Incident at Vodafone: Cyber gang Lapsus$ steals source codes
The criminal gang Lapsus$ managed to steal data such as software source codes from Vodafone. They have now appeared online.
(Image: Filmbildfabrik/Shutterstock.com)
The telecommunications company Vodafone has fallen victim to cybercriminals. The online criminal organization Lapsus$ has infiltrated IT systems and exfiltrated software source codes, among other things. After apparently unsuccessful extortion attempts, the data has now been leaked online.
The darknet website of Lapsus$ features a new post announcing the data theft from Vodafone. It is dated last Thursday and is said to include documents on "Full Infrastructure, Source Code, GitHub Tree & Internal Network Maps". According to the information there, the archive "VODA_FULL_DUMP.tar.xz" contains 180 GByte of data. The archive is also linked and can be downloaded from the darknet leak site of the Lapsus$ gang, among others.
Vodafone confirms data leak
In response to an inquiry from heise online, Vodafone confirms the involuntary data outflow. "Vodafone can confirm that in March 2026 a criminal organization gained unauthorized access to a very limited number of software source code files. The copied files were published on May 10th," the company explains. Vodafone's security experts recognized and contained the incident immediately in March 2026. The telecommunications provider emphasizes that no sensitive customer information was copied.
Furthermore, there was no access to internal systems. Consequently, there were no impairments to internal infrastructure, networks, or production systems.
Videos by heise
It remains unclear how the attack occurred and which systems were compromised. The amount of the ransom demand is also unknown. This is not the first IT incident involving Vodafone. In mid-2023, cybercriminals copied sensitive data from a sales partner. Last year, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) Louisa Specht-Riemenschneider imposed two fines on Vodafone amounting to 15 and 30 million euros respectively. This concerned, among other things, customer data that sales partners had unlawfully used for customer acquisition on behalf of Vodafone.
(dmk)
