18 Nov 2009
T-Mobile UK has admitted to a breach of the Data Protection Act after its customers' private details were sold to other companies for a profit.
One of the firm's employees sold customer contract expiration details to brokers, who then sold the information to T-Mobile competitors, according to reports. The customers were then contacted just before their T-Mobile contracts were due to end.
The Data Protection Act forbids the selling of an individual's data without their consent.
"T-Mobile takes the protection of customer information seriously. When it became apparent that contract renewal information was being passed on to third parties without our knowledge, we alerted the Information Commissioner's Office," a T-Mobile spokesman told the BBC.
The first news of the scandal emerged yesterday when Christopher Graham, the Information Commissioner, discussed the case without naming the company. Graham confirmed that the names, addresses, telephone numbers and contract details were sold to competitors.
O2, Vodafone, Orange, 3 and Virgin had all denied being involved, and it became clear that T-Mobile was the guilty company.
Graham has stated that he intends to prosecute the employee responsible.
Graham Cluley, senior technology consultant at security firm Sophos, said in a blog post that T-Mobile is likely to have lacked important data protection processes.
"One of the central problems here is that many companies are not doing enough to secure the data they hold about every one of us," he wrote.
"The cheapness and availability of devices like USB thumb drives has just made it easier than ever to scoop up large databases and waltz out of the office without anyone suspecting a thing.
"Technology does exist to help intercept and control the movement of personal data inside organisations, but many firms have still not taken even the most basic steps to halt it dead in its tracks."
Security is a strategy.
Graham is right to point out that security management technology is available, though under-used or incorrectly used. Stories such as this invariably and understandably lead to calls of, "Something must be done." Often, the "something" in question involves companies throwing technology at a problem, such as encryption or applying policies to files to prevent them being e-mailed, saved to disk etc. However, a concentrated and strategic focus on risk management is essential when a company reviews its IT security infrastructure, rather than installing products and hoping for the best. If a company has not taken a strategic approach to recruiting and training staff, and working with a trusted security partner, technology will only help it to a limited extent. For example, to mitigate potential risks up front, companies can run checks on a potential employee's background or decide whether or not certain data should be open to being printed or saved on a removable device by various levels of staff. A disjointed approach, without the backing of partner expertise, which concentrates too much on either technology or people, will prove ineffective.
Martin Blackhurst, Product Manager, Redstone Managed Solutions, www.redstonemanaged.co.uk
Posted by: Martin Blackhurst - Redstone Managed Solutions 23 Nov 2009
Be Proactive, Not Reactive
This breach is a reminder that organizations should be proactively reviewing employees' data privileges to ensure that they only have access to the information that is required to perform their duties. In addition, having database activity monitoring solutions in place will allow companies to monitor sensitive data and issue immediate alerts if inappropriate access occurs.
Thom VanHorn, VP of Global Marketing, Application Security, Inc. http://blog.appsecinc.com
Posted by: Thom VanHorn, VP of Global Marketing, Application Security, Inc. 20 Nov 2009
A major concern in the industry
My company has been approached by networks in the past about this problem – it's a major concern in the industry. There are a range of tactics used to get customer data about the networks people use, their specific accounts and even if they have insurance for their phone. Companies then use this information to contact a customer, offer them a better deal and steal their business – it's commercial espionage and theft of data on a massive scale. It also undermines networks providing good services to their customers. The risk is often the "trusted insider" who goes bad – and technical security procedures and policies alone won't prevent it. Networks need to diagnose the problem up-stream, getting to grips with their customer data and monitoring how it (and hence the customer base) behaves as a whole over time. It's important to understand the big picture in terms of your customers' behaviour – the problem with mobile phone networks is that they have hundreds of thousands of customers. Can you imagine a smaller business failing to know its clients, unconcerned about whether they retain them and not watching for signs of competitors stealing them away? By continuously auditing, monitoring, assessing and diagnosing their client base it's possible to see problems as – or even before – they occur. If the technology notices that a particular pattern of standard behaviour starts to become erratic or considerably changes, something might be afoot. We specialise in this kind of monitoring, letting networks know the state of health of their client base and helping to control the conditions that retain customers and protect them from fraudsters. Another tactic used by unscrupulous companies is to use "Autodialler" machines, which randomly dial phone numbers using smart calculators.
They already know the type of number generally owned by each network, then callers use social engineering techniques to find out more about the customer's account and offer what appears to be a better deal and also win the insurance business for the phone. Together this can be very lucrative. The difference between an Autodialler and a data thief is that the Autodialler doesn't need to enter the company database. Some may say this is fair game but that couldn't be further from the truth – left unchecked this situation can develop into a continuous "churning" of customers, driving prices even lower so service suffers, customers suffer and the businesses involved become difficult to control and manage. It undermines the economic basis for developing good standards by service providers; if the problem grows then the temptation for everyone to do it is overwhelming. We should remember that these businesses employ people, provide taxes for the economy and develop new technologies we can sell internationally. It is not in anyone's long term interests to engage in this. In the short term the "sharks" using Autodiallers make vast amounts of money but inevitably someone will try it on their service provider as well. And so the story goes on....
Posted by: Richard Leary, Forensic Pathways 19 Nov 2009
I'm sure this won't be the last
Hate to say it, but I'm sure this is only the tip of the iceberg. Just think of all the data that is being put through all the UK & overseas call centres.
Posted by: Jdmave 18 Nov 2009