Swiss telecoms giant Swisscom has admitted that it suffered a serious security breach in the autumn of 2017 that saw the theft of contact details of approximately 800,000 customers – most of whom were mobile subscribers.
Data exposed during the breach included:
- Customers’ first and last names
- Customers’ home addresses
- Customers’ dates of birth
- Customers’ telephone numbers
Interestingly, in a press release, Swisscom pointed a finger of blame at an unnamed third-party sales partner who had been granted “limited access” to the data in order that they could identify and advise customers approaching contract renewal.
That sales partner, Swisscom says, suffered its own security breach – somehow allowing its access keys to Swisscom to fall into criminal hands.
A routine check of Swisscom’s operational activities uncovered the unauthorised data access, and the offending partner’s access rights revoked.
Swisscom was at pains to point out that it had not been ‘hacked’ as such, and that customers’ sensitive passwords or payment information had not been compromised.
Regardless of whether you would call the criminals’ unauthorised use of a sales partner’s login credentials to access Swisscom customer information a hack or not is somewhat moot, as the impact is still the same. Customers were expecting the data to be stored securely, and the stolen data can now be abused by criminals.
Swisscom says that it has not identified any attacks against customers through exploitation of the breached data, but past experience tells us that criminal gangs are not afraid to ring a telecom firm’s customers, posing as the genuine telecoms firm, in order to steal money or trick customers into handing over sensitive information that could be used for identity theft.
In response to the incident, Swisscom says has introduced a number of systems to better protect personal data accessed by its partners:
- Access by partner companies will now be subject to tighter controls and any unusual activity will automatically trigger an alarm and block access.
- In the future, it will no longer be possible to run high-volume queries for all customer information in the systems.
- In addition, two-factor authentication will be introduced in 2018 for all data access required by sales partners.
Clearly affected Swisscom customers should be on their guard – especially against bogus telephone calls they may receive from criminals posing as their telecoms provider.
To read the original article:
https://www.tripwire.com/state-of-security/featured/swisscom-data-breach-exposes-customers/#new_tab