One of Vodafone’s servers has been hacked in Germany, giving those responsible access to personal information for 2 million people who had applied for a new contract or account with the network operator.

Spotted by Engadget (via Bloomberg) Vodafone says the attack appears to have been carried out by one of its own employees and that the police has already identified an individual and seized their assets.

The data breach covered the names, addresses, birth date, gender, bank sort code and bank account numbers. Vodafone stressed that credit card details, mobile phone numbers, passwords or PIN numbers were not obtained for any of its customers in Germany.

“In the absence of passwords, PINs or credit card details it is very unlikely that criminals would gain direct access to an individual’s bank account,” the company said. “However, there is a heightened risk that the criminals may request a fake direct debit application which would be immediately visible to the account holder and which could be immediately blocked or reversed under well-established banking protection measures.”

The breach only affects Vodafone customers in Germany, and the company has already reached out to all individuals they believe to be affected. Vodafone is also warning all of its subscribers to be extra careful about potential phishing attacks at this time.