Swisscom, the biggest telecom company in Switzerland, has suffered a data breach that resulted in the compromise of personal data of some 800,000 customers, i.e., nearly ten percent of the entire Swiss population.
“The data accessed included the first and last names, home addresses, dates of birth and telephone numbers of Swisscom customers; contact details which, for the most part, are in the public domain or available from list brokers,” the company explained.
The data is classed as “non-sensitive” under Swiss data protection law. No sensitive data, such as passwords, conversation or payment data, was affected.
How did the breach happen?
Swisscom discovered the incident during a routine check of operational activities. The following investigation showed that the breach dates back to autumn of 2017.
Apparently, the attackers “misappropriated the access rights of a sales partner,” who are “given limited access to this data to enable them to identify and advise customers and conclude or amend contracts with them.”
Access to the system required them to enter a username and password and, obviously, the attackers have compromised some of these login credentials.
The third-party company in question has not be named, but Swisscom is adding new security features to prevent a similar incident from occurring in the future.
These include the introduction of two-factor authentication for all data access required by sales partners, tighter access controls, and a ban of high-volume queries for all customer information.
“Globally speaking, it’s a drop in the multi-billion ocean of data breaches. However, for Switzerland, it is a very important data breach that will likely impact almost every family in the country,” Ilia Kolochenko, CEO of High-Tech Bridge, told Help Net Security.
“The allegedly stolen data provides cyber criminals with a great wealth of opportunities: from impersonation and password recovery to various spear phishing and sophisticated fraud campaigns. Switzerland is one of the most wealthy countries and represents a great interest for cyber gangs. This data can be exploitable during the next few years and may cause substantial harm in the long run.”
Swisscom has said that they haven’t identified any rise in advertising calls or other activities against affected customers, but advises users to be on the lookout for unusual or cold calls.
This is just the latest in a long string of breaches that started with the compromise of the security of target companies’ partners.
“Security of the third-parties, such as partners, is a major and widely unaddressed problem nowadays. Many large financial institutions and e-commerce businesses have lost millions of records because of hacked third-parties,” Kolochenko noted.
“Cyber criminals won’t assault the castle, but will instead find a weak supplier with legitimate access to the crown jewels. However, the good news is that we see more and more companies who rigorously implement, for example, vendor risk assessment policies now, to prevent such risks.”
Peter Carlisle, VP EMEA, Thales eSecurity noted that although in this instance no password or payment data has been directly affected, the fact that data has been compromised in itself does little to strengthen the bond of trust between consumers and those firms harboring their data.
“With the introduction of the EU GDPR on the horizon, the risk of heavy fines will be hanging over those organizations who fail to protect themselves appropriately against breaches, meaning that robust cybersecurity measures must be an absolute priority for today’s businesses,” he pointed out.
“Our own research has highlighted that half of UK consumers do not believe commercial organizations care about their digital privacy. Though Swisscom is not headquartered inside the European Union itself, these incidents underscore this view and highlight precisely why data security methods must be watertight to mitigate the evolving threats posed by hackers.”