The attacker was able to lift customer names, addresses, bank account numbers and birth dates from a database on the company's internal network. However, phone numbers, credit card details, PINs and passwords were all safe. The carrier said that as a result, the data would be useless in higher-level crime like bank account fraud.
"Vodafone deeply regrets the incident and apologizes to all those affected," the operator said in a statement reported by the BBC.
Vodafone’s response is not equal to the magnitude of the situation, some said. “This is another example of the fallout from the NSA leaks which has added an unimaginable amount of fuel to an already roaring fire,” said Caitlin Johanson, senior solutions architect at Veracode, in a comment to Infosecurity. “Aside from the Verizon deal, Vodafone was also named as one of the telecom companies supplying data to Britain’s spy agency. With these two huge moving parts, there is no downplaying a breach, and there is no use in saying that the data is unusable, that’s just plain silly.”
The carrier did say that a suspect has been identified and his home has been searched. Worryingly, it also intimated that the attacker was an employee: "This attack could only be carried out with high criminal intent and insider knowledge and was launched deep inside the IT infrastructure of the company," it noted in the statement.
“This attack is particularly surprising given strict German protection methods around auditing of data access and encryption of sensitive information,” said George Anderson, senior marketing manager from Webroot, in an emailed comment. “It highlights how easy it can be for customer data to fall into the wrong hands – even in such precautionary environments. An insider threat can have equally bad – if not more far-reaching – consequences than external ones.”
Insider-driven or not, the size of the breach and organization involved point to deep flaws in security policy, according to Matthew Standart, threat intelligence manager at HBGary.
“What can be stated any time there is a successful breach of this magnitude, is that most if not all security controls have failed at the victim organization,” he said, speaking to Infosecurity. “These controls include perimeter security, internal network security, endpoint security, data security and possibly physical security, based on the comment made regarding possible ‘insider knowledge.’”
But the main concern now of course is what dangers may follow the capture of the information: what will the criminals do with it? David Harley, senior research fellow for ESET, said in an email to Infosecurity that the facts for now do seem to indicate that not enough data have been exfiltrated for a direct attack on customers en masse. However, there is the risk of some kind of data aggregation attack where the information that has been shared is used to give credibility to a phishing-type email.
“In general, the weakness of generic phishing is that the attacker doesn't have information specific to potential victims, so emails [are] addressed non-specifically to 'Dear Valued Customer' or something similar,” he explained. “If a victim reads an email with his actual name and minimal account details, even a phish-savvy customer may be more inclined to trust it. However, it's a lot more effort to mail out semi-personalized phish messages in any quantity, and I'm not sure how likely it is that a scammer will go to that trouble.”
However, if they are willing to go to the trouble, the success rate could be notable. “Many people don’t realize the level of sophistication phishing attacks can reach,” Anderson said. “Some phishing sites are only live for a few hours and are almost indistinguishable from genuine requests. What’s more, they are often very targeted – accessible only from a single link included in a particular email.”
While customers have been notified and told to watch for unusual activity and suspicious messaging, the carrier may not have acted in time to prevent consequences. It said that it had been asked by police to delay notifying customers to avoid compromising an investigation into the matter – and didn’t mention when the attack actually took place.
As the victims and industry-watchers wait to see how the incident plays out, there are lessons to be learned, of course. For one, mobile devices have essentially become small computers, housing email, important files and contacts. Users turn to them to browse the internet, do online banking and for entertainment. The issue is that the security levels expected for mobile devices tend to be much lower than for PCs.
“As for insider attacks, there's no totally effective way of preventing someone with privileged access misusing that access, as the NSA will testify”, Harley said. “However, a business can minimize the risks by being all the more careful about vetting people in roles that allow them such access, ensuring that people who don't need that access don't have it (for instance, when they change roles) and so on. Obviously, the use and diligent maintenance of technical controls like internal firewalling also has a bearing. Clearly, not all attackers are on the outside.”
Vodafone customers should, of course, change their security details on the accounts affected. They should also do that by phone, Anderson cautioned, just in case the PC is infected, and run additional external security scans and checks on their machines.
And, as ever, users should be skeptical about all emails asking for sensitive information and revalidation of account information, and assume that any links are likely to be malicious.