by Dan Bieler and Ed Ferrara

Mobile Operator Vodafone Is In The Midst Of A Security Breach Crisis

Vodafone Germany is facing a crisis brought on by its second major security error of 2013. Earlier this year, Vodafone failed to inform customers about an insecure setting on its widely deployed Easybox modem for several months. That setting allowed hackers to take over the PCs of Vodafone DSL and Wi-Fi customers. Now Vodafone has become the victim of another cyberattack. The result: the exposure of the records of more than 2 million customers — data that includes customers’ date of birth, address, and bank account information. Vodafone has engaged law enforcement and believes that the attack was perpetrated by someone with “deep insider knowledge.”

The fallout from these security missteps is likely to be felt for some time in the form of additional customer churn. The degree of the damage will depend on the number of stolen identities and whether any reports of illegal banking transactions appear in the press and social media. Of course, Vodafone is not the first telco to be attacked, and it won’t be the last. But the scale and depth of these security “slippages” could have far-reaching consequences.

Public Disclosure Was The Right Thing To Do

Vodafone did the right thing by going public fairly quickly. However, this episode leaves many questions open as to how such a security breach could occur. The real risk of such telco security blunders is that they undermine the reputation of telcos as trusted and secure providers of emerging services like home-area networking, connected cars, online healthcare technology, smart grids, and similar offerings. As the traditional telecoms business declines, these emerging service areas form one of the few glimmers of hope for telcos to generate revenue growth in the future. Telcos do have the opportunity to play the role of ecosystem manager, but acting as a trusted and secure provider is a prerequisite for telcos to even have a go at this opportunity.

Telcos Are Not Immune To Cyberattacks

It’s all the more important for telcos to boost their security operations and bring their security standard up to the level of other sectors like financial services. At this stage, we believe that many telcos pay too little attention to security as a business-critical issue. Malware analytics and incident handling are quite often treated as an add-on to classic network management. A certain hubris exists in the industry: the belief that telcos are better than other companies at detecting and stopping these types of attacks. Events like Vodafone’s recent breach prove that telcos are just as susceptible to cyberattack as any other organization.

And although the number of attacks on mobile platforms has been relatively small compared with attacks on traditional workstations, the “mobile-first” momentum for both consumers and business users will add millions — or billions, if you count M2M — of devices as new endpoints that need to be secured. Hence, any sign of security complacency by telcos is foolish and undermines the long-term business potential of the entire sector.

What It Means

We believe that telcos should do the following to make their security strategy more comprehensive and professional:

  • Employ real-time data analytics techniques to monitor irregular and suspicious activities. This type of monitoring highlights misconfigured and unprotected devices, prepares for types of attacks that have yet to surface, and paints an end-to-end security picture for customers via elaborate dashboards and a unified security infrastructure.

  • Control customer data more effectively at the database level. Google, for instance, breaks up customer data and stores these “data shards” on different servers (and even in different data centers). Without the right key, an attacker cannot make sense of the data shards.

  • Centralize security coordination. Cross-coordination between telcos by a neutral association could help mitigate malware and phishing outbreaks. Moreover, telcos could benefit from best-case security strategies.