The data of approximately 800 000 Swisscom customers has been exposed due to a misappropriation of one of its sales partner's access rights.
The data, classified as "non-sensitive" under the data protection laws, included the first and last names, home addresses, dates of birth and telephone numbers of Swisscom customers. No passwords, conversations or payment data were exposed.
Better protection
Swisscom said in a statement that investigating the incident is a top priority, and that the partner company in question had its access blocked immediately. In addition, Swisscom said it made a number of changes to better protect access to this type of non-sensitive personal data by third-party companies.
"Access by partner companies will now be subject to tighter controls and any unusual activity will automatically trigger an alarm and block access. In the future, it will no longer be possible to run high-volume queries for all customer information in the systems. In addition, two-factor authentication will be introduced in 2018 for all data access required by sales partners."
Swisscom says these controls will prevent such an incident from happening in the future, adding that it had reported the incident to the Federal Data Protection and Information Commissioner.
Opportunities for attackers
Ilia Kolochenko, CEO of Web security company High-Tech Bridge, says although globally speaking this breach is a drop in the ocean, it will likely affect almost every family in Switzerland.
The exposed data could give attackers a slew of opportunities, ranging from impersonation and password recovery, to a variety of spearphishing and sophisticated fraud campaigns.
"Switzerland is one of the most wealthy countries and represents a great interest for cyber gangs. This data can be exploitable during the next few years and may cause substantial harm in the long run."
He said this breach also shines the spotlight on the security of third-party partners. "This is a major and widely unaddressed problem nowadays. Many large financial institutions and e-commerce businesses have lost millions of records because of hacked third-parties."
Today's cyber criminals don't necessarily have to attack their target organisation directly. All that is needed for them to succeed is a third-party supplier or partner who has weaker security, and legitimate access to the target. "We are seeing more and more companies who rigorously implement, for example, vendor risk assessment policies now, to prevent such risks."
Kolochenko adds that although Swisscom's efforts to mitigate and investigate the breach are commendable, they won't do much for the victims. "Free Webinars on cyber security and phishing prevention for the victims would be very helpful to prevent exploitation of the stolen data and to raise their overall level of security awareness."
Share