Swisscom embarrassed by sensitive data leak

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.swissinfo.ch/eng/business/Swisscom_embarrassed_by_sensitive_data_leak.html?cid=36925042

Switzerland’s biggest telecommunications provider Swisscom has launched a
criminal complaint after tapes containing company data were stolen and
passed on to a Swiss newspaper.

The Neue Zürcher Zeitung newspaper said on Wednesday that it had received
four files of information. Names and contact details of Swisscom clients
and the status of various projects were contained amid more mundane
internal emails arranging barbeques and company cars, the NZZ reported.

Swisscom said it could not yet rule out the possibility that sensitive
client data was contained on any of the tapes that went missing en route to
being destroyed under routine circumstances.

“Swisscom is working on the assumption that the data tapes were taken
illegally and has therefore filed criminal charges against persons unknown
with the [Bern] public  prosecutor,” the company said in a statement.

“Swisscom has also instigated an in-depth review of the procedure used to
dispose of data carriers in order to identify any potential weaknesses.”

The state-owned telecoms firm added that the type of tapes that went
missing, containing back-up files from two of its data centres for the
years 2008 to 2010, had been replaced by more secure hard disks in 2012.

Expanding

The security breach will nevertheless be of huge concern to Switzerland’s
dominant telecoms company that has been expanding its data storage services
in recent years.

With global companies from all business sectors, along with public sector
entities, looking to safely store parts of their rapidly expanding mass of
electronic data with third parties, a reputation for stringent security and
trustworthiness are vital for data storage providers.

In July, against a backdrop of concerns about United States spying in
Europe, former Swisscom boss Carsten Schloter told Le Temps newspaper that
there had been no confirmed thefts of Swisscom data, despite daily attacks
from cyber criminals.

But he added that “there is no such thing as 100 per cent security”.

The data storage business is growing rapidly in Switzerland where companies
can leverage the Swiss traditions of client confidentiality, strong data
protection laws and stable governance.

Switzerland has the second densest data storage capacity per capita in
Europe, according to a recent study by market research consultants
Broadgroup.

But Switzerland has also been no stranger to data leak scandals in recent
years with banking information being sold to foreign governments by
employees blowing the whistle on tax evaders.

The Swiss Data Protection Commissioner’s office confirmed that it was
investigating the Swisscom security breach, but had yet to receive full
details of the transgression.

“We are in contact with Swisscom to determine the exact circumstances of
this incident,” spokeswoman Eliane Schmid told swissinfo.ch. “Swisscom
takes data protection seriously and we are routinely in regular contact
with the company.”

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

# OWASP http://www.appsecusa.org
# Builders, Breakers and Defenders
# Time Square, NYC 20-21 Nov
o()xxxx[{::::::::::::::::::::::::::::::::::::::::>

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.