Telco plays fast and loose with Customer Login data

Posted on January 31, 2014


My desk had the mornings pile of junk mail on it, opened by my PA, which off the back of a late Burns night entertaining customers got short shrift as I cascaded them into the waste paper recycling bin by my desk. My mind still working at getting itself clear of the nights excesses, grateful I was sober enough at 02:30 to break out of the slipstream of my compadres who where hell bent on making a morning of what was already running out of a great night.

As I coaxed my mind out of its crawler gear to focus on the day’s priorities ahead something like a retinal echo bounced an image off some grey matter deep in my cranium that made me glance back into the bin by my desk now engorged with junkmail. No I did not have that much to drink last night, my stomach was rock soldi, and whilst tired I was by no means hung-over. What had caught my lagging eye was an unsolicited promotional mailing booklet from one of our suppliers with both my name and our company name clearly printed on the front. My intent to simply redirect the junk mail to the shredding bag, as we have a company policy that anything with company identifiable information on it gets shredded. Thus I found myself taking the short stroll to the printer rooms shredding bag winning a few more moments grace delaying the inevitable of anything more mentally taxing than shuffling paper around.

What happened on the way to the shredder bag was one of those things you wish you could bottle and sell, my fortune would have been made, and I would have stolen the hangover cure market overnight! Alas these things are elusive and whilst that wistful dream accelerated away down one thought process my complete and undivided attention was captured by the back page of the booklet form our telco call handling service provider Windsor Telecom. I was now fully focused and firing on all neurons.

Read that one again WINSOR TELECOM …. A bunch of Muppets, you may wish to avoid after reading this.

After the usual double and triple checks that all faculties were functioning and reporting correctly along their respective neural pathways, that feedback was within usual tolerances, and no extremities had suffered any unexpected impact or interference, apart from a growing heat under the collar, I returned to my desk with the aforementioned junk mail.

A reprieve I hear you say, some enlightening, must have, cannot resist, business differentiating, competitive edging, new service had caught my eye? Am I going to share with you the intimate detail of one of those elusive 1% pieces of junk mail that actually delivers?

Well let me start by outing it this way, it provided me with the material for this blog, far from a valuable piece of promotional mail, this was perhaps the most blatant and ignorant breach of even the most basic rules of privacy and data protection I have seen for a long time. In the backdrop of the last few months escalation of data breaches across retail and business it comes as all the more shocking that Windsor Telecom remained so unaware, after all they are meant to be an IT company albeit a Telco derivative.

What shocked me out of my stupor was sight of our service login details in large font printed on the back page of said booklet! Combined with the company details and principle contact clearly printed on the front page this represented perhaps the most blatant and ignorant breach of even the most basic rules of privacy and data protection. I don’t know how many customers had been targeted with this same mailshot but I doubt we were alone.

With these login details any individual would have full access to an organisations virtual telephone service. This would include control over the numbers, the routing and mapping of those numbers, and additional data service such as call recording and logging to name just two of the most obvious high risks exposures.

OK I hear you saying its hard copy not digital, unlikely to have a high risk of being compromised, a red herring. How do you think these details got onto the booklet? I doubt the cost of a secure printing facility was used, this is junk mail after all, more than likely the data was email or FTP’d (File Transfer Protocol) or even worse USB’d to the printing agency possibly via a third party marketing agency first. So what we have is 1,000’s of secure customer login details in some form of digital file circulating between 3 organisations, a digital file which I doubt was encrypted or subject to a secure chain of accountability. So they now quiet possibly reside on any number of machines across multiple organisations and individuals. This has worrying ramifications across other areas of security for a Telco service.

All of that is somewhat academic. The crux of the issue is that here is one of the new generation of Software as a Service telecoms providers lacking a complete grasp of their responsibilities in the high risk world of online services. Software as a service (SaaS) providers are an aggregation point for valuable data and a software target for hackers. This is not new and has been broadcasted in mainstream messaging for over 10 years, so there is no excuse for not being aware, see ‘Hidden risks of software-as-a-service’!

Read the UK Governments ‘2013 Information Security Breaches Survey’ conducted by PWC. Some frightening highlights include:

  • 93% if Large organsiations had a security breach in 2013
  • 87% of Small Business had a security breach.
  • 113 is the median number of breaches suffered by each large organization (up from 71 in the previous period)
  • 17 is the median number of breaches suffered by each large organization (up from 11 in the previous period)
  • 57% of breaches suffered due to staff related security breaches (Up from 45%)

Read the executive summary of the report it is frightening. Despite the raised awareness of security the 2012 to 2013 shows increases in BREACHES, not just attacks, these are actual compromises. Increases in failures by organizational personnel as one of the largest risk areas.

We live in an age of Advanced Persistent Threats this is not going to go away and orgnsiations who aspire to provide our services and earn our trust must go further and invest more than ever before, there are no short cuts and only ignominy.

I have written this article because it is time users are made aware of the responsibilities they are placing on SaaS providers and ultimately for the providers to know that the honeymoon was over long ago, play fast and loose with customer data or the integrity of their trust in your services, then expect to be named and shamed.

Windsor Telecom regard yourself as having been put on notice, you have failed, you have breached a trust that will be hard to win back.