On 29 June 2026, a threat actor identified as PescobarLegado listed a 1GB data package for sale at $400 on a specialised dark web forum. The lot does not come from Vodafone's central systems but from Be Call BPO, the outsourced company that manages the group's telephone acquisition services for the Vodafone and Lowi brands. Vodafone confirmed to specialist media that it is investigating the matter. What makes this incident especially serious is not just the volume of exposed records, nearly one million according to the tracking sheet published by the attacker, but the nature of the information: internal documentation, operational workflows and access instructions for the critical tools that call centre agents use daily to configure rate plans, finance devices and contract services on behalf of the operator. The incident comes just days after two other breaches in the Spanish telecommunications sector: the Lemmon MVNO breach and the publication of over 50,000 Netllar records.

What do we know about the Vodafone and Lowi leak via Be Call BPO?

Facts documented by Roams and BandaAncha:

  • Source: Be Call BPO, the Business Process Outsourcing company operating as a direct Vodafone collaborator for telesales acquisition of new Vodafone and Lowi customers.
  • Volume: nearly one million records, specifically 956,874 according to the tracking sheet included in the attacker's listing.
  • Sale price: $400 for the complete 1GB package, a low price suggesting the attacker prioritises a quick sale over profit maximisation.
  • Authenticity proof published: 13 PDF files detailing the front-office and back-office tool ecosystem used by Be Call BPO agents. Documented systems include Smart and RetailX, the platforms used to configure commercial packages and issue work orders to Vodafone's central systems.
  • Exposed tools and panels: the Lowi Televenta BackOffice panel, the Offer Configurator integrated with RetailX for packaging consumer and micro-business rates, the Device Purchases module for handset financing, and the Vodafone TV and DAZN contracting sections.
  • The most critical element: the attacker claims to have access instructions for the OneWay client application, remote desktop configurations and so-called OCM codes, which internally identify campaigns and sales channels. Unless Vodafone invalidates those credentials, the buyer of the package could retain real operational access to the systems.
  • Customer personal data: none of the published samples contain customer personal data, though the full database being sold could include it according to the listing itself.
  • Data age: the attacker's listing mentions May 2026 dates, indicating recent information.
  • Vodafone's response: the operator confirmed to specialist media that it is investigating the matter, without offering further public detail at the time of writing.

Why third-party risk is the recurring pattern in the Spanish telecommunications sector

This is not the first time Vodafone's collaborator chain has been compromised. In November 2023, unauthorised access to a distributor exposed customers' personal and banking data, including DNI, phone number, email, contracted line number and, except for prepaid customers, bank account number. Following that incident, INCIBE and the Guardia Civil issued alerts targeted at affected individuals. The pattern repeats almost identically: in both cases, the origin is not Vodafone's central systems but those of a third party with privileged access to its tools. Four factors explain why this pattern is so persistent in the sector:

  1. Commercial outsourcing multiplies entry points. When an operator outsources telephone acquisition to an external BPO, that provider needs real operational access to rate configuration, financing and contracting tools. Each external collaborator with that level of access is an additional attack surface the operator does not directly control.
  2. Internal documentation is more valuable long-term than customer data. A customer database has immediate but declining exploitation value over time. Operational documentation, workflows and system access instructions have persistent value: they enable far more precise and credible social engineering attacks, because the attacker knows exactly how the company's real contracting process works.
  3. Credentials may remain active after the leak. Unlike a stolen customer database, which is static, access credentials to operational systems represent an ongoing risk until explicitly revoked. The package buyer could have functional access to Vodafone's tools until the operator identifies and neutralises each exposed credential.
  4. The pattern repeats across the entire Spanish telecommunications sector. In recent weeks, besides this incident, breaches have been made public at the MVNO Lemmon (24,000 records with ICCID and PUK) and Netllar (over 50,000 records). The common denominator is dependence on third parties and providers in telco operational chains.

How this type of leak translates into real risk for customers and businesses

The absence of customer personal data in published samples does not mean the risk is low. The leaked internal documentation enables several subsequent attack vectors:

  • Highly credible fake sales calls. An attacker with real knowledge of how Vodafone and Lowi's internal contracting works can pose as a legitimate sales agent with far greater credibility than generic fraud achieves.
  • Impersonation attempts against technical support itself. Knowing internal operational workflows and campaign codes allows an attacker to attempt to pose as a legitimate Be Call BPO agent to other systems or other parties in the chain.
  • Persistent operational access if credentials are not revoked. If Vodafone does not identify and neutralise all exposed credentials, there is a risk that third parties retain functional access to commercial configuration tools.
  • Preparation of targeted attacks against the sales network. Internal documentation can be used to prepare phishing or social engineering campaigns specifically targeting other agents in Vodafone and Lowi's sales network, leveraging detailed knowledge of internal processes.

Key lessons for businesses outsourcing commercial or customer service processes

  • Outsourcing commercial processes cannot mean outsourcing security control too. When an external provider has operational access to product configuration, contracting or financing tools, the responsibility for auditing the security of that access remains with the principal company, not just the provider.
  • Third-party credentials must have defined rotation and revocation cycles. A BPO provider should not maintain indefinite access credentials to critical systems. Establishing periodic rotation policies and immediate revocation protocols upon any suspicion of compromise reduces the exposure window.
  • Internal operational documentation deserves the same protection as customer data. Many organisations concentrate their security efforts on protecting customer databases and neglect protecting operational manuals, workflows and system access instructions, which in the wrong hands are equally or more dangerous.
  • Audit third-party access with the same rigour as internal access. Any external provider with access to commercial configuration, financing or contracting systems should be subject to the same MFA, monitoring and periodic permission review policies as internal employees.
  • Prepare customer service teams for the risk of informed impersonation. When internal documentation leaks, subsequent social engineering attacks are harder to detect because the attacker knows the company's real language and processes. Training teams to verify identity beyond apparent operational knowledge is a necessary mitigation measure.
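
The rotation, MFA, review and revocation lessons above can be checked mechanically against an inventory of third-party credentials. The following is an added example, not part of the original article: the 90-day and 180-day thresholds, the vendor and system names and every record in the inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy values; the article names the controls but sets no figures.
MAX_CREDENTIAL_AGE = timedelta(days=90)
MAX_REVIEW_AGE = timedelta(days=180)

@dataclass
class Credential:
    cred_id: str
    vendor: str                  # external provider holding the credential
    system: str                  # tool the credential unlocks
    issued: date                 # date of issue or of the last rotation
    mfa: bool
    last_review: Optional[date]  # last permission review, None if never done
    revoked: bool = False

def audit(inventory, today):
    """Return {cred_id: [findings]} for active credentials that break policy."""
    report = {}
    for c in inventory:
        if c.revoked:
            continue
        findings = []
        overdue = today - c.issued - MAX_CREDENTIAL_AGE
        if overdue > timedelta(0):
            findings.append(f"rotation overdue by {overdue.days} days")
        if not c.mfa:
            findings.append("no MFA")
        if c.last_review is None:
            findings.append("never reviewed")
        elif today - c.last_review > MAX_REVIEW_AGE:
            findings.append("permission review overdue")
        if findings:
            report[c.cred_id] = findings
    return report

def revocation_plan(inventory, vendor):
    """Every still-active credential held by a provider suspected of compromise."""
    return sorted(c.cred_id for c in inventory if c.vendor == vendor and not c.revoked)

# Constructed inventory: vendors, systems and dates are invented for illustration.
INVENTORY = [
    Credential("c-001", "bpo-alpha", "offer-configurator", date(2026, 1, 10), True, date(2026, 2, 1)),
    Credential("c-002", "bpo-alpha", "remote-desktop", date(2025, 6, 1), False, None),
    Credential("c-003", "bpo-beta", "backoffice-panel", date(2026, 6, 1), True, date(2026, 6, 1)),
    Credential("c-004", "bpo-alpha", "backoffice-panel", date(2025, 3, 1), True, date(2025, 3, 1), revoked=True),
]
```

With an audit date of 1 July 2026, `audit(INVENTORY, date(2026, 7, 1))` flags c-001 and c-002, and `revocation_plan(INVENTORY, "bpo-alpha")` returns both as the credentials to revoke if that provider is suspected of compromise.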

Cybersecurity as a strategic priority

The Vodafone and Be Call BPO incident is the third telecommunications sector leak documented in Spain within just a few weeks, following Lemmon and Netllar. The common pattern is not technical but structural: operators' supply chains include multiple external providers with real operational access to critical systems, and that access rarely receives the same level of scrutiny as internal systems. For Spanish businesses outsourcing commercial or customer service processes, today's question is direct: do you know exactly what credentials and access level your external providers hold to your critical systems, and do you have a defined protocol to revoke them immediately if compromise is suspected?

Apolo Cybersecurity: third-party risk management and provider auditing for critical system access

At Apolo Cybersecurity we help organisations manage third-party risk in their operational chain: auditing access granted to BPO providers and external collaborators, designing third-party credential rotation and revocation policies, reviewing the security of internal operational documentation, implementing MFA and monitoring for external provider access, and training customer service teams against informed impersonation attempts.

If your company outsources commercial or customer service processes and you do not have a clear inventory of what credentials and access your external providers hold to your critical systems, now is the time to review it.
