Head Group Security
"Never again."
Persons unknown have misappropriated Swisscom customer information classed as "non-sensitive personal data" under data protection laws. Philippe Vuilleumier, Head of Group Security, explains what happened, how the theft of sensitive data was prevented and how all data is going to be better protected from now on.
Roger Baur, 7 February 2018
The details of around 800,000 Swisscom customers were stolen. What happened exactly?
An unknown party used the access rights of a sales partner to gain unlawful access to customer information. That is, the names, addresses, telephone numbers and dates of birth of customers, as required for customer identification purposes. This information is classed as “non-sensitive personal data” under data privacy laws, since most of this information is already in the public domain or available from list brokers.
Was it a hacker attack?
No, the login and password were not hacked. Last September, a sales partner’s access was misused to covertly access the data unnoticed.
Why do sales partners have access to this data in the first place?
Sales partners sell our products and need access to this data to be able to advise our customers, amend their details and conclude new contracts.
Was sensitive data such as payment details affected?
No, sensitive data such as passwords and credit card numbers has always been subject to a higher level of security. This data was not accessible. The stolen data was of an innocuous nature, of the kind typically entered voluntarily in directories or made public on social media. Nevertheless, what happened is regrettable. After the fact, we realised that our technical measures had been insufficient to prevent such a breach.
"No, we currently have no information about the perpetrator. We are however working closely with the sales partner involved and are examining all our legal options."
Do we know what happened to the copied data and who the perpetrator was?
No, we currently have no information about the perpetrator. Our investigations to date have revealed that a French IP address was used. We are however cooperating closely with the sales partner involved and are examining all our legal options. The Federal Data Protection and Information Commissioner has also been notified. However, we consider it safe to assume that the information not been used – so far, no increased activity has been recorded on any of the lines concerned. Customers have therefore not suffered any damage.
How do customers find out if they are affected and how can they protect themselves?
Customers can simply send an SMS to the free 444 number with the text “Info” to find out whether their details were among the stolen data. Fixed network and business customers have been notified by e-mail and letter. We recommend that affected customers use the free Callfilter to block unsolicited advertising calls. We are confident that cold calling is the worst thing that could happen as a result of this breach.
How serious is this incident for Swisscom?
Given that this information is often provided voluntarily in telephone directories, on social media or when taking part in competitions, it is, for the most part, also freely available to list brokers. That being said, this type of thing should never happen at Swisscom. We greatly regret the incident - it falls short of the high standards to which we hold ourselves. We have now taken all steps to ensure that an incident of this kind will never happen again.
What steps have been taken?
We took immediate action to greatly tighten our internal security measures to prevent such an incident from ever happening again. Both sensitive and non-sensitive personal data is now better protected: Access by partner companies will be monitored more rigorously and an alarm triggered immediately if anything irregular occurs. In fact, our systems no longer permit high-volume data queries. Further precautions will be introduced in the course of the year.
No sensitive data was actually breached in this case. But what measures is Swisscom taking to protect the really sensitive data?
We indeed invest a lot of money in our security, the security of our data and continuously improve this protection. Measures include our own “red team”, our in-house hackers, and our highly successful “Bug Bounty Programme”. This involves us inviting external security experts to put our systems through their paces and notify us of any weaknesses they find. In return, they receive a bonus or bounty. We are the first company in Switzerland to have launched such a programme. It gives us a good idea of what kind of attacks to expect. And believe me, there are more of them than you can possibly imagine: 3.6 million a month – that’s more than one attack every second.
And the trend is on the rise?
Absolutely! Organised crime has long realised that a lot of money can be made online without too great a risk, quite literally without getting their hands dirty. This is why we are doing our utmost to continuously improve security for our customers in cooperation with the authorities, partners and our customers themselves. Incidentally, also with new products: in spring, we will be launching “Internet Guard”, a free security filter that warns you of dangerous websites before you visit them.
Profile
Philippe Vuillemier has been Chief Security Officer at Group Executive Board level since 2015 responsible for all security issues at Swisscom.