News
Vodafone the latest company to be hit by hackers – expert comment
November 2015 by
On Saturday, Vodafone UK said hackers had accessed the accounts of around 2,000 of its customers, the second cyber attack on a British telecoms company this month. The attackers had potentially gained access to the victims’ bank sort codes and the last four numbers of their bank accounts, along with their names and mobile telephone numbers, a Vodafone spokesman said. Only a handful of those affected in the attack had seen any attempts to use their data for fraudulent activity on their Vodafone accounts. "No credit or debit card numbers or details were obtained. However, this information does leave these 1,827 customers open to fraud and might also leave them open to phishing attempts," a spokesman said. The company was contacting all those involved and that other customers need not be concerned, he said.
“Immediately following any high profile cyber attack there are questions such as who, how and what - to a great extent this is immaterial. Most companies do collect significant amounts of personal information on their customers such as their addresses, identification numbers and dates of birth. If left unprotected, this information would give the attackers almost all of the information they need to undertake fraudulent activity on the compromised user’s behalf.
This breach highlights a need for companies to place tighter controls on how their customers’ sensitive information is protected. If data is left unprotected, it’s not a matter of "if" it will be compromised - it’s a matter of "when". Even the best security systems in the world cannot keep attackers away from sensitive data in all circumstances. When a company is storing sensitive information about their customers, the risk is to the data itself. Therefore, a company needs to assume that all other security measures may fail, and the data itself must be a primary focus for protection - via encryption. It is critical to note that this protection needs to include all potentially sensitive information and not just financial related data.
Many leading companies already employ format-preserving encryption to protect the data itself. Taking a data-centric approach to security, attackers would end up with unusable encrypted data instead of the current outcomes where there always the possibility of their customers’ personal information ending up in the hands of cyber criminals.
The theft of financial information credit card or account information has a limited lifespan, until the victim changes the account details etc. But the personal information that can be obtained by accessing someone’s account profile has a much broader use and can be used to commit a much wider range of fraud and identity theft, and simply cannot be changed.
The value of this personal data to the cyber criminal has a much greater value. For example, where the selling price for a single stolen credit card is around $1, if that card information is sold with a full identify profile that can dramatically increase up to $500. If the cyber criminals know where the real value is then surely we should all expect responsible organisation to pay appropriate attention to keeping our personal information safe.
Encryption of data is essential to protect customer data, not just when it is stored but throughout its entire lifecycle, wherever it is, and however is used within an organisation. This, along with a robust security stance is the only way to stop criminals profiting from stolen data.”
