Latest EU data leak pushes insider practice to the fore
Mark Bower says organisations still need to raise their game when it comes to internal protections
What may be the first major breach since the tough new EU rules on data privacy came into force has emerged. Data stolen reportedly includes names, addresses, birth dates, gender, bank sort codes and account numbers for two million applications from individuals seeking to sign up with Vodafone Germany.
The key word here is "seeking". This is likely the kind of web application where customers fill in forms, sending in their credit and bank details to verify their identity. Ironically, while this streamlines a business process or two, it is perfect data for the purposes of committing identity theft.
As far as notification is concerned, Vodafone seems to be doing the right thing by being transparent. However, a breach of this scale raises questions about how data is being protected in enterprise systems.
This significant breach will certainly have high cost ramifications. Similar-scale breaches at payment processors here in the US, for example, where networks are processing payments, have cost $95m (£60m) to $140m. That's a big slice off a budget at any enterprise.
And it is not just about the fines from the regulators, it's the remediation work: risk analysis and process breakdown discovery, heavy-duty audits, and the cost of revisiting security strategies to ensure customer trust is not further eroded by another attack.
Mobile customers are quick to change providers, so the loss of revenue associated with two million customers is also a significant financial risk.
Telecoms networks, especially the large players, are a huge target for attackers. They process massive amounts of data on a continuous basis, and much of it is sensitive.
Network provider data flies around everywhere – both inside and outside the enterprise. While the hows and whys of this insider attack have not yet been revealed, many large organisations fall into the trap of relying on data-at-rest encryption alone, which does nothing to protect data in use, in motion, or as applications process it.
I suspect that's exactly where this breach took place: tapping into data as it is decrypted (or not) off disk and on the network. Theft by advanced malware sniffing data either in memory or as it travels point to point is common, and of course, it is relatively low-hanging fruit for an insider.
US payment processing and telecoms leaders have adopted a completely new data protection strategy to mitigate these risks: data-centric security, which renders any stolen data useless to the attacker while still allowing applications to function as before, at massive payment-processor and telecoms-carrier scale.
That's a big deal, especially when there is a need to protect data across typical telecoms infrastructure, where you'll find all sorts of platforms – HP NonStop, IBM mainframe, open systems, and legacy and contemporary applications spanning enterprise, Hadoop and cloud.
What is consistent across these platforms is the data. That's why data-centric security is the new frontier of attack mitigation. Protect the data, not the server or disk. It's the data that attackers want.
The new regulations will put yet more pressure on telecoms firms in the EU and notifications will become more frequent for sure – for those not taking a new approach to data protection.
The good news is the tools are already here to address this risk head on, at scale, and across the entire enterprise or network.
With government standards recognition of approaches such as NIST 800-38G (Format-Preserving Encryption), even the most demanding organisations have the independent validation and security proofs needed for standards-process adoption, and assurance that the risk of a breach is reduced.
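The point made above about data-centric protection, and the reference to format-preserving encryption, can be made concrete with a small worked example. The code below is an added illustration, not Voltage's product code and not the NIST 800-38G FF1 or FF3 algorithm: it is a toy unbalanced Feistel cipher over decimal digit strings with HMAC-SHA256 as the round function, which shows the property the article relies on. A sort code or account number is encrypted field by field into another digit string of the same length, so fixed-width records on legacy platforms keep their shape, while the name and address fields are left as they are. The key, the field names and the sample record are all constructed for the example.

```python
import hashlib
import hmac

ROUNDS = 10  # toy parameter for illustration; this is not the FF1 round schedule

# Constructed example key; a real deployment keeps keys in an HSM or key manager.
EXAMPLE_KEY = b"example-key-not-for-production-00"


def _round_function(key: bytes, tweak: bytes, round_index: int, half: str, modulus: int) -> int:
    """Pseudo-random function for one Feistel round.

    HMAC-SHA256 over (tweak, round index, the other half) reduced mod 10**m,
    so the result can be added to an m-digit half without leaving the digit domain.
    """
    msg = tweak + bytes([round_index]) + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % modulus


def _check_digits(digits: str) -> None:
    # Only ASCII decimal digits are in the format; reject anything else up front.
    if not (digits.isascii() and digits.isdigit()) or len(digits) < 2:
        raise ValueError("input must be an ASCII digit string of length >= 2")


def fpe_encrypt(digits: str, key: bytes, tweak: bytes = b"") -> str:
    """Toy format-preserving encryption: digit string in, same-length digit string out."""
    _check_digits(digits)
    n = len(digits)
    u, v = n // 2, n - n // 2          # unbalanced split, as in FF1
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v      # the half being modified alternates in width
        y = _round_function(key, tweak, i, b, 10 ** m)
        c = (int(a) + y) % 10 ** m
        a, b = b, str(c).zfill(m)       # zfill keeps leading zeros, e.g. sort code 040123
    return a + b


def fpe_decrypt(digits: str, key: bytes, tweak: bytes = b"") -> str:
    """Inverse of fpe_encrypt: run the rounds backwards, subtracting instead of adding."""
    _check_digits(digits)
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        y = _round_function(key, tweak, i, a, 10 ** m)
        c = (int(b) - y) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b


# Constructed sample of the field types the article lists; hypothetical field names.
PROTECTED_FIELDS = ("sort_code", "account_number")


def protect_record(record: dict, key: bytes) -> dict:
    """Field-level (data-centric) protection: encrypt only the bank identifiers.

    The field name is used as the tweak so the same digits in different fields
    do not encrypt to the same ciphertext. Non-digit fields pass through unchanged,
    which is what lets the record flow through existing applications as before.
    """
    out = dict(record)
    for field in PROTECTED_FIELDS:
        out[field] = fpe_encrypt(record[field], key, tweak=field.encode("ascii"))
    return out


def unprotect_record(record: dict, key: bytes) -> dict:
    out = dict(record)
    for field in PROTECTED_FIELDS:
        out[field] = fpe_decrypt(record[field], key, tweak=field.encode("ascii"))
    return out


if __name__ == "__main__":
    sample = {"name": "A. Sample", "sort_code": "040123", "account_number": "31926819"}
    protected = protect_record(sample, EXAMPLE_KEY)
    print("stored/in-flight:", protected)
    print("recovered:      ", unprotect_record(protected, EXAMPLE_KEY))
```

Run as-is, the protected record still carries a six-digit sort code and an eight-digit account number, so a downstream system that validates field lengths or character sets does not need to change; only the component holding the key can recover the real values, which is the sense in which stolen copies of the record are useless to the thief. The Feistel construction here is for illustration only; a production deployment would use a validated NIST 800-38G implementation and proper key management.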
In the meantime, any customer affected should monitor their bank accounts very closely.
Mark Bower is vice president at Voltage Security