[BreachExchange] Yet again, the importance of securing data at source has been made obvious thanks to O2

Inga Goddijn inga at riskbasedsecurity.com
Wed Jul 27 19:54:18 EDT 2016


http://realbusiness.co.uk/article/34182-yet-again-the-importance-of-securing-data-at-source-has-been-made-obvious-thanks-to-o2

The revelation that O2 customer data is now for sale on the dark web has
brought the issue of mandatory data breach reporting firmly back into the
spotlight – as well as the importance of setting secure defences.

It has been revealed that O2 customer data is being sold by criminals on
the dark net <http://www.bbc.co.uk/news/technology-36764548>. The data,
which includes names, phone numbers, email addresses and passwords, appears
to have been obtained by hackers logging onto O2 accounts using credentials
initially stolen from gaming website XSplit in November 2013.

At the centre of the debate is the fact that the data hadn't been fully
encrypted – and that O2 should have learned from the numerous other firms
that recently felt the burn for the same reason. For example, TalkTalk was,
in 2015, also criticised for its “blasé approach” to encrypting customer
data.

Of the matter, Trent Telford, CEO at Covata, said: “The data was stolen
years ago and hackers used software to repeatedly attempt to login to the
O2 accounts, seemingly with considerable success. If the information had
been put through robust encryption at creation, it would have simply been
an unusable mass of unreadable data.”

And according to Ross Brewer, VP and MD of EMEA at LogRhythm, this is a
clear example of the collateral damage caused by stolen credentials. The
hackers used a technique known as credential stuffing, which sees criminals
use software to repeatedly attempt to gain access to customers’ online
accounts using stolen login details.

“Credential stuffing will undoubtedly become a bigger threat over the next
few years as it becomes easier for hackers to get their hands on personal
information dumped on the dark web,” Brewer said. “As organisations become
better at blocking traditional brute force attacks, hackers are changing
their tactics, using automation tools to determine which, out of all the
credentials they have, can unlock the doors to more confidential and
sensitive information.

"This breach should act as a warning to businesses not to rely solely on
traditional perimeter tools, which won’t detect a 'seemingly normal' log-in
attempt. Previously hackers have had to spend time and effort working out
which stolen credentials are valuable, but they now have the tools to
identify these instantly, and businesses need to be prepared to be targeted
much more successfully."

It’s more important than ever, he explained, that businesses understand
that data will go to places where it can’t be controlled. It needs to be
protected from the ground up, which should involve users having to pass
authentication checks every time they wish to gain access.
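The detection problem Brewer describes is that each stuffed login looks like an ordinary attempt, so per-account lockout and perimeter tooling never fire. The following is an added example, not code from the article, O2 or LogRhythm: it runs two detectors over a handful of constructed authentication log lines. The log format, field names, IP addresses, usernames and thresholds are all assumptions made for illustration. The classic per-account failure counter catches a single-account brute force but misses the stuffing source; a per-source fan-out check (many distinct accounts, roughly one attempt each) catches it and lists the accounts that were actually logged into, which is the set that needs a forced reset.

```python
"""Telling credential stuffing apart from per-account brute force in auth logs.

Added example for illustration; the log format, sample lines, names and
thresholds below are constructed and not taken from any real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample log: "<iso-timestamp> <client-ip> <username> <OK|FAIL>".
# 203.0.113.7 tries ten different accounts once each (stuffing, two hits);
# 198.51.100.9 hammers one account (brute force); 192.0.2.44 is a normal user.
SAMPLE_LOG = """\
2016-07-26T22:00:01 203.0.113.7 alice FAIL
2016-07-26T22:00:02 203.0.113.7 bob FAIL
2016-07-26T22:00:02 203.0.113.7 carol OK
2016-07-26T22:00:03 203.0.113.7 dave FAIL
2016-07-26T22:00:04 203.0.113.7 erin FAIL
2016-07-26T22:00:05 203.0.113.7 frank OK
2016-07-26T22:00:06 203.0.113.7 grace FAIL
2016-07-26T22:00:07 203.0.113.7 heidi FAIL
2016-07-26T22:00:08 203.0.113.7 ivan FAIL
2016-07-26T22:00:09 203.0.113.7 judy FAIL
2016-07-26T22:01:00 198.51.100.9 mallory FAIL
2016-07-26T22:01:05 198.51.100.9 mallory FAIL
2016-07-26T22:01:10 198.51.100.9 mallory FAIL
2016-07-26T22:01:15 198.51.100.9 mallory FAIL
2016-07-26T22:01:20 198.51.100.9 mallory FAIL
2016-07-26T22:01:25 198.51.100.9 mallory FAIL
2016-07-26T22:05:00 192.0.2.44 alice OK
"""


class Event(NamedTuple):
    ts: datetime
    ip: str
    user: str
    success: bool


def parse_log(text: str) -> List[Event]:
    """Parse the constructed four-field log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def brute_force_pairs(events: List[Event], max_failures: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> Set[Tuple[str, str]]:
    """Classic lockout logic: flag (ip, user) pairs with too many failures in a window.

    This is what 'traditional' controls do. It cannot see stuffing, because a
    stuffing run spends only one or two attempts on each account."""
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for e in events:
        if not e.success:
            failures[(e.ip, e.user)].append(e.ts)
    flagged = set()
    for pair, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= max_failures:
                flagged.add(pair)
                break
    return flagged


def stuffing_sources(events: List[Event], min_accounts: int = 8,
                     window: timedelta = timedelta(minutes=5)) -> Dict[str, dict]:
    """Flag source IPs that touch many distinct accounts within a window.

    The signal is fan-out from one source rather than depth on one account.
    For each flagged IP the report lists every account it successfully logged
    into, i.e. the credentials that are confirmed reused and must be reset."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    report = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            if len({e.user for e in evs[start:end + 1]}) >= min_accounts:
                users = {e.user for e in evs}
                report[ip] = {
                    "accounts_tried": len(users),
                    "attempts": len(evs),
                    "attempts_per_account": round(len(evs) / len(users), 2),
                    "logged_in": sorted({e.user for e in evs if e.success}),
                }
                break
    return report


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("brute force:", brute_force_pairs(evs))
    print("stuffing:", stuffing_sources(evs))
```

On the sample above the lockout counter flags only the `mallory` hammering from 198.51.100.9, while the fan-out check flags 203.0.113.7 with ten accounts tried at one attempt each and two successes (`carol`, `frank`). In practice the per-source view should be widened beyond a single IP (stuffing tools rotate through proxies), for example by keying on ASN, user-agent string or TLS fingerprint, and the success list should feed a forced password reset and notification rather than just an alert.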

Telford added: “Of course, the story also highlights the need for consumers
to regularly change their passwords. Despite its age, the data was still
relevant. It’s quite probable that the login details will work on accounts
with other companies too. Consumers often view gaming websites as
innocuous, believing that a hack wouldn’t have far reaching ramifications,
but cybercriminals are happy to play the long game. They target websites
likely to have weak encryption, enabling them to take the information and
use it elsewhere. Ultimately, while organisations undoubtedly have a duty
to secure data, consumers should still remain vigilant and take steps to
protect themselves.”

Most importantly, with the European Union General Data Protection
Regulation (GDPR) having entered into force in May 2016 and applying from
25 May 2018, businesses have just under two years to change data privacy
policies in order to ensure compliance – and get to grips with reporting
data breaches in a timely manner.

“Often organisations wait to inform customers of a breach, but under the
GDPR companies will be required to notify national data protection
authorities of a serious data breach within 72 hours," said Eduard
Meelhuysen, VP EMEA at Netskope. "In certain cases, businesses will also be
required to notify affected individuals so they can take necessary
precautions and remain vigilant to cyber criminals making use of their
compromised data.

"Many businesses may initially struggle to comply with such strict measures
but this latest cache of stolen data only emphasises the importance of
identifying and reporting not just the breach itself, but also the data
most likely to have been affected, as quickly as possible. If those
individuals affected by the initial XSplit breach had been warned of the
breach in good time, they may have been able to change log-in details
quickly for any sites which they accessed with the same passwords.

“With many O2 customers wondering if their data are still available for
sale on the dark web now, businesses must wake up to the need for a fast
response once data have been compromised. In particular, as more data are
stored off-premises, organisations need to ensure the correct security
controls are in place, remain vigilant to unusual user behaviour and take
active measures to secure data – especially in the cloud.”