Thousands of phone users wrongly charged up to €520,000 for premium services after spoofing attack

Some 9,500 customers were each charged €10 - which has since been refunded - until they unsubscribed

Overcharged customers complained to ComReg. Photograph: stock image
Overcharged customers complained to ComReg. Photograph: stock image

More than 9,000 phone users were in total wrongly charged up to €520,000 for premium rate services following a “spoofing” malware attack, a court has heard.

Premium service aggregator Kaleyra UK Ltd pleaded guilty at Dublin District Court on Monday to 22 offences under the Communications Regulation (Premium Rate Services and Electronic Communications Infrastructure) Act, 2010.

It follows an investigation by the Commission for Communications Regulation (ComReg). It received customer complaints and was also alerted by Three Ireland, which noticed a pattern that led to a 40,000 increase in premiums rates among its customers with similar numbers from August 2021 until January 2022.

Three Ireland rejected 30,000 of them, but some 9,500 customers were each charged €10 a week until they unsubscribed.

READ SOME MORE

Kaleyra admitted that it had not contacted ComReg and did not have an adequate refund mechanism or security to prevent the malware attack which led to the massive spike in faked subscriptions.

Judge Anthony Halpin accepted Kaleyra had been a victim of a security attack, but he remarked that “it ought to have communicated with ComReg a lot earlier when they came across this suspicious activity; they did drag their heels somewhat but not to the extent that people suffered further.”

He noted that as a result, Kaleyra pulled out of the Irish market but had refunded the 9,500 wrongly charged for premium rate services they did not seek.

Kaleray, which entered the Irish market 10 years ago, had no prior convictions and agreed to pay €10,000 toward ComReg’s costs.

Judge Halpin noted the firm’s genuine remorse and said he would apply the Probation of Offenders Act, sparing it a recorded conviction, if it donated €5,000 to charity by March 13.

Kaleyra acted as an aggregator for content creators and handled payments from phone networks which billed the customers.

ComReg compliance operations manager Miriam Kilraine said the premium rate content was typically games, competitions, fitness and diet plans, or adult content.

Subscription involved a “double lock” system, a user responding to an online ad and inputting their phone number. They then received a text message requiring an opt-in response.

One account wrongly opted in belonged to a SIM card used in security gates. She agreed with Remy Farrell SC, for ComReg, that Kaleyra received fake confirmation messages opting in customers.

It peaked in December 2022 and was known in the telecom industry as “spoofing”. In this case, an unnamed “bad actor” got access to Kaleyra’s services.

She said it was the first time it had happened in Ireland, but Kaleyra had inadequate internal monitoring procedures to protect customers. She added that it should have noticed the exponential increase in traffic, which demonstrated an unusual pattern of activity, and that the affected customers’ numbers were very close in numerical sequence in one month.

It would have been “extremely coincidental”, she said.

Defence counsel Niall Buckley said it led Kaleyra to raise queries with content providers; there was no evidence of increased marketing activity at the time, and it was clear that the increase was artificial.

He said it was a strict liability offence, and an early guilty plea was entered at the first available opportunity.

Judge Halpin noted a malware incident caused the problem, which had a widespread effect, but Kaleyra had not profited, and had withdrawn from Ireland.

Two senior Kaleyra executives were present for the hearing, and counsel expressed regret on behalf of the firm.

Judge Halpin ordered the charitable donation to the Little Flower Penny Dinner Charity, which helps underprivileged people in Dublin.