According to BBC reports, O2, one of the biggest UK mobile networks, appears to have suffered a data breach. The data was almost certainly obtained by taking usernames and passwords first stolen from the gaming website XSplit three years ago and using them to log on to O2 accounts, the technique known as credential stuffing. Security experts at MIRACL, Lieberman Software, Comparitech.com, ESET, Veracode, Thales e-Security and Intercede commented below.
Brian Spector, CEO at MIRACL:
“But the bigger problem here is that the convention never changes. Until we consign passwords to the history books, data breaches will continue to feature in our news feeds. Passwords don’t scale for users, they don’t protect individual services and they are vulnerable to a myriad of attacks. Customers are usually advised to change passwords when a breach like this occurs, but that won’t protect users from database hacks. The only way to move forwards is to distribute trust across multiple points with rigorous authentication technologies, thus eliminating the single point of compromise.”
Lee Munson, Security Researcher at Comparitech.com:
“Customers of all companies can be subjected to something known as ‘credential stuffing’, whereby an attacker tries stolen usernames/email addresses and passwords on other popular websites and services, with the success rate of such an attack depending entirely on how savvy the victims have been with their password management.
“Given the fact that many people only have access to one or two email accounts, password variety is essential because, otherwise, if one account is compromised, all potentially are.
“That’s why password managers are so essential these days. By setting one up, all you need to remember is one complex master password – the program will securely take care of the rest for you.
“And if you are an O2 customer?
“I think it’s better to be safe than sorry – change your password now, as well as any other duplicates you may be using elsewhere on the web – if the story is false all you’ve wasted are a few minutes. If it’s true, and you don’t take care of your login credentials, you could be in for a huge amount of financial and other types of pain.”
Jonathan Sander, VP of Product Strategy at Lieberman Software:
Mark James, security specialist at ESET:
“The problem with reusing passwords is that when a location gets breached that does not have very good security, the criminals will take that data and use it to attempt to log into websites for monetary gain. It makes no difference how good the security is for PayPal if you use the same username (often your email address) and password on a smaller, not so well protected site.
“Credential stuffing is basically taking your details that you have used elsewhere, inputting them into a program that will try those details in lots of other sites looking for successful logons. If you reuse your password you are making their job easier; it’s as simple as that. There are many, often free, options for helping you to make your data safer that anyone can download (for free or purchase) and easily set up.”
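Both Lee Munson and Mark James describe the same attack shape: one tool, one stolen list, a single attempt against many different accounts, most of which fail because the leaked password is stale for this site. That shape is also what makes it detectable on the defending side. The script below is an added example, not code from O2, the BBC or any of the firms quoted; it runs a simple detector over constructed login-audit lines in a hypothetical `src=... user=... result=...` format, flags a source that tries many distinct usernames with roughly one attempt each and a high failure ratio, and reports the accounts that did log in (the reused passwords), while leaving a single user's typo retries and a single-account brute force alone. Thresholds, field names and sample addresses are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log in a hypothetical format (not from any real system).
# 203.0.113.7 walks a stolen list: many accounts, one try each, mostly failing.
# 198.51.100.9 is one user mistyping a password once; 192.0.2.5 hammers one
# account (brute force). Only the first should be reported as credential stuffing.
SAMPLE_LOG = """\
2016-07-26T10:00:01Z src=203.0.113.7 user=alice@example.com result=FAIL
2016-07-26T10:00:02Z src=203.0.113.7 user=bob@example.com result=FAIL
2016-07-26T10:00:02Z src=203.0.113.7 user=carol@example.com result=FAIL
2016-07-26T10:00:03Z src=203.0.113.7 user=dave@example.com result=OK
2016-07-26T10:00:04Z src=203.0.113.7 user=erin@example.com result=FAIL
2016-07-26T10:00:04Z src=203.0.113.7 user=frank@example.com result=FAIL
2016-07-26T10:00:05Z src=203.0.113.7 user=grace@example.com result=FAIL
2016-07-26T10:00:06Z src=203.0.113.7 user=heidi@example.com result=OK
2016-07-26T10:00:10Z src=198.51.100.9 user=ivan@example.com result=FAIL
2016-07-26T10:00:20Z src=198.51.100.9 user=ivan@example.com result=OK
2016-07-26T10:01:00Z src=192.0.2.5 user=judy@example.com result=FAIL
2016-07-26T10:01:01Z src=192.0.2.5 user=judy@example.com result=FAIL
2016-07-26T10:01:02Z src=192.0.2.5 user=judy@example.com result=FAIL
2016-07-26T10:01:03Z src=192.0.2.5 user=judy@example.com result=FAIL
2016-07-26T10:01:04Z src=192.0.2.5 user=judy@example.com result=FAIL
2016-07-26T10:01:05Z src=192.0.2.5 user=judy@example.com result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Return a list of (timestamp, src, user, success) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"] == "OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_distinct_users=5, min_fail_ratio=0.5,
                               max_tries_per_user=2.0):
    """
    Map each flagged source to stats for its busiest qualifying window.

    A window qualifies when the source touched at least `min_distinct_users`
    different accounts, averaged no more than `max_tries_per_user` attempts per
    account, and failed at least `min_fail_ratio` of the time. A single account
    retried many times fails the distinct-user and tries-per-user tests, so
    brute force and user typos are not reported here. (Thresholds are assumed.)
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until evs[start..end] spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e[2] for e in chunk}
            fails = sum(1 for e in chunk if not e[3])
            fail_ratio = fails / len(chunk)
            tries_per_user = len(chunk) / len(users)
            if (len(users) >= min_distinct_users
                    and fail_ratio >= min_fail_ratio
                    and tries_per_user <= max_tries_per_user):
                stats = {
                    "attempts": len(chunk),
                    "distinct_users": len(users),
                    "fail_ratio": round(fail_ratio, 2),
                    # Successful logins inside a stuffing window are the accounts
                    # whose owners reused a password leaked elsewhere.
                    "compromised": sorted(e[2] for e in chunk if e[3]),
                }
                # Keep the largest qualifying window for this source.
                if src not in flagged or stats["attempts"] > flagged[src]["attempts"]:
                    flagged[src] = stats
    return flagged


if __name__ == "__main__":
    for src, stats in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(src, stats)
```

On the constructed log only 203.0.113.7 is reported, with dave@example.com and heidi@example.com listed as the accounts whose reused passwords worked; those are the customers to force a reset on, rather than the whole user base. The per-source test is deliberately simple and misses an attacker who spreads the same list across a proxy pool so that each address tries only a handful of accounts; for that case the same counters need to be kept site-wide (many distinct accounts each seeing a single failed attempt in the window) rather than per source.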
John Smith, Principal Solution Architect at Veracode:
“With the dark web providing ever more enterprise opportunities for cyberattackers through the resale of personal information, it is critical that organisations of all sizes have robust cybersecurity defences to prevent their customer data being stolen and sold off. However, too many organisations continue to overlook simple best practice, with severe consequences, such as the TalkTalk mega breach achieved using a common SQL injection.
“Cybercrime is increasingly becoming commoditised with the rise in exploit kits and YouTube tutorials on exploiting vulnerabilities. This means launching an attack – even without personally possessing the necessary cyber skills – has never been easier.
“Hacks don’t just leave customer data at risk, they severely impact the reputation and trust in the organisation. It is therefore crucial that all possible attack vectors are closed off, before their all-important data finds its way into the wrong hands.”
Jon Geater, CTO at Thales e-Security:
“This incident further underlines the importance for businesses to change the way they think about data protection, extending their encryption policies to cover all personally identifiable information and account data to prevent it falling into the wrong hands.”
Richard Parris, CEO at Intercede:
“The customers affected by breaches of this nature are those who recycle their passwords across multiple identities, but it’s time that service providers stopped blaming their customers for what is grossly inadequate security. Simple password-based authentication just doesn’t work – none of us can possibly remember enough complex passwords to make the approach viable.
“It’s imperative that organisations now reject simple password authentication and adopt secure alternatives before consumers lose complete faith in the online services provided to them. In the ‘age of the hack,’ the future of online security relies on a much more proactive stance; embedding measures into the very fabric of technology we use in our everyday lives, from the silicon chips used in smartphones, to the apps and services these sites offer. If not, will large-scale data breaches ever be a thing of the past?”
In an independent survey of 2,000 consumers aged 16 to 35, very few said they place any significant trust in companies’ ability to protect their personal data. For telecommunications operators, 40% described their level of trust as ‘none’ or ‘a little’.