In response to the news that Telefonica has suffered a data breach which exposed the details of millions of Spanish users, Rob Shapland, IT security experts commented below.
Rob Shapland, Principle Cyber Security Consultant at Falanx Group:
“Telefonica will need to assess the scope of the breach in order to understand how it impacts GDPR. Has the breach been exploited and the information stolen by hackers? If so, they will certainly need to inform the GDPR supervisory authority, and very likely each of the affected customers. They could then be liable to fines of up to €20 million or 4% of their global turnover (their turnover is $53 billion, so potentially over €2 billion in fines though that is highly unlikely).
Flaws like this are quite common in websites. It does imply that the website has not been tested against industry best practice as the flaw that was exploited should be easily discovered during penetration testing. It could also be that Telefonica made changes to the system without running additional checks, which then introduced the vulnerability.
Customers who have been affected should update their password on Telefonica’s systems (and any other websites that same password was used), just in case passwords were exposed, though there is no evidence of this at this stage. It would also be prudent for customers to update their security questions on any key websites such as online banking, in case the personal info that was stolen could be used to answer these questions.”
Ryan Wilk, Vice President at NuData Security:
“This sort of data exposure is why so many organisations who transact with customers online – from the banking and finance sector to eCom and major retailers – are layering in advanced security solutions, such as passive biometrics and behavioural analytics. In doing so, they’re shifting from “let’s make our company a bunker for everyone” to “let’s leave the bunker for risky users only.” They do so by using technology that doesn’t rely on data that could have been exposed in a breach, thus preventing post-breach damage.
“For years now, many top merchants and financial institutions have incorporated passive and active biometrics and behavioural analytics to verify customer identities online. By analysing hundreds of indicators derived from the user’s online behaviour, companies don’t have to rely on passwords, payment data, and other leaked information to make an authentication decision. Removing the organisation’s reliance on ‘things users know’, companies are far less vulnerable to the data exposed by leaks and breaches.
“Passive biometric technology cannot be mimicked by hackers, and helps break the chain of perpetual fraud that grows whenever customer data is breached and stolen.”