Swiss telecoms giant Swisscom has admitted suffering a data breach late last year which exposed the personal details of around 800,000 customers to unauthorized parties.
The company, which is majority-owned by the government, claimed that the intruders accessed the data via a sales partner last autumn.
Most of those affected were mobile customers, although a “few” fixed network subscribers were also hit. The number of breached customers represents around 10% of the entire population of Switzerland.
Customers’ names, addresses, telephone numbers and dates of birth were compromised. Although Swisscom maintained this data is “non-sensitive,” it would be enough to give fraudsters a useful start in crafting convincing follow-on phishing attacks.
That said, the firm has claimed no such activity has affected customers as yet.
“Swisscom discovered the incident during a routine check of operational activities and made it the subject of an in-depth internal investigation,” the company continued.
“Swisscom stresses that the system was not hacked and no sensitive data, such as passwords, conversation or payment data, was affected by the incident. Rigorous long-established security mechanisms are already in place in this case.”
After discovering the incident, Swisscom said it blocked the offending partner’s access rights immediately. It promised to introduce two-factor authentication for all sales partners this year, put in place systems to raise the alarm in the case of any unusual activity and make it impossible to run high-volume queries for all customer info.
Ilia Kolochenko, CEO of High-Tech Bridge, argued that security exposure via partners is still a widely unacknowledged problem.
“Many large financial institutions and e-commerce businesses have lost millions of records because of hacked third-parties. Cyber-criminals won't assault the castle, but will instead find a weak supplier with legitimate access to the crown jewels,” he explained.
“However, the good news is that we see more and more companies who rigorously implement, for example, vendor risk assessment policies now, to prevent such risks. Swisscom's efforts to mitigate and investigate the breach are laudable, but they won't really help the victims.”