<div dir="ltr"><a href="http://realbusiness.co.uk/article/34182-yet-again-the-importance-of-securing-data-at-source-has-been-made-obvious-thanks-to-o2">http://realbusiness.co.uk/article/34182-yet-again-the-importance-of-securing-data-at-source-has-been-made-obvious-thanks-to-o2</a><br><div id="gmail-article-body" class="gmail-article__body"> <p class="gmail-h4 gmail-article__intro">The
revelation that O2 customer data is now for sale on the dark web has
brought the issue of mandatory data breach reporting firmly back into
the spotlight – as well as the importance of setting secure defences.</p> <p>It has been revealed that <a href="http://www.bbc.co.uk/news/technology-36764548">O2 customer data is being sold by criminals on the dark net</a>.
The data, which includes names, phone numbers, email addresses and
passwords, appears to have been obtained by hackers logging onto O2
accounts using credentials initially stolen from gaming website XSplit
in November 2013.</p><p>At the head of the debate is the fact that
the data hadn't been fully encrypted – and that O2 should have learned
from the numerous other firms that recently felt the burn for the same
reason. For example, TalkTalk was, in 2015, also criticised for its
“blasé approach” to encrypting customer data.</p><p>Of the matter, Trent
Telford, CEO at Covata, said: “The data was stolen years ago and
hackers used software to repeatedly attempt to login to the O2 accounts,
seemingly with considerable success. If the information had been put
through robust encryption at creation, it would have simply been an
unusable mass of unreadable data.” </p><p>And according to Ross Brewer,
VP and MD of EMEA at LogRhythm, this is a clear example of the
collateral damage caused by stolen credentials. The hackers used a
technique known as credential stuffing, which sees criminals use
software to repeatedly attempt to gain access to customers’ online
accounts using stolen login details.</p><p>
“Credential stuffing will undoubtedly become a bigger threat over the
next few years as it becomes easier for hackers to get their hands on
personal information dumped on the dark web,” Brewer said. “As
organisations become better at blocking traditional brute force attacks,
hackers are changing their tactics, using automation tools to determine
which, out of all the credentials they have, can unlock the doors to
more confidential and sensitive information.</p><p>“This breach should
act as a warning to businesses not to rely solely on traditional
perimeter tools, which won’t detect a ‘seemingly normal’ log-in attempt.
Previously hackers have had to spend time and effort working out which
stolen credentials are valuable, but they now have the tools to
identify these instantly, and businesses need to be prepared to be
targeted much more successfully.”</p><p>It’s more important than ever,
he explained, that businesses understand that data will go to places
where it can’t be controlled. It needs to be protected from the ground
up, which should involve users having to pass authentication checks
every time they wish to gain access. </p><p>Telford added: “Of course,
the story also highlights the need for consumers to regularly change
their passwords. Despite its age, the data was still relevant. It’s
quite probable that the login details will work on accounts with other
companies too. Consumers often view gaming websites as innocuous,
believing that a hack wouldn’t have far reaching ramifications, but
cybercriminals are happy to play the long game. They target websites
likely to have weak encryption, enabling them to take the information
and use it elsewhere. Ultimately, while organisations undoubtedly have a
duty to secure data, consumers should still remain vigilant and take
steps to protect themselves.”</p><p>Most importantly, with the European
Union General Data Protection Regulation (GDPR) coming into effect in
May 2016, businesses have just under two years to change data privacy
policies in order to ensure compliance – and get to grips with reporting
data breaches in a timely manner.</p><p>“Often organisations wait to
inform customers of a breach, but under the GDPR companies will be
required to notify national data protection authorities of a serious
data breach within 72 hours,” said Eduard Meelhuysen, VP EMEA at
Netskope. “In certain cases, businesses will also be required to notify
affected individuals so they can take necessary precautions and remain
vigilant to cyber criminals making use of their compromised data.</p><p>“Many
businesses may initially struggle to comply with such strict measures
but this latest cache of stolen data only emphasises the importance of
identifying and reporting not just the breach itself, but also the data
most likely to have been affected, as quickly as possible. If those
individuals affected by the initial XSplit breach had been warned of the
breach in good time, they may have been able to change log-in details
quickly for any sites which they accessed with the same passwords.</p><p>“With
many O2 customers wondering if their data are still available for sale
on the dark web now, businesses must wake up to the need for a fast
response once data have been compromised. In particular, as more data
are stored off-premises, organisations need to ensure the correct
security controls are in place, remain vigilant to unusual user
behaviour and take active measures to secure data – especially in the
cloud.”</p>
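<p>Added example, not code from the article or from any of the vendors quoted in it: the credential-stuffing pattern Brewer describes above (one automated source cycling through a stolen list of usernames and passwords, most of which fail, a few of which succeed) is invisible to a check that looks at each log-in on its own, but it stands out once attempts are aggregated by source over a short window. The log format, the documentation-range IP addresses, the usernames and the thresholds below are all constructed for this example and do not describe any real O2 or XSplit system.</p>

```python
"""Flag credential-stuffing patterns in authentication logs (added example).

A stuffing run looks like one source trying many *different* usernames, most
of which fail; the few successes look like ordinary log-ins on their own, which
is why a per-request perimeter check misses them. Aggregating by source IP over
a time window surfaces the pattern. Log format, field names and thresholds are
assumptions for this example, not taken from any real system.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (documentation-range IPs, made-up usernames):
# <ISO-8601 timestamp> <source IP> <username> <OK|FAIL>
SAMPLE_LOG = """\
2016-07-26T09:00:00Z 203.0.113.7 user01@example.net FAIL
2016-07-26T09:00:05Z 203.0.113.7 user02@example.net FAIL
2016-07-26T09:00:10Z 203.0.113.7 user03@example.net OK
2016-07-26T09:00:15Z 203.0.113.7 user04@example.net FAIL
2016-07-26T09:00:20Z 203.0.113.7 user05@example.net FAIL
2016-07-26T09:00:25Z 203.0.113.7 user06@example.net FAIL
2016-07-26T09:00:30Z 203.0.113.7 user07@example.net FAIL
2016-07-26T09:00:35Z 203.0.113.7 user08@example.net OK
2016-07-26T09:00:40Z 203.0.113.7 user09@example.net FAIL
2016-07-26T09:00:45Z 203.0.113.7 user10@example.net FAIL
2016-07-26T09:01:00Z 198.51.100.12 dave@example.net FAIL
2016-07-26T09:01:20Z 198.51.100.12 dave@example.net FAIL
2016-07-26T09:01:40Z 198.51.100.12 dave@example.net OK
2016-07-26T09:02:00Z 198.51.100.40 erin@example.net OK
2016-07-26T09:02:10Z 198.51.100.40 frank@example.net OK
2016-07-26T09:02:20Z 198.51.100.40 grace@example.net OK
2016-07-26T09:02:30Z 198.51.100.40 heidi@example.net OK
2016-07-26T09:02:40Z 198.51.100.40 ivan@example.net OK
"""


@dataclass
class LoginEvent:
    ts: datetime
    src_ip: str
    user: str
    ok: bool


def parse_line(line: str) -> LoginEvent:
    """Parse one whitespace-separated log line into a LoginEvent."""
    ts, src_ip, user, result = line.split()
    return LoginEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                      src_ip, user, result == "OK")


def parse_log(text: str) -> list:
    """Parse every non-empty line of a log dump."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def detect_stuffing(events, window=timedelta(minutes=10),
                    min_users=5, max_success_pct=20):
    """Return {src_ip: {"distinct_users": n, "compromised": set_of_users}}
    for every source that, within any span of at most `window`, tried at
    least `min_users` distinct usernames with a success rate of at most
    `max_success_pct` percent. Successful log-ins inside a flagged window
    are recorded as accounts to review: valid credentials from a dump."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end, cur in enumerate(evs):
            # Slide the window start forward so the span never exceeds `window`.
            while cur.ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {w.user for w in win}
            successes = sum(1 for w in win if w.ok)
            # Integer comparison avoids float rounding right at the threshold.
            if len(users) >= min_users and successes * 100 <= max_success_pct * len(win):
                hit = alerts.setdefault(ip, {"distinct_users": 0, "compromised": set()})
                hit["distinct_users"] = max(hit["distinct_users"], len(users))
                hit["compromised"].update(w.user for w in win if w.ok)
    return alerts


if __name__ == "__main__":
    for ip, hit in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {hit['distinct_users']} distinct users tried; "
              f"successful log-ins to review: {sorted(hit['compromised'])}")
```

<p>In the constructed log only 203.0.113.7 is flagged: the user who mistypes a password twice and then succeeds (one username, so never reaches <code>min_users</code>) and the shared office address from which five different people all log in successfully (success rate far above the threshold) both pass. The two successful log-ins from the flagged source are exactly the “seemingly normal” events a per-request check accepts; here they come out as accounts to force a password reset on. A run spread thinly across many source addresses will stay under a per-IP threshold, so in practice the same aggregation is also worth running per username (one account hit from many addresses) and per password-hash miss, and the thresholds need tuning against a site’s own baseline of ordinary failures.</p>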
</div><br></div>