BreachExchange mailing list archives

Orange data breach underlines need for encryption, say experts


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 9 May 2014 13:36:08 -0600

http://www.computerweekly.com/news/2240220378/Orange-data-breach-underlines-need-for-encryption-say-experts

The theft of 1.3 million French customer records from mobile operator
Orange underlines the need for organisations to encrypt data, say security
industry representatives.

This is the second time the French branch of the company has been hit by a
data breach, with 800,000 customer records stolen in January.

It is the latest in a string of breaches involving customer data, with
victims including US retailers Target and Sears, and Vodafone Germany.

The company has not admitted the data was not encrypted, but a warning that
the stolen data may be used for phishing purposes indicates the data was
stored in clear text.

In the latest breach, attackers are believed to have accessed a database of
customer details including name, email address, phone number, internet
service provider, and in some cases, date of birth.

Orange France discovered the attack on 18 April, but reportedly delayed a
public announcement of the breach to assess the damage, repair its systems
and inform affected customers.

“It is worrying that the details of such a large number of customers were
apparently unencrypted,” said Steve Smith, managing director of data
security firm Pentura.

“The company has stated that the data has already been used in phishing
attacks, to try and trick people into revealing further information,” he
said.

According to Smith, the breach highlights how critical it is for businesses
such as retailers and telecoms firms to encrypt the volumes of consumers’
personal data they hold.

“Otherwise such databases are potential goldmines for hackers,” he said.

George Anderson, director at security firm Webroot, said phishing remains
the most prevalent attack. According to the firm's research, it accounts for
more than 55% of successful breaches.

“Victims just do not realise how sophisticated these attacks now are. Most
phishing sites are ‘live’ for just a few hours and the phishing attack is
often indistinguishable from genuine communications and requests,” he said.

Anderson said customers of Orange France should remain vigilant and
double-check the source of any emails, unknown phone calls and SMS messages.

“Businesses have a duty to remain vigilant and be highly responsive in
warning their customers of any risks as soon as they occur, because even
the smallest incident opens the door to a cyber attack,” he said.

Tony Caine, European vice-president and general manager for HP enterprise
security products, said the frequency and close proximity of the attacks
also demonstrate the importance of a layered security infrastructure.

“While the attack has now been resolved, there is no telling how long the
adversary had already been inside Orange’s systems,” he said.

According to HP research, it takes 243 days on average for an organisation
to detect a breach.

Such breaches are becoming increasingly common, particularly in France,
where companies typically experience 26 successful attacks a week,
according to HP research commissioned in 2013.

The study also found that the average annual cost of cyber crime for French
businesses was £3.18m.

The average cost of the worst breach for large UK organisations is £600,000
to £1.15m, up from £450,000 to £850,000 a year ago, according to the 2014
Information Security Breaches Survey.

The report, launched at Infosecurity Europe 2014 in London, was conducted
by PricewaterhouseCoopers (PwC) and sponsored by the Department for
Business Innovation and Skills.

The cost of data breaches for smaller businesses with fewer than 250
employees has roughly doubled to between £65,000 and £115,000, up from
£35,000 to £65,000 a year ago.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
