Telekom Serbia, the country's dominant state-owned telecommunications provider, has confirmed a data breach affecting approximately 700,000 customers, roughly 10% of Serbia's total population. The company's CEO Vladimir Lučić publicly acknowledged the incident and stated that the attacker, believed to be located east of Serbia, has been identified using AI-assisted tracking methods. The attacker demanded 3 Bitcoin (approximately €180,000) as ransom. The attacker gained access through a vulnerability in a secondary application connected to core systems, not through the core infrastructure itself.

What Happened

Telekom Serbia CEO Vladimir Lučić disclosed the breach publicly, confirming that an external attacker gained unauthorized access to customer data affecting 700,000 individuals. Lučić stated the company has identified the hacker, described as located "east of Serbia", and claims to possess the attacker's location data and mobile phone number, reportedly obtained through AI-assisted investigative methods.

The attacker exploited a vulnerability in what Lučić described as "secondary applications": peripheral systems connected to core infrastructure rather than the core network itself. This entry point allowed access to customer records without directly penetrating the most hardened layers of Telekom Serbia's systems. Following the exfiltration, the attacker issued a ransom demand of 3 Bitcoin, valued at approximately €180,000 at the time of the incident.

Telekom Serbia has not confirmed whether it paid the ransom. Lučić's public framing, comparing the demand amount to routine corruption in the Balkans, suggests the company views the financial exposure as manageable, though the implications of 700,000 exposed records extend far beyond the ransom figure. Serbian authorities have been notified and an investigation is underway.

What Was Taken

Confirmed compromised data categories are national ID numbers, full names, addresses, and phone numbers.

Account credentials, payment card data, and financial records have not been confirmed as part of the breach. However, the combination of national ID numbers, full names, addresses, and phone numbers constitutes a complete identity profile sufficient for identity theft, SIM swapping attacks, targeted phishing and vishing campaigns, fraudulent account openings, and impersonation in government service contexts.

Why It Matters

700,000 records represents roughly 10% of Serbia's entire population. This is not a breach of a niche platform; it is a breach of national telecommunications infrastructure that has exposed a statistically significant fraction of the country's citizens. The downstream fraud risk is population-scale.

National identification numbers are the most durable and dangerous data element in this breach. Unlike passwords that can be changed or card numbers that can be cancelled, Serbian national ID numbers are permanent identifiers. Paired with a name, address, and phone number, they enable a complete suite of identity fraud that will remain exploitable for years.

The "secondary application" entry point is a systemic architecture warning. Lučić's description of the breach entering through peripheral applications connected to core systems is a pattern seen repeatedly in major telecom breaches. The core network is heavily defended; the CRM system, billing portal, customer self-service application, or third-party integration layer is not. Attackers have learned to target the periphery because it is where the data lives and the defenses are weakest.

The CEO's AI-tracking claim requires scrutiny. Lučić's assertion that Telekom Serbia used AI to identify and locate the attacker, including their mobile number, is either a genuine capability demonstration, a deterrence signal to discourage further action, or an overstatement of investigative progress. Regardless of its accuracy, it signals that Balkan telecommunications operators are investing in offensive-adjacent threat actor identification capabilities, which has geopolitical implications given the region's complex security landscape.

The €180,000 demand is low for a 700,000-record breach. This either indicates the attacker underestimated the data's value, was testing the waters, or prioritized speed over maximum extraction. It is also consistent with a less sophisticated actor, potentially an opportunistic individual rather than a structured RaaS operation, which aligns with the "east of Serbia" characterization and the relatively modest Bitcoin demand.

The Attack Technique

Initial access: exploitation of a vulnerability in a secondary application connected to core systems.

The specific application category, CVE, or technical vector has not been disclosed. "Secondary applications" in telecom environments typically refers to CRM platforms, billing systems, customer self-service portals, third-party integrations, or network management tools that have read or query access to customer databases but are architecturally separated from core network infrastructure.

Common attack vectors against this application tier include: SQL injection against web-facing customer portals, exploitation of unpatched third-party software in the application stack, credential stuffing against administrative interfaces, and API abuse through poorly authenticated integration endpoints.
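The first vector listed above, injection against a web-facing customer portal, is the one most directly fixed in application code. The following is an added illustration, not code from Telekom Serbia or from any disclosed detail of this incident: a constructed in-memory customer table (schema, rows and the `ID-PLACEHOLDER-*` identifier values are all invented) with a lookup written the vulnerable way beside the hardened form that binds parameters and validates the input shape first.

```python
import re
import sqlite3

# Constructed stand-in for a self-service portal's customer store. The table,
# the rows and the identifier values are invented for this example.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, phone TEXT, "
        "name TEXT, national_id TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (phone, name, national_id) VALUES (?, ?, ?)",
        [
            ("+381600000001", "Customer A", "ID-PLACEHOLDER-0001"),
            ("+381600000002", "Customer B", "ID-PLACEHOLDER-0002"),
            ("+381600000003", "Customer C", "ID-PLACEHOLDER-0003"),
        ],
    )
    return conn


def lookup_vulnerable(conn, phone):
    # The untrusted value is spliced into the SQL text, so it can change the
    # statement's structure: a crafted "phone" can widen the WHERE clause and
    # return every customer row instead of one.
    sql = f"SELECT name, national_id FROM customers WHERE phone = '{phone}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, phone):
    # Parameter binding sends the value separately from the statement, so the
    # structure is fixed at compile time and the input can only ever be compared
    # as data. A non-matching value simply yields no rows.
    return conn.execute(
        "SELECT name, national_id FROM customers WHERE phone = ?", (phone,)
    ).fetchall()


E164_RE = re.compile(r"^\+[1-9]\d{6,14}$")


def validate_phone(phone):
    # Defence in depth for the request handler: reject anything that is not a
    # plausible E.164 number before it reaches the database layer at all.
    if not E164_RE.match(phone):
        raise ValueError("phone number must be in E.164 format")
    return phone


def portal_lookup(conn, phone):
    # The handler path a portal would expose: validate, then bound query.
    return lookup_hardened(conn, validate_phone(phone))


if __name__ == "__main__":
    db = build_db()
    print(portal_lookup(db, "+381600000001"))
```

The two lookups return the same result for a legitimate number; they differ only when the input is not a phone number, which is exactly the case the vulnerable version fails. Database activity monitoring (see the recommendations below) would still be the backstop if an unbound query survived review.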

The attacker's apparent ability to extract 700,000 complete customer records suggests bulk database query access: either direct database access obtained after initial compromise, or an API or export function with insufficient access controls.

What Organizations Should Do

  1. Map and harden every secondary application with access to customer PII. The CRM, billing system, customer self-service portal, and every third-party integration that can query customer records must be treated as primary attack surface, not secondary. Conduct a full audit of which applications can access customer databases, with what credentials, and whether those access paths are monitored. This is where your breach will come from.

  2. Enforce strict API rate limiting and bulk query detection on customer databases. Exfiltration of 700,000 records implies either a single bulk export or a high-volume query session. Both should trigger immediate alerts. Implement database activity monitoring with anomaly detection tuned to flag query volumes that exceed normal operational patterns by any user or service account, including internal application service accounts.
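The bulk-access detection described in this step, and the two exfiltration shapes named in the attack-technique section (one huge export or a high-volume session), can be expressed as a small rule over database audit events. The code below is an added example and not anything Telekom Serbia has published; the `principal=... rows=...` log format, the sample lines and the per-principal baselines are all constructed, and a real deployment would learn the baselines from historical audit data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-log lines in a simple key=value layout (not a real DBMS
# format). They show two normal service accounts, then one account that starts
# pulling tens of thousands of rows per statement, then a single huge export.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z principal=crm_svc rows=40 stmt=SELECT table=customers
2024-03-01T09:00:10Z principal=billing_svc rows=15 stmt=SELECT table=customers
2024-03-01T09:00:20Z principal=crm_svc rows=55 stmt=SELECT table=customers
2024-03-01T09:01:00Z principal=crm_svc rows=20000 stmt=SELECT table=customers
2024-03-01T09:01:30Z principal=crm_svc rows=25000 stmt=SELECT table=customers
2024-03-01T09:02:00Z principal=crm_svc rows=30000 stmt=SELECT table=customers
2024-03-01T09:02:15Z principal=billing_svc rows=12 stmt=SELECT table=customers
2024-03-01T09:05:00Z principal=export_job rows=700000 stmt=SELECT table=customers
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) principal=(?P<principal>\S+) rows=(?P<rows>\d+) "
    r"stmt=(?P<stmt>\S+) table=(?P<table>\S+)$"
)

# Constructed baselines: rows each principal normally returns from the customer
# table within one window. Unknown principals get a deliberately low default.
BASELINE_ROWS_PER_WINDOW = {"crm_svc": 500, "billing_svc": 200}
DEFAULT_BASELINE = 100
WINDOW = timedelta(minutes=5)
BASELINE_MULTIPLIER = 10         # window volume above 10x baseline is anomalous
SINGLE_STATEMENT_LIMIT = 10_000  # any one statement this large is anomalous


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "principal": m["principal"],
        "rows": int(m["rows"]),
        "stmt": m["stmt"],
        "table": m["table"],
    }


def detect_bulk_access(log_text, sensitive_tables=("customers",)):
    """Return (kind, principal, timestamp, rows) alerts for bulk reads.

    Two rules: a single statement over SINGLE_STATEMENT_LIMIT rows, and a
    sliding WINDOW in which a principal's total exceeds its baseline times
    BASELINE_MULTIPLIER. The window rule fires once per breach, not per event.
    """
    windows = defaultdict(deque)   # principal -> deque of (ts, rows) in WINDOW
    in_breach = set()              # principals whose window alert already fired
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["table"] not in sensitive_tables:
            continue
        if ev["rows"] >= SINGLE_STATEMENT_LIMIT:
            alerts.append(("single_statement", ev["principal"], ev["ts"], ev["rows"]))
        q = windows[ev["principal"]]
        q.append((ev["ts"], ev["rows"]))
        while q and ev["ts"] - q[0][0] > WINDOW:
            q.popleft()
        total = sum(r for _, r in q)
        limit = BASELINE_ROWS_PER_WINDOW.get(ev["principal"], DEFAULT_BASELINE) * BASELINE_MULTIPLIER
        if total > limit and ev["principal"] not in in_breach:
            in_breach.add(ev["principal"])
            alerts.append(("window_volume", ev["principal"], ev["ts"], total))
        elif total <= limit:
            in_breach.discard(ev["principal"])
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_access(SAMPLE_LOG):
        print(alert)
```

Both rules matter: the per-statement limit catches the one-shot export, while the windowed rule catches an attacker who paginates through the table in chunks small enough to look like ordinary application traffic. Note that the baseline is keyed on the service account, which is what makes a compromised internal application's own credential visible rather than trusted.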

  3. Treat national ID numbers and equivalent permanent identifiers as the highest sensitivity data class. Data security tiering should place permanent government identifiers (national IDs, social insurance numbers, passport numbers) in the most restrictive access control category. Mask or tokenize these fields in non-production environments, limit which applications can retrieve full values, and log every access.
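One way to implement the three controls in this step (tokenize the field, mask it wherever the full value is not needed, and log every access to the real value) in application code. This is an added example, not Telekom Serbia's design; the `IdentifierVault` class, its method names and the 13-digit sample identifier are constructed for illustration, and the in-memory mapping stands in for what would be an HSM-backed or otherwise hardened store in production.

```python
import hashlib
import hmac
from datetime import datetime, timezone


class IdentifierVault:
    """Tokenizes permanent identifiers such as national ID numbers.

    Applications carry the token; only principals on an allow-list can
    exchange it for the real value, and every attempt is recorded.
    (Constructed example class; the store is in-memory for illustration.)
    """

    def __init__(self, hmac_key: bytes, allowed_revealers):
        self._key = hmac_key
        self._allowed = set(allowed_revealers)
        self._store = {}        # token -> real identifier
        self.access_log = []    # one entry per reveal attempt, allowed or not

    def tokenize(self, national_id: str) -> str:
        # Keyed hash, so the same identifier always maps to the same token
        # (joins and deduplication keep working) while an unkeyed attacker
        # cannot rebuild tokens from guessed identifiers.
        digest = hmac.new(self._key, national_id.encode(), hashlib.sha256).hexdigest()
        token = "tok_" + digest[:24]
        self._store[token] = national_id
        return token

    @staticmethod
    def mask(national_id: str, keep_last: int = 2) -> str:
        # Display form for non-production data and most UI paths: only the
        # last few characters survive.
        if len(national_id) <= keep_last:
            return "*" * len(national_id)
        return "*" * (len(national_id) - keep_last) + national_id[-keep_last:]

    def reveal(self, token: str, principal: str, purpose: str) -> str:
        allowed = principal in self._allowed and token in self._store
        # Log before deciding, so denied attempts are recorded as well.
        self.access_log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "principal": principal,
            "token": token,
            "purpose": purpose,
            "allowed": allowed,
        })
        if not allowed:
            raise PermissionError(f"{principal} may not reveal {token}")
        return self._store[token]

    def denied_attempts(self):
        return [e for e in self.access_log if not e["allowed"]]


if __name__ == "__main__":
    vault = IdentifierVault(b"demo-key-replace-in-production", {"kyc_service"})
    tok = vault.tokenize("0000000000000")   # constructed 13-digit sample, not a real ID
    print(tok, IdentifierVault.mask("0000000000000"))
```

The masked form is what the CRM, billing and self-service tiers should hold; the token is what they pass around; the reveal path is the only place the full value appears, and its log is the feed a bulk-access detector can watch.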

  4. Conduct SIM swap fraud monitoring for affected customers immediately. The phone numbers exposed in this breach, combined with national IDs and names, create a ready-made SIM swap attack package. Telekom Serbia, as both the breached party and the network operator, is uniquely positioned to monitor for and block SIM swap requests involving the 700,000 affected customers. Implement enhanced verification requirements for these accounts.

  5. Do not rely on attacker identification as a substitute for containment and notification. Lučić's claim of having identified the attacker may be accurate, but it does not reduce the harm to 700,000 individuals whose national ID numbers are now in circulation. Affected customers need proactive notification, guidance on identity theft monitoring, and, where national systems permit, the ability to flag their IDs for fraud alerts. Catching the attacker and protecting victims are parallel tracks, not sequential ones.

  6. Engage national CERT and law enforcement with full technical IOCs within 24 hours of breach confirmation. Regional attribution ("east of Serbia") suggests potential cross-border criminal or state-adjacent activity. CERT-RS and Serbian interior ministry cybercrime units should receive complete indicators of compromise to enable both prosecution and defensive intelligence sharing with neighboring telecom operators who face the same threat actor and attack surface.
