This notification is possibly the first major breach made visible under the new tough EU Telecoms rules on data privacy.
The data stolen includes “names, addresses, birth date, gender, bank sort code and bank account numbers for approximately 2 million applications from individuals seeking to sign up with Vodafone Germany”. The key words here are seeking to sign up. This points to the web applications where prospective customers fill out forms and send in credit and bank details for identity verification. Ironically, while this streamlines the business process of getting a new customer a phone, it is the perfect data set for committing identity theft.
So here, as far as notification is concerned, Vodafone seems to be doing the right thing by being transparent. However, the fact that a breach took place at this scale raises questions about how data is being protected in enterprise systems. This is also a significant breach and will certainly have high cost ramifications. Breaches of similar scale at payment processors here in the US, for example – networks processing payments – have cost in the $95m to $140m range. That’s a big slice of the budget of any enterprise. And it’s not just the fines from the regulators – it’s the remediation work: risk analysis and process breakdown discovery, heavy-duty audits, and the cost of revisiting security strategies to ensure customer trust isn’t further weakened by another similar attack. Mobile customers are quick to change providers – so the loss of revenue associated with 2 million customers is also a significant financial risk.
Telecoms networks are a huge target for attackers, especially the big players. They process massive amounts of data on a continuous basis, and much of it is sensitive. As a network provider, their data flies around everywhere – inside and outside the enterprise. While there aren’t details of the hows and whys of this insider attack right now, many large organisations fall into the trap of relying on data-at-rest encryption, which does absolutely nothing to protect data in use, in motion, or as it’s used by applications. I suspect that’s exactly where this breach took place – tapping into data as it’s decrypted (or never encrypted) off disk and on the network. It’s a common method of theft by advanced malware sniffing data either in memory or as it travels point to point, and of course, potentially low-hanging fruit for an insider.

In the US, both the payment processing and telecom industry leaders have adopted a completely new data protection strategy to mitigate these risks – data-centric security, which renders any stolen data completely useless to the attacker while still enabling the applications to function as before, at massive payment processor and telecoms carrier scale. That’s a big deal – especially when there’s a need to protect data across typical telecoms infrastructure, where you’ll find all sorts of platforms: HP NonStop, IBM mainframe, open systems, and legacy and contemporary applications spanning the enterprise, Hadoop and cloud. What’s consistent across these platforms is the data. That’s why data-centric security is the new frontier of mitigating attacks. Protect the data, not the server or disk. It’s the data attackers want.
This won’t be the last such breach. The new regulations will put more pressure on telecoms firms in the EU, and notifications will certainly become more common for those not taking a new approach to data protection.
The good news is that the tools are already here to address this risk head on – at scale, and across the entire enterprise or network. Lastly, with government standards recognition of these approaches (such as NIST 800-38G – Format-Preserving Encryption), even the most demanding organizations have the independent validation and proofs of security that their standards processes require for adoption, and the assurance that the risk of a breach is being reduced.
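To make the format-preserving idea concrete, here is an added illustration that is not part of the original post and not any vendor's product: a small Feistel-network cipher over decimal strings that uses HMAC-SHA256 as its round function (a stand-in for the AES-based FF1 construction of NIST 800-38G, chosen so the example runs with only the Python standard library). The key, sort code and account number are constructed sample values, and the field name is used as the tweak so the same digits protected in two different fields do not collide.

```python
import hashlib
import hmac

ROUNDS = 10  # matches FF1's round count; the round function below is NOT FF1's


def _round_fn(key: bytes, tweak: bytes, i: int, half: str, m: int) -> int:
    # Pseudo-random function for one Feistel round: HMAC-SHA256 over
    # (tweak, round index, the half being mixed in), reduced into the
    # 10**m digit domain so the result can be added to an m-digit half.
    mac = hmac.new(key, tweak + bytes([i]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (10 ** m)


def fpe_encrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Map a numeric string to another numeric string of the same length."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("input must be a numeric string of at least two digits")
    n = len(digits)
    u, v = n // 2, n - n // 2          # split into left (u) and right (v) halves
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v      # the half being replaced alternates in size
        c = (int(a) + _round_fn(key, tweak, i, b, m)) % (10 ** m)
        a, b = b, str(c).zfill(m)       # zfill keeps leading zeros, i.e. the format
    return a + b


def fpe_decrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Invert fpe_encrypt by running the same rounds in reverse order."""
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _round_fn(key, tweak, i, a, m)) % (10 ** m)
        a, b = str(c).zfill(m), a
    return a + b


def protect_record(key: bytes, record: dict) -> dict:
    # Each field is encrypted under its own tweak (the field name). Downstream
    # code that only checks "6-digit sort code, 8-digit account" keeps working.
    return {field: fpe_encrypt(key, field.encode(), value) for field, value in record.items()}


if __name__ == "__main__":
    demo_key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed demo key
    applicant = {"sort_code": "123456", "account": "87654321"}   # constructed, not real
    protected = protect_record(demo_key, applicant)
    print("stored:", protected)
```

The stored record still validates as bank details, but without the key it tells an attacker nothing, which is the property the post is describing.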
In the meantime, any customer affected should be monitoring their bank accounts very, very closely.