One of Britain’s biggest mobile phone companies, Three, has admitted to a major cyber-security breach which could have put six million customers’ personal data at risk. Three Mobile admitted that hackers successfully accessed its customer upgrade database using an employee login. IT security experts from Ping Identity, NSFOCUS, Security Company Centrify, Alert Logic, Lieberman Software, Redscan, Informatica, Intercede, ESET, Certes Networks, RES, Verizon, WhiteHat Security, Barracuda Networks, ForgeRock, ZoneFox, Glasswall Solutions, Post-Quantum, Vectra Networks, WinMagic and Ipswitch commented below.
Hans Zandbelt, Senior Technical Architect at Ping Identity:
Stephen Gates, Chief Research Intelligence Analyst at NSFOCUS:
Barry Scott, CTO EMEA at Security Company Centrify:
“Compromised credentials are the cause of many major breaches, and the way into the target network is often through trusted third-party suppliers or contractors who are breached first, and may not have such rigorous security as the real target.
“Should the user whose credentials were used have had access to whatever data was stolen? Corporate networks often allow far too much access, to too much data, and to too many systems, rather than only allowing the access appropriate for someone’s job.
“Multi-factor authentication, where entering a password is combined with other authentication methods, such as acknowledging a notification on your phone, can be used to stop the use of stolen credentials, and full session recording acts both as a strong deterrent to insider threats and a great tool for forensic analysis.
“Three should advise affected customers how they can protect themselves against repercussions of this breach. Changing passwords, especially if using the same one on different websites, is often advised, and people should have a heightened awareness of suspicious activity on bank accounts and be especially vigilant for phishing mails.”
Oliver Pinson-Roxburgh, EMEA Director at Alert Logic:
“1. Enforce least privileges
2. Know where your data is and who has access
So many organisations we speak to know they have a problem, but find it a real struggle to control access, especially in these larger organisations. To mitigate:
Get visibility on how many records have been accessed and monitor who and why they have been accessing data
Get exposure to communication streams to ensure you can spot exfiltration
Enforce least privileges”
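As an added illustration of the “get visibility on how many records have been accessed and monitor who” point above (this is example code, not from the article or from Alert Logic): a small audit-log check that counts distinct customer upgrade records read per employee account per day and flags any account whose daily count jumps far above its own baseline. The log format, account ids and record ids are constructed assumptions.

```python
# Added example: baseline-based check over a constructed upgrade-database
# audit log. Each line records one employee account reading one customer
# upgrade record: "<ISO timestamp> account=<id> action=read record=<customer>".
from collections import defaultdict


def parse_line(line):
    """Split one constructed log line into (day, account, record)."""
    ts, account, _action, record = line.split()
    return ts[:10], account.split("=", 1)[1], record.split("=", 1)[1]


def daily_counts(lines):
    """Return {account: {day: number of distinct records read}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        day, acct, rec = parse_line(line)
        seen[acct][day].add(rec)
    return {a: {d: len(r) for d, r in days.items()} for a, days in seen.items()}


def flag_anomalies(lines, factor=5, floor=10):
    """Return (account, day, count, baseline) for each account-day where the
    account read more than `floor` records and more than `factor` times the
    median of its counts on its other days. A stolen or shared login that
    bulk-reads upgrade records stands out against the account's own history."""
    flagged = []
    for acct, days in daily_counts(lines).items():
        for day, n in days.items():
            others = sorted(v for d, v in days.items() if d != day)
            baseline = others[len(others) // 2] if others else 0
            if n > floor and n > factor * max(baseline, 1):
                flagged.append((acct, day, n, baseline))
    return flagged


def build_sample():
    """Constructed log: two accounts with small normal volumes, then one
    night on which the emp042 login reads 60 records within an hour."""
    lines = []
    for i, day in enumerate(["2016-11-14", "2016-11-15", "2016-11-16"]):
        for k in range(3):  # emp042 handles three upgrades per working day
            lines.append(f"{day}T09:0{k}:00 account=emp042 action=read record=cust{1000 + i * 10 + k}")
        lines.append(f"{day}T10:30:00 account=emp017 action=read record=cust{2000 + i}")
    for k in range(60):  # the anomalous burst, out of hours
        lines.append(f"2016-11-17T02:{k:02d}:00 account=emp042 action=read record=cust{3000 + k}")
    return lines


if __name__ == "__main__":
    for acct, day, n, base in flag_anomalies(build_sample()):
        print(f"{acct} read {n} records on {day} (usual daily count: {base})")
```

In a real deployment the same counting would run over the database's own access log and feed an alert, so the burst is noticed when it happens rather than after customers report scam calls.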
Jonathan Sander, VP of product strategy at Lieberman Software:
Gubi Singh, COO at Redscan:
“Companies need to realise that they have a duty to protect their customers by advocating tighter security controls and improving employee education about threats.
“Leaders need to heed warnings now ahead of the EU’s General Data Protection Regulation, which could see organisations landed with huge fines for suffering a breach.”
Greg Hanson, Vice President Worldwide Consulting at Informatica:
“Companies must move away from a damage-control mindset to a deep understanding of their sensitive information, so that they can implement data-centric security and protect it wherever it moves in the organisation. Unless companies understand exactly where their valuable assets originate, proliferate and reside, it is extremely likely that they will lose control of that data. And as the Three breach proves, companies must even prepare for an attack from the inside.”
Richard Parris, CEO at Intercede:
“Driven perhaps by a slavish devotion to short term margin and revenue growth, we now have what amounts to corporate blindness. The risks are well known, and the solutions are available, but rather than sort the issue, C-level executives and board members the world over simply hope their company isn’t next on the hit list.
“Digital trust is essential in an increasingly digital world and, if company executives and board members refuse to take action to protect their customers, it may be time for governments and regulators to get much more involved.”
Mark James, Security Specialist at ESET:
“Whenever there is a breach we always ask about credit card and bank info being stolen because it’s tangible data we all relate to, but you can change that. You can cancel cards, you could even change banks if you really wanted to, but some things are not so easy to change: your name, address and date of birth are all things we can’t just change because there’s a data breach. These things are tied intricately into our lives, and these details are the data that WILL be used in ongoing phishing and scam attacks. Mobile phones are an integral part of our lives; we as humans are nearly always on the lookout for a deal or a bargain, and sadly cybercriminals are always on the lookout for a scam or a victim. Put the two together and with the Three data you have some very nice bait to entice you into that bargain upgrade phone; all you need to do is follow the link and enter some details…
“Please be very careful of emails or phone calls that offer deals that seem too good to be true. Do some checks, make a phone call yourself; if the deal is genuine it will still be available in a few hours, after you have verified its validity.”
Dan Panesar, VP EMEA at Certes Networks:
“The only way to halt such breaches is for the industry to rethink trust. The industry needs to adopt a “Zero Trust” model in which it is assumed that every user might be compromised, and that no user is implicitly trusted. Any user might be a hacker in disguise. Organisations must adopt a ‘need to know’ access strategy, meaning users can only access the data they need to do their job. This means that when, not if, a hacker does pass a company’s outer defences, as has happened time and time again, they do not have free rein over the systems of a company holding the personal data of millions of customers.”
Jason Allaway, VP of UK & Ireland at RES:
“It appears the vulnerability came from a legitimate employee log-in, which provided the gang with easy access to critical information. On top of this, it bought them valuable time before anyone at Three noticed the unusual behaviour. These are both factors why an insider threat can prove far more dangerous than brute-forcing your way into a network. Any log-in or access details need to be strictly monitored by companies to prevent these kinds of attacks happening.
“I believe this points to an issue with the on- and off-boarding processes at Three. Such issues should be addressed by refining and automating such processes to ensure they are protected against risk. New joiners should be granted the correct access, and leavers should be stripped of access entirely. If companies secure the lifecycle, new joiners and those exiting the company will not expose an access point leaving the door open to an opportunistic cybercriminal.
“Technology in this sense is one piece of the puzzle, but it isn’t the whole picture. It may be that this log-in was not given out maliciously. Someone may have left themselves logged in or ticked “remember my details” on a public computer, or left a device on the train in their rush to get off at the right stop. By educating staff, the likelihood of these sensitive details falling into the wrong hands can be drastically reduced.”
Laurance Dine, Managing Principal, Investigative Response at Verizon:
“At this stage, we do not know how the password was acquired, but it has the hallmark of the increasingly common ‘three-prong attack’ identified in our research. Many organisations are falling prey to these attacks, which include: sending a phishing email with a link pointing to a malicious website or, more commonly, a malicious attachment; downloading malware onto an individual’s PC that establishes the initial foothold and can be used to look for secrets and internal information (such as passwords) to steal or encrypt files; then using the credentials for further attacks, for example to log into third-party websites like banking or retail sites or, in this instance, ordering upgrades and stealing the phones.
“Companies really need to get back to basics to stop such threats taking hold. For example: use two-factor authentication for systems and encourage users to use two-factor when logging into popular social networking apps; monitor all inputs and review all logs to help identify malicious activity; encrypt your data; train your staff and develop security awareness within your organisation; and last but not least know your data and protect it accordingly, limiting who has access to it.”
Ryan O’Leary, VP Threat Research Centre at WhiteHat Security:
Paul Lyden, VP Northern Europe at Barracuda Networks:
Jonathan Scudder, Chief Architect & Co-Founder at ForgeRock:
“Whether the incident at Three proves to be an insider breach or an external hack, there are steps that every business should be taking to ensure that they both recognise and can prevent the abuse of privileged access. For many companies, this is still an afterthought, and yet the cost of breaches is significant – $21,000 per day according to the Ponemon Institute’s 2015 report on the cost of cyber crime.
“Access control for employee accounts is not an on-off switch. As custodians of our data, companies need to actively review and manage their internal access controls using appropriate services and products. Protecting personal data is a significant challenge that cannot be taken lightly.”
Dr Jamie Graves, CEO at ZoneFox:
“The criminals’ plan appears to have revolved around ordering phone upgrades, intercepting them and selling them on for profit. This might sound like a far-fetched idea, but that’s often why such cyber gangs succeed: their plans are so audacious, no one expects them to actually implement them.
“Attacks like this often happen stealthily and wreak havoc rapidly – it’s important companies become more alert to such breaches and realise that they are all vulnerable. Too many businesses focus on threats that come from outside their organisations, which while a warranted focus, simply does not cover all their bases.
“Insider threats can stem from both malicious behaviour from within, but also through unintentional carelessness from even the most diligent of employees. Organisations like Three must ensure they are educating all staff to the importance of secure login details, but also go a step further and ensure they have visibility and control of data flow, within the organisation, so that any unusual or suspicious behaviour can be immediately uncovered and combated. In Three’s case, two-factor authentication and IT user account monitoring should be improved moving forward, to bolster its existing security processes and reduce the likelihood of a similar breach occurring.”
Greg Sim, CEO at Glasswall Solutions:
“It’s no longer good enough to simply roll out the usual security products and assume that you will be safe. By their own admission the anti-virus industry has accepted that it cannot stop a targeted and sophisticated malware attack, and an entire industry has grown out of the forensic analysis and damage limitation tasks. But by the time this process takes place it could be too late and customer data is compromised. Organisations need to look to innovation to secure their systems and protect their customers.”
Andersen Cheng, CEO at Post-Quantum:
“Three is just another example in a long line of similar incidents, including most recently Tesco Bank and, at a larger scale, Mossack Fonseca, the law firm at the centre of the Panama Papers leaks. All have one thing in common: a single point of failure from within their organisations that was readily exploited.
“Organisations like Three must reconsider how they protect their highest-value data and intellectual property and who accesses it, as there is a risk someone who works at the company was either part of a criminal gang or was careless with critical logins. They have to assume data will be stolen or compromised, however secure they may seem and however loyal an employee may be.
“In the physical world, it is harder for an asset to be stolen in critical organisations, given the level of security that is naturally in place. People have to sign into a building just to gain access, let alone get their hands on important company assets, which are guarded and tracked at all times. It is this kind of preventative technique that must be replicated in the digital world at large companies like Three, to ensure their reputation and revenues remain intact.”
Oliver Tavakoli, CTO at Vectra Networks:
“It’s troubling that Three only discovered the scale of the breach after receiving complaints from customers that scammers were fishing for their bank account details. With the availability of real-time detection methods today that provide insights needed to identify what’s happening at any given moment, and can analyse evidence of targeted attacks and data exfiltration, this lack of awareness is shocking.
“The most reputational damage comes not from the breach itself, but from how quickly an organisation can detect, understand and respond to the in-progress attack, as well how confidently it can advise customers of what exactly has gone wrong. With cyber attacks now being an inevitable eventuality, defence is desirable but detection is a must.”
Mark Hickman, COO at WinMagic:
“You may not be able to remove human factors from the variables that impact security, but with the correct application of encryption technology and policy control you can ensure that your data has a final line of defence, that will remain when all others fall.”
Michael Hack, Senior Vice President of EMEA Operations at Ipswitch:
“Under new proposed EU data protection law (GDPR) fines for this kind of breach are set to increase drastically for private sector organisations to up to 4% of global turnover. Organisations can’t take chances when it comes to IT security and must make sure critical information is kept safe. By automating, managing and controlling all file transfers from a central point of control, employees can easily send and share files using IT approved methods. The IT department also gains complete control over activity. It’s no longer good enough just to have the right policies in place for secure data transfer, an organisation must ensure it has the right file transfer technologies, security systems, processes, and most importantly, staff training.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.