The German arm of Vodafone has admitted that it has been the victim of a hacking attack that has resulted in the theft of personal data relating to two million of its subscribers. The operator said it had been subject to a “highly sophisticated and illegal intrusion” into one of its servers in Germany.

The hackers have gained access to the names, addresses, birth date, gender, bank sort code and bank account numbers of the customers affected. The operator said it suspects the criminal attack was executed by somebody working within Vodafone. An individual has been identified by the police and their assets have been seized.

The firm said it has contacted all individuals affected and is providing all support necessary to minimise the risk of identity theft. It stressed that the incident only affects those individuals who have been contacted by Vodafone Germany.

“We have instructed independent security experts to advise on the potential implications for the individuals affected so we can offer them advice and take the best action to help them,” the firm said in a statement. “In the absence of passwords, PINs or credit card details it is very unlikely that criminals would gain direct access to an individual’s bank account. However, there is a heightened risk that the criminals may request a fake direct debit application which would be immediately visible to the account holder and which could be immediately blocked or reversed under well-established banking protection measures.”

The operator also warned of a heightened risk that customers could be the victim of a ‘phishing’ attack if criminals use personal information in a fake email to trick people into supplying further information online such as passwords or credit card numbers.

“We recommend that customers remain vigilant when asked for their personal information from an unknown party, be wary of any emails, calls or texts which warn of account problems, and ensure they regularly check for unauthorised direct debits from their bank account,” the firm added. “We have also made arrangements for individuals to use an independent fraud protection service at no cost to them.”

“We are sending our sincere apologies to everyone affected for any disruption caused.”

David Harley, senior research fellow for security firm Eset, said that it is unlikely that enough data has been accessed for a direct attack on customers en masse, but warned that the customers involved may well be targeted by phishing attacks.

“In general, the weakness of generic phishing is that the attacker doesn’t have information specific to potential victims, so mails out emails addressed non-specifically to ‘Dear Valued Customer’ or something similar,” he said.

“If a victim reads an email with his actual name and minimal account details, even a phish-savvy customer may be more inclined to trust it. However, they can reduce the risk by being sceptical about all emails asking for sensitive information and revalidation of account information and assume that any links are likely to be malicious.”