In response to the recent scandal whereby O2 users found their data up for sale on the dark web, Richard Stiennon, Chief Strategy Officer for Blancco Technology Group believes that claiming they have been a victim of ‘credential stuffing’ is an insufficient excuse when attempting to compensate for the fact that their customers’ data has been leaked to the dark web.

Richard Stiennon, Chief Strategy Officer at Blancco Technology Group:

Richard Stiennon“Earlier this week, it was revealed that hackers stole customer data from telecommunications provider O2. Essentially, the hackers stole the data from another source nearly three years ago, but now they’re selling it on the dark web. The stolen data includes names, dates of birth, phone numbers, emails and passwords of O2 customers.

According to O2, this isn’t a data breach per se. Instead, they’re classifying it and their business as being the victim of a hacking tool called ‘credential stuffing’. In this case, hackers used ‘credential stuffing’ to breach a gaming site called XSplit and subsequently stole members’ login details three years ago. Then, in 2016, the hackers were able to match gamers’ login details from XSplit to indirectly hack into O2 users’ accounts. The major issue here is that a lot of people reuse the same usernames and passwords for various digital site logins. And at the same time, many of those digital sites and companies have a low-level authentication process in place to validate user account information.

This whole scenario and breach that O2 finds itself in really worries me. It just shows how easy and common it is for hackers to access, steal and eventually even use data that was stolen three years ago. And it’s alarming that nothing has been done by anyone to ensure this prior leak had no future repercussions. Why was the XSplit gamers’ data kept for three years? Were those users all current/active customers, or had they closed their gaming accounts and believed their information had been deleted? If those users were not all current/active XSplit users, then I would ask Xsplit why that data wasn’t permanently and completely erased?

The lesson here is two-fold. First, the gaming site, XSplit, needs to do some serious investigation and digging into what types of user data is stored, how long that data is kept, as well as when and where data needs to be removed when users end their service with the gaming site. Secondly, and this is really important, O2 should be careful about how it’s responding to this data breach. While it’s not inaccurate to indicate the technical reason for the data breach, it isn’t going to be beneficial to its business, its customers, its reputation and its long-term sustainability if it deflects responsibility to XSplit completely. At the end of the day, the hack of the O2 data was still made possible because of how it currently manages and retains data. And because it likely hasn’t implemented and enforced data retention policies, data has likely been stored and kept past its shelf life, or unnecessarily. Doing this only increases its exposure to cyber-attacks like this latest one.

A good start for O2 would have been to introduce a multiple point authentication system because human nature dictates that people aren’t going to stop using the same login details, but organizations still owe their customers complete data protection. And considering cyber-crime is now a bigger threat than traditional crime in the UK, it is more important than ever for companies to take data protection very, very seriously. With a few data retention policies, more stringent enforcement mechanisms and self-imposed compliance audits to adhere to stringent laws like EU GDPR, the future landscape of data security could be very bright, for both consumers and the businesses that they trust.”

Information Security Buzz