Telefónica Internal Systems Data Breach: Hacker Leak Exposes Sensitive Data and Network Vulnerabilities
Rescana – Jul 6 (updated Jul 7)
Telefónica Data-Security Incident – Corrected Advisory Report
(Updated 7 July 2025)
Executive Summary
A series of intrusions against Telefónica unfolded over the first half of 2025.
9–13 Jan 2025 – An internal Jira ticketing server was breached and 2.3 GB of data were leaked by a group of four attackers linked to the emerging Hellcat ransomware collective. Telefónica confirmed this incident and began password resets and containment.
30 May 2025 – In a second compromise, disclosed only in July, the hacker “Rey” claimed 12 hours of unrestricted access to another Jira server and the exfiltration of 106 GB of data.
3 Jun 2025 – Reuters reported that Telefónica was investigating a potential cyberattack after a threat actor calling itself “Dedale” released a sample of one million customer records from the company’s former Peruvian business.
4 Jul 2025 – Rey published a 5 GB teaser archive and threatened to leak the full dataset unless Telefónica engaged; the company had still not publicly confirmed the breach.
Taken together, these events show a sustained campaign that exploited misconfigured Jira services and stolen credentials. The exposed material includes customer databases, internal communications, network diagrams and other sensitive documents, creating significant regulatory, operational and reputational risk for the telecoms sector.
Technical Information
Initial access
Both the January and May intrusions point to publicly exposed or poorly isolated Jira servers. The attackers exploited misconfiguration (MITRE ATT&CK T1190 – Exploit Public-Facing Application) to obtain a foothold, then used stolen or brute-forced credentials (T1078 – Valid Accounts) to escalate privileges.
Lateral movement and privilege escalation
Once inside, the threat actors traversed internal networks, harvesting credentials and pulling ticket attachments, source-code snippets and email archives. The breadth of the stolen material implies privilege escalation through valid accounts combined with further exploitation of internal applications.
Exfiltration
Reconstructions of the May incident indicate sustained transfers over covert channels consistent with T1041 – Exfiltration Over C2 Channel. Rey states that 106 GB were siphoned in roughly 12 hours before access was revoked, which works out to about 2.5 MB/s sustained for the whole window. BleepingComputer’s review of the 5 GB teaser confirms invoices, employee addresses and operational logs across multiple countries.
No known commodity malware has been tied to the case; the tooling appears custom or script-based, a hallmark of Hellcat operations. Absent forensic artifacts from Telefónica, confidence in the exact exploit chain remains moderate.
Timeline
| Date | Event |
| --- | --- |
| 9–13 Jan 2025 | First Jira breach – 2.3 GB dump posted |
| 30 May 2025 | Second Jira breach – 106 GB allegedly exfiltrated |
| 3 Jun 2025 | Telefónica says it is investigating after Peru data sample (1 M rows) published |
| 4 Jul 2025 | 5 GB teaser leaked, public ransom threat issued |
| 7 Jul 2025 | Telefónica still silent; regulators monitoring |
Impacted assets include externally facing Jira servers (version information undisclosed) and connected internal databases containing customer, employee and infrastructure records.
Threat Activity
Hellcat affiliates focus on Jira misconfiguration, combining credential theft and rapid data harvesting. The January breach demonstrated opportunistic leaking with no extortion attempt, whereas the May-July phase shows a shift to public blackmail via staged data releases. The stolen material’s depth suggests motivations that extend beyond one-off financial gain – possibly competitive intelligence or reputational damage.
Mitigation & Workarounds
Harden public-facing applications – Restrict Jira exposure with VPN or zero-trust access, disable legacy authentication methods, remove anonymous browse rights and audit permission schemes.
Patch management – Apply vendor updates promptly, especially to collaboration and ticketing platforms.
Credential hygiene – Enforce strong, unique passwords, rotate credentials after any info-stealer infection and deploy enterprise-wide multi-factor authentication.
Network segmentation – Separate development, ticketing and production zones; apply strict egress controls to limit bulk data movement.
Continuous monitoring – Deploy SIEM rules for anomalous Jira access patterns, high-volume downloads and off-hours data transfers.
Incident response readiness – Update playbooks to include staged leak extortion scenarios and rehearse communications under regulatory timelines.
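As an added illustration of the continuous-monitoring recommendation above (example code written for this advisory, not Rescana's or Telefónica's tooling), the following Python script scans constructed Jira access-log lines for two of the patterns named: high-volume attachment downloads by a single account within a short window, and large transfers outside business hours. The log format, account names, file sizes and thresholds are all assumptions. For scale, the 106 GB in roughly 12 hours described under Exfiltration is about 2.5 MB/s sustained; the per-account ceiling used here (200 MiB per 10 minutes, about 0.35 MB/s) sits well below that.

```python
"""Detection logic for bulk and off-hours Jira attachment downloads.

Added example, not code from the original advisory. The log format,
accounts, sizes and thresholds below are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed (constructed) access-log format:
#   <ISO-8601 timestamp> <account> <method> <path> <HTTP status> <response bytes>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Illustrative thresholds; derive real ones from your own baseline.
WINDOW = timedelta(minutes=10)
BULK_BYTES = 200 * 1024 * 1024        # >200 MiB of attachments per account per window
BUSINESS_HOURS = range(7, 20)         # 07:00-19:59 local; anything else is "off hours"
OFF_HOURS_BYTES = 50 * 1024 * 1024    # a single off-hours response of >=50 MiB


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "path": m["path"],
        "status": int(m["status"]),
        "bytes": int(m["bytes"]),
    }


def is_attachment(path):
    """Jira serves issue attachments under /secure/attachment/<id>/<filename>."""
    return path.startswith("/secure/attachment/")


def detect(lines):
    """Return sorted (rule, account, detail) tuples, one alert per rule per account."""
    events = [e for e in map(parse_line, lines)
              if e and e["status"] == 200 and is_attachment(e["path"])]
    events.sort(key=lambda e: e["ts"])
    windows = defaultdict(deque)      # account -> successful downloads inside WINDOW
    alerts = {}
    for e in events:
        q = windows[e["user"]]
        q.append(e)
        while e["ts"] - q[0]["ts"] > WINDOW:   # slide the window forward
            q.popleft()
        total = sum(x["bytes"] for x in q)
        if total > BULK_BYTES:
            alerts.setdefault(("bulk_download", e["user"]),
                              f"{total} bytes in the {WINDOW} ending {e['ts'].isoformat()}")
        if e["ts"].hour not in BUSINESS_HOURS and e["bytes"] >= OFF_HOURS_BYTES:
            alerts.setdefault(("off_hours_transfer", e["user"]),
                              f"{e['bytes']} bytes at {e['ts'].isoformat()}")
    return sorted((rule, user, detail) for (rule, user), detail in alerts.items())


# Constructed sample log: one analyst working normally, one service account
# pulling large attachments at 02:00. Names and sizes are invented.
SAMPLE_LOG = [
    "2025-05-30T09:15:00 alice GET /secure/attachment/10001/spec.pdf 200 524288",
    "2025-05-30T09:16:30 alice GET /rest/api/2/issue/NET-42 200 2048",
    "2025-05-30T02:00:00 svc-jira GET /secure/attachment/10002/core-diagram.vsdx 200 83886080",
    "2025-05-30T02:02:00 svc-jira GET /secure/attachment/10003/billing-export.csv 200 104857600",
    "2025-05-30T02:04:00 svc-jira GET /secure/attachment/10004/mailbox.pst 200 52428800",
    "2025-05-30T02:05:00 svc-jira GET /secure/attachment/10005/archive.zip 404 0",
]

if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG):
        print(f"{rule:20} {user:10} {detail}")
```

Only successful (HTTP 200) attachment responses count toward the window, so failed or denied requests do not inflate the total, and each rule fires once per account with the first offending event recorded so a long exfiltration does not flood the queue with duplicate alerts. In production the same two rules map directly onto a SIEM query over the reverse proxy or Jira access logs, with the thresholds tuned to the observed baseline per role.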
References
Reuters – “Telefónica investigates potential cyberattack after release of data from Peru.” 3 Jun 2025.
CyberSecurityNews – “Telefónica Hacked: Attackers Allegedly Steal 2.3 GB of Internal Data.” 13 Jan 2025.
SentryBay – “Sensitive Data Leak on Hacking Forum Is from Telefónica System Breach.” 13 Jan 2025.
BleepingComputer – “Hacker leaks Telefónica data allegedly stolen in a new breach.” 4 Jul 2025.
Undercode News – “Telefónica Hit Again? Hacker Claims 106 GB Data Breach as Company Stays Silent.” 4 Jul 2025.
About Rescana
Rescana provides a comprehensive Third-Party Risk Management (TPRM) platform that helps organizations monitor vendor security, assess vulnerabilities and automate remediation workflows. Our analysts combine open-source intelligence with deep technical expertise to deliver actionable guidance, as demonstrated in this advisory. Contact us at ops@rescana.com for further information.