Lessons from the Swisscom case

The gigantic Swisscom data leak was uncovered during a routine check. Using the access rights of a sales partner, the cybercriminals gained access to around 800,000 customer records. What can other companies learn from this?


IT security expert Marc Ruef, who specializes in the darknet and was a speaker on the opening day of the security trade fair, calls it a worst-case scenario (a "super-GAU"). Swisscom, on the other hand, emphasizes that the data theft involved "personal data that is not particularly worthy of protection. The names, addresses, telephone numbers and dates of birth of the 800,000 customers were stolen, primarily from the mobile phone business. The incident did not involve any sensitive data such as passwords, call or payment data. It is therefore largely contact data that is publicly available or available via address traders." That may be true, but it still leaves a bad aftertaste.

Instruction in handling customer data

According to the Foundation for Consumer Protection (SKS), Swisscom is playing down the incident. It cannot hide the fact that data leaks occur time and again, and that completely secure protection in the handling of customer data cannot be guaranteed.

The incident is reason enough to once again recall the most important points of consumer protection, which are central in dealing with customer data:

  • Security: Companies are obliged to apply the greatest possible security when handling customer data. This also applies if third parties are commissioned with data processing or if third parties (e.g. sales partners) are granted access to customer data.
  • Data economy: Only as much data may be stored or processed as is absolutely necessary for the provision of a service.
  • Transparency and information: It must be ensured that incidents and leaks are noticed immediately and that the affected customers are informed without delay.

Consumer Protection is also calling for stricter data protection. According to the organization, it is working to ensure that the relevant principles are included in the revision of the Data Protection Act. Politicians do not seem to be aware of the importance of this, because the data protection revision was put on the back burner by the National Council's government policy committee in January, criticizes the SKS.

What has Swisscom done?

As an immediate measure, the telecom provider writes, the partner company's affected access has been blocked. In addition, various measures are being taken internally to better protect access to such non-sensitive personal data by third-party companies, in particular the following:

  • Access by partner companies is now more closely monitored; in the event of unusual activity, an alarm is automatically triggered and the access is blocked.
  • In future, large-scale queries of all customer data will be technically prevented.
  • In addition, two-factor authentication will be introduced in 2018 for all necessary data access by sales partners.
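As an added illustration of the first two measures (monitoring partner access with automatic alerting and blocking, and a technical cap on bulk queries), the following Python sketch replays constructed partner-access log lines against per-partner record budgets. It is example code, not Swisscom's implementation; the log format, thresholds and partner names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values (not from the article): a single lookup may return at
# most 50 records, and a partner may fetch at most 200 records per rolling hour.
MAX_RECORDS_PER_QUERY = 50
HOURLY_RECORD_BUDGET = 200
WINDOW = timedelta(hours=1)

# Constructed sample log lines: ISO timestamp, partner id, records requested.
SAMPLE_LOG = """\
2018-02-07T09:00:00 partner-A 20
2018-02-07T09:30:00 partner-A 30
2018-02-07T09:01:00 partner-B 50
2018-02-07T09:02:00 partner-B 800000
2018-02-07T09:03:00 partner-B 50
2018-02-07T09:04:00 partner-B 50
2018-02-07T09:05:00 partner-B 50
2018-02-07T09:06:00 partner-B 50
2018-02-07T09:07:00 partner-B 50
"""

def parse_log(text):
    """Parse log lines into (timestamp, partner, records), oldest first."""
    events = []
    for line in text.splitlines():
        ts, partner, n = line.split()
        events.append((datetime.fromisoformat(ts), partner, int(n)))
    return sorted(events)

def monitor_partner_access(log_text, max_per_query=MAX_RECORDS_PER_QUERY,
                           budget=HOURLY_RECORD_BUDGET, window=WINDOW):
    """Replay the log; return (decisions, alerts, blocked partners).
    decisions is a list of (partner, records, verdict) in chronological order."""
    recent = defaultdict(deque)   # partner -> (ts, records) inside the window
    blocked, alerts, decisions = set(), [], []
    for ts, partner, records in parse_log(log_text):
        if partner in blocked:            # access stays blocked once tripped
            decisions.append((partner, records, "denied-blocked"))
            continue
        if records > max_per_query:       # bulk query technically prevented
            alerts.append(f"{ts} {partner}: oversized query ({records}) rejected")
            decisions.append((partner, records, "rejected-oversized"))
            continue
        q = recent[partner]
        while q and ts - q[0][0] >= window:   # drop entries outside the window
            q.popleft()
        q.append((ts, records))
        total = sum(n for _, n in q)
        if total > budget:                # unusual volume: alarm and block
            alerts.append(f"{ts} {partner}: {total} records/hour > {budget}, blocked")
            blocked.add(partner)
            decisions.append((partner, records, "denied-budget"))
            continue
        decisions.append((partner, records, "allowed"))
    return decisions, alerts, sorted(blocked)
```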

(rs)
