It has been revealed that O2 customer data is being sold by criminals on the dark net. The data, which includes names, phone numbers, email addresses and passwords, appears to have been obtained by hackers logging onto O2 accounts using credentials initially stolen from gaming website XSplit in November 2013.
At the head of the debate is the fact that the data hadn’t been fully encrypted – and that O2 should have learned from the numerous other firms that recently felt the burn for the same reason. For example, TalkTalk was, in 2015, also criticised for its “blasé approach” to encrypting customer data.
Of the matter, Trent Telford, CEO at Covata, said: “The data was stolen years ago and hackers used software to repeatedly attempt to log in to the O2 accounts, seemingly with considerable success. If the information had been put through robust encryption at creation, it would have simply been an unusable mass of unreadable data.”
And according to Ross Brewer, VP and MD of EMEA at LogRhythm, this is a clear example of the collateral damage caused by stolen credentials. The hackers used a technique known as credential stuffing, which sees criminals use software to repeatedly attempt to gain access to customers’ online accounts using stolen login details.
“Credential stuffing will undoubtedly become a bigger threat over the next few years as it becomes easier for hackers to get their hands on personal information dumped on the dark web,” Brewer said. “As organisations become better at blocking traditional brute force attacks, hackers are changing their tactics, using automation tools to determine which, out of all the credentials they have, can unlock the doors to more confidential and sensitive information.
“This breach should act as a warning to businesses not to rely solely on traditional perimeter tools, which won’t detect a ‘seemingly normal’ log-in attempt. Previously hackers have had to spend time and effort working out which stolen credentials are valuable, but they now have the tools to identify these instantly, and businesses need to be prepared to be targeted much more successfully.”
It’s more important than ever, he explained, that businesses understand that data will go to places where it can’t be controlled. It needs to be protected from the ground up, which should involve users having to pass authentication checks every time they wish to gain access.
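The login pattern Brewer describes can be spotted in authentication logs even though each attempt looks normal on its own. The sketch below is an added example, not code from the article or from anyone quoted in it: the log format, the sample lines and the thresholds are constructed assumptions. It flags a source that tries many different accounts only a few times each with a low success rate, which is what separates credential stuffing from a brute force attack on one account or a user mistyping a password.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_log():
    """Constructed log lines: 'ISO-timestamp source-ip username OK|FAIL'."""
    t0 = datetime(2016, 7, 1, 9, 0, 0)
    stamp = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    lines = []
    for i in range(30):   # stuffing: 30 accounts, one try each, two hits
        ok = "OK" if i in (7, 19) else "FAIL"
        lines.append(f"{stamp(2 * i)} 203.0.113.5 user{i:02d} {ok}")
    for i in range(30):   # brute force: one account, many guesses
        lines.append(f"{stamp(2 * i)} 192.0.2.9 bob FAIL")
    for i, ok in enumerate(["FAIL", "FAIL", "OK"]):   # a user mistyping
        lines.append(f"{stamp(10 * i)} 198.51.100.8 alice {ok}")
    return lines

def detect_stuffing(lines, window=timedelta(minutes=5), min_accounts=20,
                    max_tries_per_account=3.0, max_success_ratio=0.2):
    """Flag sources that try many accounts a few times each, mostly failing.
    The default thresholds are illustrative assumptions, not tuned values."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, user, result = line.split()
        by_ip[ip].append((datetime.fromisoformat(ts), user, result == "OK"))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it never spans more than `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            accounts = {user for _, user, _ in win}
            hits = sum(ok for _, _, ok in win)
            if (len(accounts) >= min_accounts
                    and len(win) / len(accounts) <= max_tries_per_account
                    and hits / len(win) <= max_success_ratio):
                findings[ip] = {
                    "accounts_tried": len({u for _, u, _ in events}),
                    # Successful logins from a flagged source need a forced reset.
                    "compromised": sorted({u for _, u, ok in events if ok}),
                }
                break
    return findings

if __name__ == "__main__":
    for ip, info in detect_stuffing(sample_log()).items():
        print(ip, info)
```

The list of accounts that logged in successfully from a flagged source is the part an incident responder acts on first, since those are the customers whose reused passwords worked.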
Telford added: “Of course, the story also highlights the need for consumers to regularly change their passwords. Despite its age, the data was still relevant. It’s quite probable that the login details will work on accounts with other companies too. Consumers often view gaming websites as innocuous, believing that a hack wouldn’t have far reaching ramifications, but cybercriminals are happy to play the long game. They target websites likely to have weak encryption, enabling them to take the information and use it elsewhere. Ultimately, while organisations undoubtedly have a duty to secure data, consumers should still remain vigilant and take steps to protect themselves.”
Most importantly, with the European Union General Data Protection Regulation (GDPR) coming into effect in May 2016, businesses have just under two years to change data privacy policies in order to ensure compliance – and get to grips with reporting data breaches in a timely manner.
“Often organisations wait to inform customers of a breach, but under the GDPR companies will be required to notify national data protection authorities of a serious data breach within 72 hours,” said Eduard Meelhuysen, VP EMEA at Netskope. “In certain cases, businesses will also be required to notify affected individuals so they can take necessary precautions and remain vigilant to cyber criminals making use of their compromised data.
“Many businesses may initially struggle to comply with such strict measures but this latest cache of stolen data only emphasises the importance of identifying and reporting not just the breach itself, but also the data most likely to have been affected, as quickly as possible. If those individuals affected by the initial XSplit breach had been warned of the breach in good time, they may have been able to change login details quickly for any sites which they accessed with the same passwords.
“With many O2 customers wondering if their data are still available for sale on the dark web now, businesses must wake up to the need for a fast response once data have been compromised. In particular, as more data are stored off-premises, organisations need to ensure the correct security controls are in place, remain vigilant to unusual user behaviour and take active measures to secure data – especially in the cloud.”