s Application Programming Interface (API), said in his blog that it took him 15 minutes to find the flaw.
According to him, the vulnerability could have been exploited by hackers to fetch sensitive user information of any Airtel subscriber just by using their mobile number.
“It revealed information like First and Last Name, Gender, Email, Date of Birth, Address, Subscription Information, Device Capability information for 4G, 3G & GPRS, Network Information, Activation Date, User Type [Prepaid/Postpaid] And Current IMEI number,” Ahmed wrote in his blog.
“By using the IMEI number, one could find the information of the user’s mobile device,” he said.
International Mobile Equipment Identity (IMEI) number is a unique numerical identifier for every mobile device.
“Every user that is on India’s Airtel network was at risk of getting his information leaked through this vulnerability, and risking over 325.5 million subscribers in India,” Ahmed wrote.
He also created a proof of concept video (see below) and published a case study to validate his claim.
When contacted, an Airtel spokesperson said that the flaw was fixed as soon as they were notified.
“There was a technical issue in one of our testing APIs, which was addressed as soon as it was brought to our notice. Airtel’s digital platforms are highly secure. Customer privacy is of paramount importance to us and we deploy the best of solutions to ensure the security of our digital platforms,” an Airtel spokesperson confirmed to the BBC.
Currently, Airtel has the third-largest subscriber base in India after Vodafone-Idea and Reliance-Jio.