Prying eyes steal customer data at a major EU Telco: How to avoid insider data theft.
Another large breach has hit the streets. This time, Vodafone in Germany seems to be the victim of an attack – from the inside.
You can read about it here – http://www.csoonline.com/article/739562/insider-tied-to-vodafone-breach-in-which-2-million-records-were-compromised
This notification is possibly the first major breach made visible under the new tough EU Telecoms rules on data privacy.
The data stolen includes “names, addresses, birth date, gender, bank sort code and bank account numbers for approximately 2 million applications from individuals seeking to sign up with Vodafone Germany”. The key words here are “seeking to sign up”. This is most likely the web applications where prospective customers fill out forms and send in credit and bank details for identity verification. Ironically, while this streamlines a business process to get a new customer a phone, it’s also the perfect data for committing identity theft. This is one of the reasons why Voltage’s Retail Solution (http://www.voltage.com/solution/secure-commerce-for-retail/) is so popular – we enable enterprises to protect data end-to-end, from the consumer’s browser to the trusted systems deep in the enterprise, cloud, or processing environment, so that it stays protected from the point of capture all the way to the trusted application – the only system that should have access to live data.
So here, as far as notification is concerned, Vodafone seems to be doing the right thing by being transparent. However, the fact that a breach took place at this scale raises questions about how data is being protected in enterprise systems. This is also a significant breach and will certainly have high cost ramifications. Similar-scale breaches at payment processors here in the US, for example – networks processing payments – have cost in the $95m to $140m range. That’s a big slice of any enterprise’s budget. And it’s not just the fines from the regulators – it’s the remediation work: risk analysis, process weakness discovery, heavy-duty audits, and the cost of revisiting security strategies to ensure customer trust isn’t further weakened by another similar attack. Mobile customers are quick to change providers – so the loss of revenue associated with 2 million customers is also a significant financial risk.
Telecoms networks are a huge target for attackers, especially the big players. They process massive amounts of data on a continuous basis, and much of it is sensitive. As network providers, their data flies around everywhere – inside and outside the enterprise. While there aren’t details of the how’s and why’s of this insider attack right now, many large organizations fall into the trap of relying only on data-at-rest encryption, which does absolutely nothing to protect data in use, in motion, or as it’s used by applications: the moment an authorized process reads the disk, the data is decrypted, and anyone positioned in that process’s memory or on the network path sees it in the clear. I suspect that’s exactly where this breach took place – tapping into data as it’s decrypted (or never encrypted) off disk and on the network. It’s a common method of theft by advanced malware: sniffing data either in memory or as it travels point-to-point on networks. Such data is low-hanging fruit for an insider on the lookout for sensitive data “gold”.
In the US, both the payment processing and telecom industry leaders have adopted a completely new data protection strategy to mitigate these types of risks. It’s called “data-centric” security: the sensitive fields themselves are encrypted at the point of capture and stay encrypted through every intermediate system, which renders any stolen data completely useless to the attacker while still enabling the applications to function as before, at massive payment processor and telecoms carrier-grade scale. That’s a big deal – especially when there’s a need to protect data across typical telecoms infrastructure, where you’ll find all sorts of platforms and hundreds of data stores across HP NonStop, IBM z/OS mainframe, open systems, and legacy and contemporary applications spanning the enterprise, Hadoop and cloud. What’s consistent across these platforms is the data. That’s why data-centric security is the new frontier of mitigating attacks. Protect the data, not the server or disk. It’s the data attackers want.
This won’t be the last such breach. The new regulations will put more pressure on telecoms firms in the EU, and notifications will certainly become more common for those not taking a new approach to data protection.
The good news is that the tools are already here to address this risk head on – at scale, and across the entire enterprise or network. Lastly, with government standards recognition of these approaches (such as NIST SP 800-38G – Format-Preserving Encryption), even the most demanding organizations have the assurance of independent validation and the proofs of security necessary for standards-process adoption and for confidence that the risk of a breach is actually reduced.
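To make the data-centric point above concrete, here is an added teaching example (not Voltage’s product code and not the NIST SP 800-38G FF1 algorithm): a toy format-preserving cipher built as an unbalanced Feistel network with an HMAC-SHA256 round function, applied to the kind of sign-up record described in this post. The sample form values, the field names `sort_code`, `account_number` and `customer_id`, and the demo key are all constructed for illustration. It shows the two properties the post relies on: the ciphertext keeps the length and character set of the original field, so sort codes and account numbers still fit every legacy store and message format between the capture point and the trusted system, and only the holder of the key can turn them back into live data.

```python
import hashlib
import hmac
import json

# Toy format-preserving cipher for teaching only: an unbalanced Feistel
# network with an HMAC-SHA256 round function and modular addition, in the
# spirit of FF1 but NOT the standardized algorithm. Do not deploy it.
ROUNDS = 10
DIGITS = "0123456789"
ALNUM = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _str_to_int(s, alphabet):
    radix = len(alphabet)
    value = 0
    for ch in s:
        value = value * radix + alphabet.index(ch)
    return value


def _int_to_str(value, length, alphabet):
    radix = len(alphabet)
    chars = []
    for _ in range(length):
        chars.append(alphabet[value % radix])
        value //= radix
    return "".join(reversed(chars))


def _round_fn(key, round_no, half, out_len, radix):
    # Keyed pseudo-random function for one round, reduced into the
    # output domain [0, radix**out_len) so the result fits the other half.
    msg = bytes([round_no]) + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (radix ** out_len)


def _feistel(key, text, alphabet, decrypt):
    if len(text) < 2 or any(ch not in alphabet for ch in text):
        raise ValueError("input must be >= 2 symbols drawn from the alphabet")
    radix = len(alphabet)
    u = len(text) // 2
    v = len(text) - u
    a, b = text[:u], text[u:]
    order = range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)
    for i in order:
        if i % 2 == 0:  # even rounds update a using b (b is untouched)
            f = _round_fn(key, i, b, u, radix)
            val = _str_to_int(a, alphabet)
            val = (val - f) % radix ** u if decrypt else (val + f) % radix ** u
            a = _int_to_str(val, u, alphabet)
        else:           # odd rounds update b using a (a is untouched)
            f = _round_fn(key, i, a, v, radix)
            val = _str_to_int(b, alphabet)
            val = (val - f) % radix ** v if decrypt else (val + f) % radix ** v
            b = _int_to_str(val, v, alphabet)
    return a + b


def fpe_encrypt(key, text, alphabet=DIGITS):
    return _feistel(key, text, alphabet, decrypt=False)


def fpe_decrypt(key, text, alphabet=DIGITS):
    return _feistel(key, text, alphabet, decrypt=True)


# Constructed field names: the sign-up fields that must never leave the
# capture tier in the clear, each with the alphabet its format allows.
SENSITIVE = {"sort_code": DIGITS, "account_number": DIGITS, "customer_id": ALNUM}


def protect_at_capture(key, form):
    # Data-centric model: sensitive fields are encrypted before the record is
    # stored, queued or forwarded, so every downstream tier (and any process
    # or network tap in between) only ever holds format-preserved ciphertext.
    out = dict(form)
    for field, alphabet in SENSITIVE.items():
        out[field] = fpe_encrypt(key, form[field], alphabet)
    return out


def reveal_in_trusted_system(key, record):
    # Only the trusted application that holds the key recovers live data.
    out = dict(record)
    for field, alphabet in SENSITIVE.items():
        out[field] = fpe_decrypt(key, record[field], alphabet)
    return out


def format_preserved(form, protected):
    # True when every protected field keeps its original length and alphabet.
    return all(len(protected[f]) == len(form[f])
               and all(ch in alpha for ch in protected[f])
               for f, alpha in SENSITIVE.items())


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"
    form = {"name": "Constructed Sample", "sort_code": "37040044",
            "account_number": "0532013000", "customer_id": "APP7Q2ZK"}
    protected = protect_at_capture(key, form)
    print(json.dumps(protected))  # what an intermediate tier or wire tap sees
    print(reveal_in_trusted_system(key, protected) == form)
```

Contrast this with disk-level encryption alone: there, `protect_at_capture` would be a no-op, and the JSON printed for the intermediate tier would carry the real sort code and account number, which is exactly the exposure the post describes.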
In the meantime, any customer affected should be monitoring their bank accounts very, very closely.