Iran's second-largest mobile operator, Irancell, lost the personal information of 20 million customers in a data leak last week - almost one-fourth of the country's population - in the biggest known data breach in Iran's cyber-history. A few days later, Iran's cyber-police announced that they had arrested a 19-year-old computer student, accused of being responsible for disseminating the data.
The information was leaked via a bot named @MTNProBot on the Telegram messaging app, which is used extensively by Iranians. The bot was designed to receive a mobile number as input and reveal the associated personal information, including full name, landline phone number, national code, city, address, and postal code. The bot was banned and removed within a few hours by the Ministry of Information and Communications Technology of Iran.
Irancell remained silent for a few days and published an unusual press release the day after Dr Mahmoud Vaezi, Minister of Information and Communications Technology of Iran, spoke in the Iranian Parliament about this case. According to Mehr news agency, Dr Vaezi said this case is not new and is related to a similar problem that happened previously. He added that one of the operators shared its customers' database with an organisation almost two and a half years ago. Unfortunately, one employee of that organisation leaked the information and was arrested soon after. Now the same information has been leaked again through a bot on Telegram.
On 4 July, Irancell published a statement saying: “Respecting privacy of our subscribers and confidentiality is a cornerstone principle valued highly here in MTN Irancell. We have never disclosed our subscribers' information, whatever the circumstances be. Unlike some operators, we have even refrained from making available such information to the advertisement companies, overlooking remarkable profits gained otherwise.”
“Thanks to the latest information security standards in place in MTN Irancell, no information system nor any information belonging to MTN Irancell subscribers has been disclosed, stolen, hacked, nor attacked by outsiders.”
Irancell's statement is very much at odds with Dr Vaezi's answer. First, it is unrealistic to assume that Dr Vaezi provided false information to the selected members of Parliament, but one question that remains unanswered is why the disclosure to another organisation happened in the first place.
Secondly, if Irancell's claim in the press release that it has never disclosed customers' data or been hacked is correct, how did the information of 20 million customers get into the hands of illegitimate actors with malicious intentions? The published statement does not include any apology or expression of sympathy for the subscribers.
Even though the leaked information is, to some extent, outdated, a considerable chunk is still relevant and valid, and could be used to target customers of this operator. The lack of transparency among the parties involved means that this window of opportunity remains open for fraudsters.