Vodafone has warned 1,827 customers that hackers have accessed their accounts, but insists that the mobile operator’s systems were not breached.
Cyber criminals accessed the accounts using email addresses and passwords acquired from an “unknown source external to Vodafone”, the company said.
The company is keen to avoid being seen in the same light as fellow mobile phone operator TalkTalk, which was hit by a cyber attack just over a week before.
Initially the TalkTalk breach was feared to have affected millions of customers, but the company now believes the breach potentially exposed only up to 21,000 customers’ banking details, up to 28,000 customers’ obscured payment card details, up to 15,000 customers’ dates of birth, and up to 1.2 million customer email addresses, names and phone numbers.
Vodafone detected that the hackers attempted to access some customers’ account details between midnight on 28 October and midday on 29 October 2015.
A similar incident was reported almost simultaneously by British Gas, but it is not known whether the two incidents are connected in some way.
On 29 October 2015, British Gas warned around 2,200 of its 14.7 million customers that their email addresses, passwords and past energy bills had been published on the document-sharing site Pastebin.
The utility company has contacted the affected customers and assured them that its systems have not been breached and that no payment data has been exposed.
Vodafone said it had set up an investigation when the unauthorised access was detected, to establish the facts and give affected customers the best possible advice.
The company said it had notified the National Crime Agency (NCA), the Information Commissioner’s Office (ICO) and telecoms regulator Ofcom on 30 October.
Like British Gas, Vodafone said its systems were not compromised or breached in any way. However, the company warned that hackers could have accessed account details including customer names, mobile numbers, bank sort codes and the last 4 digits of their bank accounts.
“Our investigation and mitigating actions have meant that only a handful of customers have been subject to any attempts to use this data for fraudulent activity on their Vodafone accounts,” the company said.
According to Vodafone, no credit or debit card numbers or details were obtained and the information exposed cannot be used directly to access customers’ bank accounts.
“However, this information does leave these 1,827 customers open to fraud and might also leave them open to phishing attempts,” the company said.
Vodafone has blocked the affected accounts and is contacting customers directly to assist them with changing their account details.
The company has also contacted the banks of affected customers and loaded customers’ details into the Credit Industry Fraud Avoidance Service (CIFAS) database to ensure that banks or mobile operators will make additional checks to avoid fraud.
“No other customers need to be concerned, as the security of our customers’ data continues to be one of our highest priorities,” Vodafone said.
Security experts have repeatedly advised holders of online accounts to ensure that usernames and passwords are unique to each account; that way, if one is compromised, the others will remain secure.
British Gas published guidelines on its website for staying safe online and the first point states: “It’s crucial to pick strong passwords that are different from each other for all your important accounts.”
Independent security consultant Graham Cluley said there is undoubtedly a huge problem with many people using the same password for multiple sites.
“The sensible approach is to use different passwords for every online account you have. And if, like me, you think you will never be able to remember all those complex, unique passwords – well, get yourself a password manager program to do the hard work for you,” he wrote in a blog post.
Brian Spector, CEO of cryptography firm Certivox, said organisations need to move beyond password-based security.
“They don’t scale for users, they don’t protect the service itself and they are vulnerable to a myriad of attacks. Two-factor authentication for protection works, but it’s hardly user friendly,” he said.
According to Spector, there are cryptographic security advancements available that combine multi-factor authentication with ease of use.
“Customers are rightly demanding to be protected when they submit their valuable personal information, and online services should consider taking that seriously,” he said.