On November 18, 2016, UK mobile operator Three admitted millions of its customers’ private information was at risk after hackers broke into its security system. The company said hackers used an employee login to access its customer upgrade database, leaving nine million customers at risk.
A spokesman for Three detailed that over the last four weeks, the company had experienced an increasing level of attempted handset fraud. This had been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices. In order to commit this type of upgrade handset fraud, Three acknowledged that perpetrators used authorised logins to its upgrade system.
The hackers then accessed customer accounts and upgraded them in order to intercept the new phones and sell them on.
DarkMatter commentary and insights
Three only discovered the breach, which occurred on the evening of November 17, 2016, after customers filed complaints claiming that scam callers were attempting to gain access to their bank accounts.
The fact that internal monitoring did not detect there may have been suspicious activity with respect to the functioning of the upgrade system is a shortcoming. In many ways we believe the insider threat looms larger than outsider threat given organisations typically shore up their defences tailored to mitigating threats emanating from outside of the organisation ahead of vetting and securing internal procedures, processes, and people.
DarkMatter believes insider threats need to be regarded and considered with the same rigour as external ones, and that multi-factor authentication with diligent asset management of authentication tokens ought to be implemented, particularly in the case of retailers that manage inventories of physical or virtual assets.
Organisations need to re-visit their system of logon credentials, with the view to implementing multi-factor authentication to accounts, so that even if a password is stolen and access to a system gained, hackers cannot access any accounts or transactions without the corresponding token or biometric for the account.
We applaud the UK’s Chancellor of the Exchequer, who has been especially vocal on matters related to the threat cyber crime poses to the British economy and indeed the welfare of regular people, and the requirement to actively defend against it. In his latest comment earlier this month he stated, “Trust in the internet and the infrastructure on which it relies is fundamental to our economic future. Because without that trust, faith in the whole digital edifice will fall away.”