SECURITY EXPERTS have spoken out about the hack on UK mobile operator Three, accusing the firm of "corporate blindness".
Three confirmed news of the attack on Thursday, revealing that hackers accessed its systems using an employee log-in, potentially putting the personal data of six million customers at risk.
Security firms have been quick to respond to the TalkTalk-like hack, saying that the firm was probably "waiting for a major breach" before taking steps to improve security.
François Amigorena, CEO of IS Decisions, said: "This is the umpteenth time a major company has suffered a data breach as a result of an employee log-in falling into the wrong hands.
"eBay, Sony, Sage and other large corporations have suffered similar fates recently, and it seems that most organisations are waiting for a major breach of their own before doing anything to improve their security, which is the worst way to do things."
Intercede CEO Richard Parris agreed. "The news of yet another security breach, this time at Three Mobile, makes depressing reading and it seems to be a story without an end," he said.
"These sorts of breaches, whether carried out by employees, customers or third parties, all appear to have something in common: fundamentally insecure approaches to identity, credential and application management."
Parris explained that "slavish devotion to short-term margin and revenue growth" is leading to "corporate blindness" in companies like Three.
"The risks are well known, and the solutions are available, but rather than sort the issue, C-level executives and board members the world over simply hope their company isn't next on the hit list," he said.
Dan Panesar, VP of EMEA at Certes Networks, went so far as to say that the entire industry now needs to shift to a "zero trust" model for user data, one that assumes every user can be compromised.
"The only way to halt such breaches is for the industry to rethink trust. The industry needs to adopt a 'zero trust' model in which it is assumed that every user might be compromised, and that no user is implicitly trusted," he said.
"Any user might be a hacker in disguise. Organisations must adopt a 'need to know' access strategy, meaning users can only access the data they need to do their job.
"This means that when, not if, a hacker does pass a company's outer defences, as has happened time and time again, they do not have free rein over the systems of a company holding the personal data of millions of customers."
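One way to make the 'need to know' strategy described above concrete, as an added example that is not code from the page or from Certes Networks: a deny-by-default, field-level access policy in Python. Role names, field names and the sample customer record are all constructed for the example. Each role is granted only the fields its job needs, an unknown role gets nothing, and every refused request is recorded so that a login being used outside its job is noticed by the organisation rather than reported by its customers.

```python
from collections import Counter

# Added example (not code from the page or from Certes Networks): a
# need-to-know access check. Each job role is mapped to the customer
# fields it legitimately needs; anything not listed is refused by
# default, so a stolen employee login only exposes that role's fields.
# Role names, field names and the sample record are all constructed.
POLICY = {
    "call_centre": {"name", "phone", "plan"},
    "billing": {"name", "address", "billing_reference"},
    "fraud_team": {"name", "phone", "address", "recent_calls"},
}

# Constructed sample customer record (the phone numbers use the Ofcom
# reserved drama range, so they belong to nobody).
CUSTOMER = {
    "name": "A. Example",
    "phone": "+44 7700 900123",
    "address": "1 Example Street",
    "plan": "SIM-only",
    "billing_reference": "REF-0001",
    "recent_calls": ["+44 7700 900456"],
    "date_of_birth": "1990-01-01",
}

# Every refused field access is recorded here. Reviewing these records is
# how the organisation, rather than its customers, notices an account
# being used outside its job.
_denials = []


def read_fields(role, requested, record=CUSTOMER):
    """Return (granted, refused) for one access request.

    granted: dict of field -> value for the fields the role may read.
    refused: sorted list of requested fields the role may not read,
             including fields that do not exist, so probing for hidden
             fields is logged as well.
    """
    allowed = POLICY.get(role, set())  # unknown role gets nothing
    granted = {f: record[f] for f in requested if f in allowed and f in record}
    refused = sorted(f for f in requested if f not in allowed or f not in record)
    if refused:
        _denials.append({"role": role, "refused": refused})
    return granted, refused


def denial_count_by_role():
    """Number of refused fields per role across all requests so far."""
    counts = Counter()
    for entry in _denials:
        counts[entry["role"]] += len(entry["refused"])
    return dict(counts)


def suspicious_roles(threshold=3):
    """Roles whose refused-field count has reached the threshold.

    A single mistyped request is noise; a login that keeps asking for
    data outside its role is the signal worth investigating.
    """
    return sorted(r for r, n in denial_count_by_role().items() if n >= threshold)


if __name__ == "__main__":
    granted, refused = read_fields("call_centre", ["name", "phone", "date_of_birth"])
    print("granted:", granted)
    print("refused:", refused)
    # A compromised call-centre login repeatedly reaching for billing and
    # call-history data trips the review threshold.
    for _ in range(3):
        read_fields("call_centre", ["billing_reference", "recent_calls"])
    print("suspicious:", suspicious_roles())
```

The policy is the allow-list; the record is never handed out whole, and the denial log is a first-party source of breach signal instead of waiting for customer complaints.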
David Kennerley, director of threat research at Webroot, likened the attack to TalkTalk's 2015 breach, and criticised the firm for having to learn of the hack via a customer.
"This attack has echoes of the breach TalkTalk suffered and highlights the fact that organisations are still not learning from the mistakes of their peers," he said.
"A recurring theme we are seeing with these breaches is that the organisations aren't discovering them first. In Three's case it was alerted when customers complained of scam calls, and earlier this week AdultFriendFinder discovered it had suffered an attack only when details were leaked online.
"All companies, especially those dealing with sensitive customer data, must balance their security resources against their risk tolerance, and look at threat intelligence solutions that provide the greatest scope of protection.
"One thing is clear: the rate at which these breaches occur cannot be tolerated, and all organisations need to assess whether their customer data really is secure."