On Saturday, Vodafone UK admitted that hackers had accessed the accounts
of around 2,000 of its customers, the second cyber attack on a British
telecoms company this month. The attackers had potentially gained access
to the victims’ bank sort codes and the last four numbers of their bank
accounts, along with their names and mobile telephone numbers, a
Vodafone spokesman said. Only a handful of those affected in the attack
had seen any attempts to use their data for fraudulent activity on their
Vodafone accounts. “No credit or debit card numbers or details were
obtained. However, this information does leave these 1,827 customers
open to fraud and might also leave them open to phishing attempts,” a
spokesman said. The company was contacting all those involved, and
other customers need not be concerned, he said.
Andy Heather, VP EMEA at HPE Security – Data Security comments:
“Immediately following any high profile cyber attack there are questions such as
who, how and what – to a great extent this is immaterial. Most
companies do collect significant amounts of personal information on
their customers such as their addresses, identification numbers and
dates of birth. If left unprotected, this information would give the
attackers almost all of the information they need to undertake
fraudulent activity on the compromised user’s behalf.
This breach highlights a need for companies to place tighter controls on how
their customers’ sensitive information is protected. If data is left
unprotected, it’s not a matter of “if” it will be compromised – it’s a
matter of “when”. Even the best security systems in the world cannot
keep attackers away from sensitive data in all circumstances. When a
company is storing sensitive information about their customers, the risk
is to the data itself. Therefore, a company needs to assume that all
other security measures may fail, and the data itself must be a primary
focus for protection – via encryption. It is critical to note that this
protection needs to include all potentially sensitive information and
not just financial related data.
Many leading companies already employ format-preserving encryption to
protect the data itself. Taking a data-centric approach to security,
attackers would end up with unusable encrypted data instead of the
current outcomes where there is always the possibility of their customers’
personal information ending up in the hands of cyber criminals.
The theft of financial information, credit card or account information, has a
limited lifespan, until the victim changes the account details etc. But
the personal information that can be obtained by accessing someone’s
account profile has a much broader use and can be used to commit a much
wider range of fraud and identity theft, and simply cannot be changed.
The value of this personal data to the cyber criminal has a much greater
value. For example, where the selling price for a single stolen credit
card is around $1, if that card information is sold with a full identity
profile that can dramatically increase up to $500. If the cyber
criminals know where the real value is then surely we should all expect
responsible organisations to pay appropriate attention to keeping our
personal information safe.
Encryption of data is essential to protect customer data, not just when it is
stored but throughout its entire lifecycle, wherever it is, and however
it is used within an organisation. This, along with a robust security
stance, is the only way to stop criminals profiting from stolen data.”