Personal details of as many as 800,000 Swiss citizens, roughly 10 percent of Switzerland’s population, were compromised last year after mobile phone operator Swisscom suffered a massive data breach.
The breach compromised names, addresses, telephone numbers and email addresses of 800,000 Swisscom customers but sensitive data like passwords, conversation or payment data were not affected.
Swiss telecom major Swisscom announced yesterday that it suffered a major data breach last year after ‘unknown parties’ gained unauthorised access to data stored by a sales partner. The breach compromised ‘non-sensitive details’ of 800,000 mobile and fixed-line subscribers, such as first and last names, home addresses, dates of birth and telephone numbers.
According to Swisscom, the breach was discovered during a routine check of operational activities. The firm added that its own systems were secure and that hackers were not able to gain access to sensitive information such as passwords, conversation or payment data.
Speaking on why a sales partner was allowed to store such large amounts of data belonging to hundreds of thousands of subscribers, Swisscom said that sales partners are usually given limited access to such data ‘to enable them to identify and advise customers and conclude or amend contracts with them’.
‘Although the misappropriated personal data is classified as “non-sensitive” under data protection legislation, investigating the incident is a top priority for Swisscom. The relevant partner company access was blocked immediately,’ it added.
Even though Swisscom has decided to classify the compromised data as non-sensitive, Lisa Baergen, director at NuData Security Inc, believes that the breach may affect customers more severely than Swisscom would have us believe.
‘Although Swisscom reports that no credit card or payment information was exposed, having your name, address, and date of birth stolen can still cause problems. Cyber criminals use this information to create a complete profile of customers. Add a little social engineering, and they can start cracking all types of accounts and even open up accounts in consumers’ names.
‘Protecting data from breaches is becoming increasingly challenging. The millions of personal data records exposed only in the last months put all companies at risk of account takeover fraud. To turn it around, companies can implement intelligent ways to authenticate their customers. It is not enough to verify users by their personally identifiable information (PII) to access an online account, as this is so widely available – and low cost. Companies need a security intelligence that can evaluate not just the data but also the user behaviour through passive biometrics,’ she said.
To ensure that it will not suffer similar breaches in the future, Swisscom has taken a number of steps to ‘better protect access to such non-sensitive personal data by third-party companies’. These steps include stopping processes that allow anyone to run high-volume queries for all customer information in the systems, implementing two-factor authentication for all data access required by sales partners starting this year, and subjecting access by partner companies to tighter controls.
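The first of those steps, closing off high-volume queries against the whole customer base, can also be monitored for. The example below is added here and is not Swisscom's code: it runs over a constructed partner-access log (the record format, the principal names and the thresholds are all assumptions) and flags partner accounts that either query for all customers at once or look up more records in a minute than serving one customer at a time would require.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of partner-portal access records. The format
# "<timestamp> <principal> <action> cust=<id>" is assumed for this example.
SAMPLE_LOG = """\
2018-02-01T09:00:00 partner-shop-17 lookup cust=48311
2018-02-01T09:03:10 partner-shop-17 lookup cust=51902
2018-02-01T09:10:00 partner-shop-42 lookup cust=*
2018-02-01T09:11:00 partner-shop-09 lookup cust=10001
2018-02-01T09:11:01 partner-shop-09 lookup cust=10002
2018-02-01T09:11:02 partner-shop-09 lookup cust=10003
2018-02-01T09:11:03 partner-shop-09 lookup cust=10004
2018-02-01T09:11:04 partner-shop-09 lookup cust=10005
2018-02-01T09:11:05 partner-shop-09 lookup cust=10006
2018-02-01T09:11:06 partner-shop-09 lookup cust=10007
"""


def parse_line(line):
    """Split one constructed log record into (timestamp, principal, action, customer id)."""
    ts, principal, action, target = line.split()
    return datetime.fromisoformat(ts), principal, action, target.split("=", 1)[1]


def flag_bulk_access(log_text, window=timedelta(minutes=1), max_lookups=5):
    """Return {principal: reason} for partner accounts whose lookups look like
    bulk extraction rather than identifying and advising a single customer."""
    recent = defaultdict(deque)  # principal -> lookup timestamps inside the window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, principal, action, cust = parse_line(line)
        if action != "lookup" or principal in flagged:
            continue
        # A wildcard target is a query for the whole customer base, which no
        # per-customer sales task needs; flag it on the first occurrence.
        if cust == "*":
            flagged[principal] = "wildcard query for all customers"
            continue
        q = recent[principal]
        q.append(ts)
        while q and ts - q[0] > window:  # drop lookups older than the window
            q.popleft()
        if len(q) > max_lookups:
            flagged[principal] = f"{len(q)} lookups within {window}"
    return flagged
```

In practice the threshold would be tuned to the partner's legitimate volume, and a hit would feed the same blocking of partner access that Swisscom describes.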
‘So far, Swisscom has not identified any rise in advertising calls or other activities against affected customers. There is no evidence of any harm to customers. In its commitment to transparency, Swisscom regards it as a priority to inform customers about the misuse of sales partner access rights and how to protect themselves from any possible misuse in the future,’ said Swisscom.
The firm also indicated that it may initiate legal action against the sales partner which was handling data compromised by hackers. ‘Swisscom has reported the incident to the Federal Data Protection and Information Commissioner (FDPIC). It is also considering legal proceedings and reserves the right to bring charges,’ it added.
Last year, research by Kaspersky Lab revealed that security breaches suffered by third-party vendors cost businesses over £1.2 million. Third-party vendors often do not encrypt data belonging to their clients and are thus highly vulnerable to cyber attacks and data breaches.
‘Raising IT security budgets is only part of the solution, as the most staggering losses stem from the incidents involving third parties and their cyber-failures. While cyber security incidents involving third parties prove to be harmful to businesses of all sizes, their financial impact on a company has the potential to result in twice as much damage,’ said Alessio Aceti, head of the enterprise business division at Kaspersky Lab.
According to security firm UpGuard, if an enterprise with a highly resilient and secure IT toolchain outsources the handling of sensitive or valuable data to a third-party vendor lacking such well-designed processes and systems, then the hiring enterprise should pay the price for any resulting exposure.
The firm has also said that enterprises and their vendors must share equal responsibility for securing sensitive data against exposure to the wider internet. Such shared responsibility will ensure that third-party vendors are no longer the weakest point in an organisation’s cyber defences.