Following the news that the mobile phone company Three has experienced a fresh data breach, with some customers being able to access strangers’ accounts, IT security experts from Zscaler, OwlDetect, CipherCloud, RES and ZoneFox commented below.
Chris Hodson, EMEA CISO at Zscaler:
“Just four months on, it’s concerning that users are seeing their personal data up for grabs again. Last time we were reassured that improved controls had been put in place, but what were these and how could this risk recur?
“Additional worries lie in how Three Mobile is addressing the issue. Reassuring customers that no financial details were exposed is irrelevant. If users are able to see other customers’ bills, then there’s a totally feasible scenario where one user could ask for a replacement SIM based on the billing details, get a replacement phone and reset passwords for major accounts – including banking. This has real implications for identity fraud.
“What’s more, with a year to go until the GDPR comes into force, it’s a reminder of how far behind some firms are in their preparations. No company will want a breach to come as a surprise as we move into a legislative minefield with excruciating consequences for non-compliance. Identification needs to be a priority moving forwards, so that dwell time can be reduced and unnecessary harm mitigated. Moving on from that, prevention can be achieved using platforms that meet GDPR requirements and are architected with ‘security and privacy by design’.”
Professor Richard Benham, Security Advisor at Online Service OwlDetect:
“The privacy issues affecting Three are the latest in a long line of leaks and cyber attacks that we’ve seen this year. Any breach is cause for concern of course, but for a company of this size with access to such a large bank of customer information it’s particularly serious.
“For any concerned Three account holders, the important thing is that it’s not too late to regain control of the situation. Whether they were affected by this leak or the company’s previous breach last year, there are proactive steps they can take to help safeguard their data online.
“The best precaution is to immediately clear all cookies, saved passwords and information such as credit card details on their computer or device. It’s also advisable to change any Three passwords and ensure they aren’t being used elsewhere online, and of course they should keep a close eye for any unusual activity on their monthly bill as well. These are simple steps, but together they should help protect their data on the web and prevent any further impact.”
Willy Leichter, VP of Marketing at CipherCloud:
“While this appears to be an internal IT blunder, rather than an external hacking incident, these kinds of careless errors will have serious repercussions with the upcoming GDPR, which will affect the UK both pre- and post-Brexit. Mistakes will continue to happen, but this kind of direct exposure of customer data would directly violate most data protection laws, and likely cause significant fines and further reputational damage for the business.”
Jason Allaway, VP UK & Ireland at RES:
“It’s disappointing to see that Three have suffered another major data breach – especially with how close we are to GDPR being implemented. With stricter data rules coming into play in just over a year, you would think that Three would have begun to tighten its handling of data, storing and indexing it appropriately under the watch of data protection officers.
“Three needs to acknowledge that it is a holder of mass data, an issue that is commonplace in the run-up to the GDPR legislation. From mobile service providers to shopping delivery companies, these businesses store a huge amount of customer data including names, addresses, personal information and often credit card details. Yet as these companies aren’t regulated in the same way as the banks or other financial institutions are, they often don’t have all the information to hand about how data regulations affect them.
“Today’s breach should act as a stark warning to all companies: if you hold data, regardless of your industry, then you have to protect it. And not just in the future, but now. Companies need to be proactive and have their data storage ducks in a row before stricter legislation lands next year.”
Dr Jamie Graves, CEO at ZoneFox:
“Twice in 12 months, Three have faced two severe data breaches. In November last year 210,200 of their customers had their data stolen, and now a technical error in the company’s system is showing strangers’ personal information and phone records. Customers are unsure who has accessed their data, for how long and what is then done next with it. Perhaps if the company had insights into data flow and user behaviour this would help them avoid issues like this occurring and provide greater oversight. After all, prevention is better than the cure.
“Much like the unintentional insider threat, not all Three customers would think to sell information on the dark web or use it maliciously. But there will be some opportunists out there whose cunning minds have spotted this chance.
“With the looming EU GDPR regulations, businesses must put the protection of their customers’ data at the fore, as they will have to declare data breaches, and detail the scope of such breaches, within 72 hours. A lot of learning must be done by businesses on how they deal with a breach and manage their customers’ personal data to ensure businesses are on the front foot.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.