Recently, a major telecommunications provided in Switzerland has been compromised which affected around 800,000 Swisscom customers. Data accessed includes first and last names, home addresses, date of births, and telephone numbers of Swisscom customers.
What went wrong?
The customer data, which belongs to around 10% of the Swiss population, was accessed by unauthorized parties by leveraging into the access already provided to a sales partner.
According to Swisscom, sales partners uses the customer data to identify and advise customers and conclude or amend contracts with them. Sales partners are given restricted access and access to customer data requires a username and a password.
The unauthorized parties pulled off the data of thousands of Swisscom customers by compromising a sales partner account, in which it used to sift through the data within reach of the sales partner account.
Even though an access protection was in place, it was not enough to ensure that massive amounts of data will not be pulled off using a sales partner account. The lack of tight data monitoring, query control limits, and two factor authentication all helped in making the access to customer data possible.
What can an attacker do with that data?
Even though data access is classified as "non-sensitive", there are a couple of things that could happen it these data fell into the wrong hands.
- It could help cybercriminals perform impersonation or social engineering attacks to gain access to other accounts belonging to the affected users.
- They could use the data gathered to perform password recovery and spear phishing attacks to multiple targets and gain further access to other accounts which may or may not belong to the Swisscom users.
These attacks not only exposes the individuals affected by the breach to the financial or personal consequences but also other companies as they could be exposed to account takeover fraud which costs billions of money to mitigate.
What should we do about it?
A couple of things can be done to prevent or limit this this kind of breach.
For companies, make sure that proper security practices are in place not only within the company itself but also in the third parties accessing customer or any sensitive information. Remember, security is only as strong as its weakest link.
- Always monitor account activities.
- Assign upper bound limit to database access to limit high-volume queries specially when accessing sensitive information.
- Enable two-factor authentication to accounts.
- Adhere to best practices password policy guidelines.
For users or owners of an account, always remember to be vigilant of your account activities. Enable alerts if possible and always take care of your password.
- Monitor account activities by setting up activity mail alerts if possible.
- Regularly change user password.
- Be wary of phishing and social engineering attacks.
There are a lot of things can be done to prevent or mitigate these kind of attacks. But most importantly it is the best practice to continuously monitor and improve security practices and skillset of individuals that are tasked to protect sensitive information as the security landscape is continually evolving over time.