Swisscom has announced it is to tighten security after “unknown parties” used credentials stolen from a sales partner to access some customer data.
The breach was discovered during a routine check of operational activities and was made the subject of an in-depth internal investigation, the company said.
In response, Swisscom said it blocked the affected partner company access and has added more controls around third-party access to customer data.
These include a ban on high-volume queries for all customer data, requiring two-factor authentication to access data, and monitoring systems to block any unusual activity.
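The three controls listed above, as an added example that is not Swisscom's code: a Python audit over constructed partner-portal access log lines that flags access without two-factor authentication, flags single oversized queries, and uses a sliding window to catch a partner that stays under the per-query cap but still pulls an unusual volume of customer records. The log format, partner names and thresholds are assumptions.

```python
# Added example: audit third-party access to customer data against the
# controls described in the article (2FA, high-volume query ban, unusual
# activity monitoring). Log format, partner names and limits are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample partner-portal access log (not real data).
SAMPLE_LOG = """\
2018-02-07T09:00:01Z partner=acme-sales mfa=yes records=12
2018-02-07T09:00:09Z partner=bulk-reseller mfa=no records=5000
2018-02-07T09:00:10Z partner=quiet-scraper mfa=yes records=400
2018-02-07T09:01:10Z partner=quiet-scraper mfa=yes records=400
2018-02-07T09:02:10Z partner=quiet-scraper mfa=yes records=400
2018-02-07T09:10:00Z partner=acme-sales mfa=yes records=15
"""

MAX_RECORDS_PER_QUERY = 500    # hypothetical cap: anything above is "high-volume"
MAX_RECORDS_PER_WINDOW = 1000  # hypothetical per-partner budget within WINDOW
WINDOW = timedelta(minutes=5)  # sliding window for the volume budget


def parse_line(line):
    """Parse one 'timestamp key=value ...' log line into a dict."""
    ts, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "partner": fields["partner"],
        "mfa": fields["mfa"] == "yes",
        "records": int(fields["records"]),
    }


def audit(log_text):
    """Return (partner, reason) findings, one per violated control per event."""
    findings = []
    recent = defaultdict(list)  # partner -> [(ts, records)] inside the window
    for line in log_text.splitlines():
        ev = parse_line(line)
        p = ev["partner"]
        if not ev["mfa"]:
            findings.append((p, "access without two-factor authentication"))
        if ev["records"] > MAX_RECORDS_PER_QUERY:
            findings.append((p, "high-volume query blocked"))
        # Keep only events newer than WINDOW, then check the running total so
        # that many small queries are caught even if each is under the cap.
        recent[p] = [(t, r) for t, r in recent[p] if ev["ts"] - t < WINDOW]
        recent[p].append((ev["ts"], ev["records"]))
        if sum(r for _, r in recent[p]) > MAX_RECORDS_PER_WINDOW:
            findings.append((p, "unusual activity: window budget exceeded"))
    return findings
```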
But Swisscom has downplayed the breach, pointing out that only “non-sensitive” data that is in the public domain was accessed and that no financial data was affected or passwords exposed due to “rigorous long-established” security mechanisms.
The company also said it has not identified any rise in advertising calls or other activities against affected customers.
However, the exposed data did include the first and last names, home addresses, dates of birth and telephone numbers of Swisscom customers, which security commentators said could still be exploited by cyber criminals and is fairly significant in the Swiss context.
“Globally speaking, it’s a drop in the multi-billion ocean of data breaches. However, for Switzerland, it is a very important data breach that will likely affect almost every family in the country,” said Ilia Kolochenko, CEO of Geneva-based web security company High-Tech Bridge.
“The exposed data provides cyber criminals with a great wealth of opportunities, from impersonation and password recovery, to various spear phishing and sophisticated fraud campaigns,” he said.
According to Kolochenko, Switzerland is one of the wealthiest countries and is of great interest to cyber gangs. “This data can be exploitable during the next few years and may cause substantial harm in the long run,” he said.
Lisa Baergen, director at NuData Security, a Mastercard Company, said the exposed data could potentially cause problems because it can be used by cyber criminals to create a complete profile of customers. “Add a little social engineering and they can start cracking all types of accounts and even open up accounts in consumers’ names,” she said.
According to Baergen, the millions of personal data records exposed only in the past few months put all companies at risk of account takeover fraud. “To turn it around, companies can implement intelligent ways to authenticate their customers, such as behaviour-based authentication methods,” she said.
Importance of GRC processes
The Swisscom breach once again underlines the importance of extending governance, risk management and compliance (GRC) processes across the supply chain, especially in the light of the European Union’s (EU’s) General Data Protection Regulation (GDPR).
According to governance expert Raef Meeuwisse, GRC processes all too often end at the network perimeter. “As a result, organisations are relying on procurement contracts and trust beyond that, which is not a very effective approach,” he told a recent RSA seminar in London.
Security of third parties, such as partners, is a major and widely unaddressed problem, said Kolochenko. “Many large financial institutions and e-commerce businesses have lost millions of records because of hacked third parties. Cyber criminals won’t assault the castle, but will instead find a weak supplier with legitimate access to the crown jewels,” he said.
“However, the good news is that we see more and more companies that rigorously implement, for example, supplier risk assessment policies to prevent such risks.”
Reiterating that there is no evidence of any harm to customers, Swisscom said it is committed to transparency, and therefore regarded it as a priority to inform customers about the misuse of sales partner access rights and how to protect themselves from any possible misuse in the future.
Towards this end, Swisscom said it is offering an SMS-based service to enable customers to check if their data was affected. The company is also advising customers to be wary of any unusual or cold calls, and to report any increase in calls from unknown numbers to Swisscom.
Kolochenko said although Swisscom’s efforts to mitigate and investigate the breach are laudable, customers would benefit from free webinars on cyber security and phishing prevention to help prevent exploitation of the stolen data and to raise their level of security awareness.
The Swisscom breach also underlines the potential impact of data breaches on an organisation’s reputation, which is important in the light of a new survey that shows that a company’s reputation relating to its handling of customer data makes an impact on buying decisions, according to 78% of European and US consumers polled.
“The fact that data has been compromised does little to strengthen the bond of trust between consumers and those firms harbouring their data,” said Peter Carlisle, vice-president for Europe at Thales eSecurity.
“The heavy fines provided for in GDPR mean that robust cyber security measures must be an absolute priority for today’s businesses,” he said, adding that Thales research shows that half of UK consumers do not believe commercial organisations care about their digital privacy.
“Although Swisscom is not headquartered inside the European Union, these incidents underscore this view and highlight precisely why data security methods must be watertight to mitigate the evolving threats posed by hackers,” he said.