
Vodafone Group Plc Cyber Security Factsheet 2023

Events

Cyber incidents

As a global connectivity provider, we are subject to a range of cyber threats. We use our layers of controls to identify, block and mitigate threats and reduce any business or customer impact. Where a security incident occurs, we have a consistent incident management framework and an experienced team to manage our response. The focus of our incident responders is always fast risk mitigation and customer security.

In the event of a cyber breach, disclosure is made in line with local regulations and laws, and based on a risk assessment considering customers, law enforcement and relevant authorities. The European Union’s GDPR provides a framework for notifying customers in the event of a loss of customer data because of a data breach, and this framework is a baseline across all our markets. Vodafone holds cyber liability and professional indemnity insurance policies. These policies may cover the costs of an information security breach, in whole or in part.

Vodafone classifies security incidents on a scale (S0-S4) according to severity, measured by business and customer impact. We attribute root causes to incidents and use the information to improve our control effectiveness. The highest severity category (S0) corresponds to a significant data breach or loss of service caused by the incident. There have been no cyber incidents classified at this level in the past financial year; however, there were two such incidents in the previous two years: Vodafone Portugal in February 2022 and Ho. Mobile in December 2020. A summary of these incidents and our response is included separately on this page. Even with an increased threat landscape, we have seen a gradual decline in the number of more severe incidents.

We also track incidents at our suppliers and third parties. The frequency of such incidents is increasing. We contractually require our suppliers to report incidents and we manage these incidents as if they were internal. As an example, one such supplier incident was reported to the Luxembourg regulator in September 2021 because of its potential scope to impact the entire telecommunications industry. The supplier in question manages the netting of roaming charges between operators. Based on the investigation carried out by Vodafone and the supplier, there was a minor direct impact on Vodafone.

Read more about how we manage risks from technology disruptions in our SASB disclosure: investors.vodafone.com/sasb

Previous cyber incidents

Vodafone Portugal (February 2022)

In February 2022, Vodafone Portugal experienced a network outage caused by a deliberate cyber attack that was intended to cause disruption. No malware or malicious software was installed, and the attack method would be described as a ‘living off the land’ attack because it did not use any specialist tools. The attack relied on sophisticated social engineering and a deep understanding of IT systems and networks. Investigations revealed that no customer data was accessed or compromised. No other Vodafone markets experienced any disruption from this incident.

The outage affected the data network in Portugal. The impact was loss of some voice and data services, some TV services and enterprise and business applications across the country, as well as international connections. Home broadband and linear TV were unaffected by the attack.

On detecting the incident, we utilised our global incident management framework and immediately took action to identify and contain further risk and to restore services quickly. Mobile data services and interconnections with other operators were resumed within eight hours of the attack, with other services being recovered during the next 48 hours. The Vodafone Portugal CEO immediately and proactively communicated with customers, and the team used widespread online, social media and press information and articles to keep customers aware of our recovery progress. Our cyber security team worked with local law enforcement and security agencies during the investigation.

During the incident, 4.7 million mobile and one million fixed line customers were impacted, with some customers having both services. While the network outage was significant, it was only classified as a severe network incident for 48 hours. The direct costs of the incident were estimated in the range of €5 million and were financially immaterial in the context of Vodafone Portugal’s operations and the wider Vodafone Group.

Ho. Mobile (December 2020)

In December 2020, ho. Mobile, a second brand in Italy, suffered a data breach in which part of a database holding customer data was accessed by a third party; no financial information, passwords, or mobile traffic data relating to calls, texts or web activity was involved. We utilised our existing global incident management framework. Ho. Mobile took a proactive approach and immediately informed affected customers and regulators, enhanced security protections, remotely reissued SIM serial numbers to prevent any misuse, and offered free replacement SIMs to the entire customer base of 2.5 million.

The data breach did not result in any disruption to our connectivity services and the remediation costs were not material to the Group. Ho. Mobile also notified local law enforcement and made the required disclosures to the Italian Data Protection Authority. At the time of the incident, Ho. Mobile used distinct and separate IT systems from Vodafone Italy and the rest of the Vodafone Group. It has since been integrated into Vodafone Italy infrastructure and processes.