In a 7 February press release, the £8.4 billion Switzerland-based company acknowledged that in autumn 2017, a malicious actor gained access to Swisscom customer names, addresses, phone numbers, and birth dates. Swisscom labelled this data as “non-sensitive,” noting that sensitive data such as passwords, conversations and payment information was not impacted, and that there was no evidence of additional malicious activity stemming from the breach.
Swisscom emphasised that no systems were hacked, which suggests the adversary may have stolen the partner's access credentials.
In response to the incident, the company says that it cut off the victimised partner's access, and further improved its security of non-sensitive data by enhancing access control, blocking access following any anomalous activity, and forbidding the execution of high-volume queries for all customer information. Swisscom also plans to institute two-factor authentication in 2018 for any data required by sales partners.
Swisscom explains in its release that third-party partners need access to certain customer data “to enable them to identify and advise customers and conclude or amend contracts with them,” adding that system access for such information is “protected by specific user logins and passwords.”
“The Swisscom breach demonstrates clearly that companies must pay close attention to the cyber-security controls of any organisation that they interact with or are affiliated with. Even if it's just a partner with limited access to data, that's enough to expose sensitive information,” said Fred Kneip, CEO at CyberGRX, in emailed comments. “An open window to a locked house may provide limited access too, but it's still a way in. Organisations must understand that the boundaries of their business now expand to any partner, vendor or customer that touches their network, and that this expanding digital ecosystem creates an exponential extension of their attack surface.”