Swiss telecoms giant Swisscom has admitted that it suffered a serious security breach in the autumn of 2017 that saw the theft of contact details of approximately 800,000 customers – most of whom were mobile subscribers.
Data exposed during the breach included:
- Customers’ first and last names
- Customers’ home addresses
- Customers’ dates of birth
- Customers’ telephone numbers
Interestingly, in a press release, Swisscom pointed a finger of blame at an unnamed third-party sales partner who had been granted “limited access” to the data in order that they could identify and advise customers approaching contract renewal.
That sales partner, Swisscom says, suffered its own security breach – somehow allowing its access keys to Swisscom to fall into criminal hands.
A routine check of Swisscom’s operational activities uncovered the unauthorised data access, and the offending partner’s access rights were revoked.
Swisscom was at pains to point out that it had not been ‘hacked’ as such, and that customers’ sensitive passwords or payment information had not been compromised.
Whether you would call the criminals’ unauthorised use of a sales partner’s login credentials to access Swisscom customer information a hack is somewhat moot: the impact on the customers whose data was taken is the same either way.
Swisscom says that it has not identified any attacks against customers through exploitation of the breached data, but past experience tells us that criminal gangs are not afraid to ring a telecom firm’s customers, posing as the genuine telecoms firm, in order to steal money or trick customers into handing over sensitive information that could be used for identity theft.
In response to the incident, Swisscom says it has introduced a number of measures to better protect personal data accessed by its partners:
- Access by partner companies will now be subject to tighter controls and any unusual activity will automatically trigger an alarm and block access.
- In the future, it will no longer be possible to run high-volume queries for all customer information in the systems.
- In addition, two-factor authentication will be introduced in 2018 for all data access required by sales partners.
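The first two of those measures (scoped partner access with automatic alarm-and-block on unusual activity, and a hard cap on high-volume queries) are the kind of controls a partner-facing gateway can enforce in code. The block below is an added example, not Swisscom’s code and not a description of its systems: a small gateway in front of a constructed customer table that restricts a partner key to customers inside a renewal window, returns only the fields a renewal call needs, rejects bulk page sizes outright, and blocks the key and raises an alarm once a rolling query budget is exceeded. All names, thresholds and sample records are assumptions chosen for the illustration.

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed sample customer table for the example (not real data).
# "days_to_renewal" is the number of days left on the customer's contract.
CUSTOMERS = [
    {"id": 1, "name": "A. Muster",   "address": "Bahnhofstrasse 1, Zürich", "dob": "1980-01-01", "phone": "+41 79 000 00 01", "days_to_renewal": 12},
    {"id": 2, "name": "B. Beispiel", "address": "Rue du Lac 2, Genève",     "dob": "1975-05-05", "phone": "+41 79 000 00 02", "days_to_renewal": 45},
    {"id": 3, "name": "C. Esempio",  "address": "Via Nassa 3, Lugano",      "dob": "1990-09-09", "phone": "+41 79 000 00 03", "days_to_renewal": 200},
    {"id": 4, "name": "D. Exemple",  "address": "Rue Neuve 4, Lausanne",    "dob": "1985-03-03", "phone": "+41 79 000 00 04", "days_to_renewal": 300},
]

# Policy constants (assumed values for the example, not Swisscom's).
RENEWAL_WINDOW_DAYS = 60     # a partner may only see customers renewing within 60 days
MAX_RECORDS_PER_QUERY = 25   # larger page sizes are rejected, not truncated
MAX_QUERIES_PER_WINDOW = 3   # rolling query budget per partner key ...
WINDOW_SECONDS = 60          # ... over this sliding window
PARTNER_FIELDS = ("id", "name", "phone")  # data minimisation: no address, no date of birth


class AccessDenied(Exception):
    """Raised when a partner key is blocked or a query violates policy."""


@dataclass
class PartnerKey:
    key_id: str
    blocked: bool = False
    recent: deque = field(default_factory=deque)  # timestamps of recent queries
    alarms: list = field(default_factory=list)    # what the SOC would be paged with


class PartnerGateway:
    """Mediates every partner query against the customer table."""

    def __init__(self, customers, clock):
        self.customers = customers
        self.clock = clock   # injectable time source returning seconds
        self.keys = {}

    def issue_key(self, key_id):
        self.keys[key_id] = PartnerKey(key_id)
        return self.keys[key_id]

    def _check_budget(self, key):
        """Sliding-window budget; blocking is automatic, not a human decision."""
        now = self.clock()
        while key.recent and now - key.recent[0] >= WINDOW_SECONDS:
            key.recent.popleft()
        key.recent.append(now)
        if len(key.recent) > MAX_QUERIES_PER_WINDOW:
            key.blocked = True
            key.alarms.append(
                f"key {key.key_id}: {len(key.recent)} queries in {WINDOW_SECONDS}s; access blocked")
            raise AccessDenied(f"key {key.key_id} blocked: unusual query volume")

    def query(self, key_id, max_days_to_renewal, limit):
        key = self.keys[key_id]
        if key.blocked:
            raise AccessDenied(f"key {key.key_id} is blocked")
        self._check_budget(key)          # every attempt counts, even rejected ones
        if limit > MAX_RECORDS_PER_QUERY:
            raise AccessDenied(f"limit {limit} exceeds {MAX_RECORDS_PER_QUERY} records per query")
        # Scope: clamp the request to the renewal window the partner was granted.
        days = min(max_days_to_renewal, RENEWAL_WINDOW_DAYS)
        rows = [c for c in self.customers if c["days_to_renewal"] <= days][:limit]
        return [{f: c[f] for f in PARTNER_FIELDS} for c in rows]


def simulate_stolen_key():
    """Walk through the scenario: a stolen partner key tries to dump the table."""
    t = [0]
    gw = PartnerGateway(CUSTOMERS, clock=lambda: t[0])
    gw.issue_key("partner-42")
    outcomes = []
    # Legitimate use: customers renewing in the next 30 days, small page.
    outcomes.append(gw.query("partner-42", 30, 10))
    # Attacker with the same key: asks for everyone, huge page, repeatedly.
    for _ in range(4):
        t[0] += 5
        try:
            gw.query("partner-42", 365, 1000)
            outcomes.append("dump succeeded")
        except AccessDenied as e:
            outcomes.append(str(e))
    return outcomes, gw.keys["partner-42"]
```

The rolling budget slows a patient attacker but does not stop one who stays under it, so the control that actually bounds the damage from a stolen key is the scope clamp: whatever the caller asks for, only customers inside the renewal window and only the fields needed for the call ever leave the gateway. A real deployment would add pagination and persist the budget and block state outside the process.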
Clearly, affected Swisscom customers should be on their guard – especially against bogus telephone calls from criminals posing as their telecoms provider.
But there’s another important lesson for companies of all shapes and sizes: when you partner with third parties, can you be confident that they practise security as well as you do, and that they will take as much care of your customers’ data? Reduce the likelihood of a breach by putting layered defences in front of partner access, and reduce its impact by limiting the amount of data that partners can reach in the first place.
Because it doesn’t really matter whether it was your partner that caused the breach rather than you – it’s your brand that will be making the headlines, and it is you who could have a hard time rebuilding your customers’ trust.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.