Vodafone Iceland, the Icelandic affiliate of the Vodafone Group, was breached on November 30, 2013 by the Turkish hacktivist collective Maxn3y, also operating under the handle Agent. The attackers defaced the company's website and posted a 61.7-megabyte archive containing SQL dumps of customer database tables. The archive included user accounts, SMS history files, multimedia tracking logs, and account-manager records. Vodafone Iceland initially denied that confidential data had been exposed and retracted the denial within twenty-four hours after public review of the dump confirmed otherwise.\n\nThe published dataset covered approximately 56,000 unique email addresses, with related accounts spanning a larger total of around 77,000 records. Compromised fields included usernames, email addresses, names, physical addresses, phone numbers, IP addresses, encrypted passwords, government identifiers (Iceland's kennitala national ID number), credit card data, purchase records, and SMS message content. The SMS dump dated to 2011 and included correspondence among Icelandic politicians, some of it politically sensitive, which drew local media attention beyond standard breach coverage.\n\nFor affected individuals, the practical risk profile is distinct because of the inclusion of message content alongside identity and financial fields. The kennitala is a stable government identifier used widely in Iceland for identity verification, banking, and tax purposes, and combined with name, address, and date of birth it supports identity-verification bypass long after the original disclosure. Credit card data exposed in the original dump is no longer current, but historical SMS message content involving named individuals creates lasting reputational risk. Anyone who held a Vodafone Iceland account during the affected period should treat their kennitala and historical contact data as exposed, monitor for unusual financial activity, and remain alert to any unsolicited contact referencing past Vodafone services.

Mobile network operators collect customer identity, phone numbers, addresses, billing data, device and SIM information, and service records across telecom operations.

Vodafone Iceland continued to operate following the 2013 incident and has not been publicly tied to a further large-scale breach disclosure. The Vodafone Group has continued to face periodic data-protection scrutiny across its international operations, but no incident at the Iceland affiliate has matched the 2013 attack in scale or sensitivity. The 2013 dataset has periodically resurfaced on data-trading forums in the years since, often re-shared as part of broader compilations of legacy telecom breaches. Iceland's national data-protection authority, Persónuvernd, has continued to operate under updated EU-aligned data-protection law since the original incident.