Three’s Two Big Mistakes Has Just One Likely OutcomeSecurEnvoy 14/04/2017 Company News
Maybe one of biggest revelations to mobile operator Three, other than that they must suffer number related puns for the rest of their existence, is that their IT security policies have been proven not to up to scratch.
On the 21st of March 2017, it was revealed by the UK newspaper The Guardian, that when some customers accessed their online accounts, they were able to see the name, address and contact details of other Three customers. The typical sound-bite from Three was that this was only exhibited across a small minority of accounts and that no payment information as revealed. Good public relations it may be, but soon an irrelevant argument in the eyes of the Information Commissioners Office (ISO) with personal data becoming just as sensitive under the General Data Protection Regulation (GDPR).
It’s Deja Vu
This isn’t the first time that Three has attracted scrutiny for its lacklustre approach to protecting personal data. In November of 2016, Three discovered that over 130,000 customer accounts had been accessed by an unauthorised party. An opportunistic group had discovered that the system used to order and process customer handset upgrades was protected by a simple username and password, leaving the system at the mercy of the battle between administrators and users for secure passwords.
Once again Three pressed the sound-bite button, declaring that payment information was never disclosed and that the perpetrators only ordered free upgrades and changed the delivery address to their own. Albeit true, the GDPR would consider this breach to be severe. As a data processing system, the regulation declares that its confidentiality and integrity must be maintained by an organisational or technological control.
The Death of Risky Businessman
A risk assessment, also known as a data protection impact assessment (DPIA) under the GDPR, is expected to be carried out in scenarios of large scale data processing. Whilst there is no definitive measurement, 130,000 is arguably large and most likely warrants this activity. Its purpose is to reveal areas of undue risk to data subject’s personal data, for example where a poor employee password exposes an entire data processing system to the internet.
The banking industry, most large IT providers, some public-sector services and most employers with VPNs have taught us over the past 3-4 years that reliance on a username and password is a level of risk that they are not prepared to bear. Rather than fight against user’s inability to remember strong passwords, using two-factor authentication suitably obfuscates their credentials rendering them useless if stolen. If Three’s itchy PR-button fingers do not consider the feeling mutual, maybe the GDPR can convince them otherwise. With administrative fines, up to 4% of annual global revenue or €20,000,000 and the possibility of individual liability lawsuits from data subjects, the cost of a such a solution becomes much more attractive.
As the saying goes, bad news comes in three, especially if you refuse to heed the examples of the past.