A1 Hrvatska data breach
Croatian mobile carrier A1 Hrvatska disclosed unauthorized access to a customer database exposing the names, personal identification numbers, addresses and phone numbers of roughly 200,000 subscribers — about 10% of its customer base.
- Victim: A1 Hrvatska
- Records: 200.0K
- Users: 200.0K
In February 2022, the Croatian mobile operator A1 Hrvatska — a member of the A1 Telekom Austria Group — disclosed that an attacker had gained unauthorized access to one of its customer databases, exposing the personal data of approximately 200,000 subscribers, around 10% of its customer base.
What happened
A1 Hrvatska said it detected the unauthorized access to a single user database and "immediately and without delay prevented further unauthorized access" once the intrusion was discovered. A computer-forensics team analyzed system logs to determine the scope of the compromise. The company did not publicly confirm the exact intrusion vector; reporting noted that a misconfiguration or stolen credentials were among the plausible causes, but no definitive method was disclosed.
The accessed database contained:
- Full names
- Personal identification numbers (Croatia's OIB)
- Physical addresses
- Telephone numbers
A1 Hrvatska emphasized that bank-card details and online-account credentials were not compromised, as the affected database did not store that information.
Response
The company directly notified the affected customers, filed a criminal complaint with the Zagreb police, and said it had implemented additional security measures and would continue investing in its security infrastructure. Croatia's data protection authority, AZOP, confirmed it had been informed of the breach and was reviewing the incident under the GDPR's mandatory breach-notification regime.
Why it matters
The A1 Hrvatska breach was one of the largest disclosed personal-data incidents in Croatia, exposing a combination — name, national ID number (OIB), and address — that is highly useful for identity theft and targeted fraud. The OIB in particular is a persistent identifier used across Croatian public and financial services, making its exposure more damaging than a leaked password that can simply be reset.
The case underscored the obligations telecom operators carry under the GDPR as custodians of large volumes of citizen data: rapid detection, prompt notification of both regulators and affected individuals, and transparency about what was and was not exposed. It remains a reference point in Croatian discussions about how carriers secure subscriber databases and respond when those defenses fail.
Timeline
- A1 Hrvatska detects unauthorized access to one of its customer databases and moves to block further access.
- A1 Hrvatska publicly discloses the breach affecting roughly 200,000 customers, about 10% of its base.
- A1 Hrvatska files a criminal complaint with Zagreb police and begins directly notifying affected customers.
- Croatia's data protection authority (AZOP) confirms it was notified and is examining the incident.
Sources
- bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/croatian-phone-carrier-data-breach-impacts-200-000-clients/
- securityaffairs.com: https://securityaffairs.com/127919/data-breach/a1-hrvatska-data-breach.html
- telecompaper.com: https://www.telecompaper.com/news/a1-hrvatska-suffers-data-breach-after-hacker-attack--1413691
- databreaches.net: https://databreaches.net/2022/02/12/croatian-phone-carrier-a1-hrvatska-discloses-data-breach/