Mobile Provider Data Breaches: Know Your Risks

Last week, AT&T reported the latest in a series of high-profile data breaches. The company announced that approximately 9 million customer records, including names, email addresses, phone numbers and account numbers, were stolen from a third-party marketing firm that had been given access to the data by AT&T.

How do these large-scale data breaches happen?

In several recent cases, criminals targeted marketing firms that provide advertising to mobile carriers or that develop campaigns for mobile users. In the AT&T case, it was noted that the stolen data included eligibility for phone upgrades, making it reasonable to assume that the data breach was related to customer marketing. AT&T gave its customer data to a marketing firm to sell upgrades. The marketing firm was breached.

In other cases, companies that display ads on mobile devices have suffered significant data breaches exposing millions of customer records. In all of these cases, criminals did not target the mobile provider itself, but the third-party agency. Mobile providers typically have strong cyber security practices; the third parties they share your data with may not, making you vulnerable.

What are the risks from mobile data breaches?

Mobile data breaches can carry a particular risk for customers. As reported by Axios, criminals can use personal data from these breaches to launch SIM-swapping attacks, where a criminal clones a SIM card and then uses it to steal multifactor authentication codes. Ordinarily, a criminal who steals your username and password cannot access your accounts if you have two-factor authentication that sends a confirmation code to your phone. If the criminal can clone your phone number with information stolen from a data breach, they can then get the code and access your accounts.

In other words, criminals can defeat two-factor authentication, log in to your accounts and steal or wreak havoc at will. If you see authentication code requests that you did not initiate, log in to the affected accounts immediately and change your password, because it could mean someone is trying to gain access.

A lower level of risk comes from the exposure of phone numbers and email addresses. These will be sold to criminals for spam emails and phishing attempts. If you are a high-value target for hackers, you need to change your passwords and your multifactor authentication method.

What should I do to protect myself from criminal misuse of my data?

Assume that some of your personal data has been compromised. More than 74 million personal records have been posted to the Dark Web so far in 2023, according to Cyble. Next, think like a criminal.

Criminals gather several types of personal information to carry out hacks and phishing attacks. They need your name, address, email and phone number to start. Any additional information they can gather, including passwords or usernames, makes it easier for them to launch an attack.

The best defense is to change your passwords frequently and to be vigilant. Set up two-factor authentication with immediate alerts to your mobile device. The safest way to do this is to have a separate email that you use only for authentication that you never share or use for any other purpose. Have alerts sent to you whenever there is an authentication request sent, rather than having text alerts sent directly to your phone. In many cases, this thwarts SIM swapping.

If you have significant concerns, you may need to get a new phone number, which renders information stolen from data breaches useless. This poses a significant challenge for most people. Acquiring a low-cost second phone that you use solely for authentication can solve the problem without requiring you to change your primary number.

Whenever you can, opt out of data-sharing programs with your mobile provider. They will attempt to discourage this, but doing so removes one avenue that criminals can use to compromise your cyber security.

Are you vigilant with your personal data? Are you vigilant with data on the job? Would you be able to stop a phishing attack launched by a phone call from a criminal? Explore our CSI Protection Certification to develop the skills you need to stop cyber criminals at home and on the job.

New National Cybersecurity Policy Is a Step, Not a Solution

The new National Cybersecurity Policy from the Biden Administration holds lofty ideas, but little that is actionable. As reported by The New York Times, the policy, unveiled on March 2, seeks to push greater responsibility for cyber attacks and data breaches toward those who own, operate or use online infrastructure. The policy also outlines a formal strategy for the United States Government to take action against professional cyber criminals and state-sponsored hackers.

With regard to national standards, the new cybersecurity policy is a long-overdue step in the right direction. One of the greatest challenges in convincing organizations to adopt stronger cyber security has been a lack of regulations. In cases where Federal or state governments have mandated security rules, adoption has been swift. Both the Gramm-Leach-Billey Act, which mandates protection of consumer financial data, and the California Consumer Privacy Act, which gives individuals the right to delete their data, as well as the European Union’s General Data Protection Act led to widespread changes in the ways businesses of all sizes collected, protected and stored personal data.

Biden’s Cybersecurity Policy Is Not Regulation

Many cyber security professionals have argued for national standards for years, yet this is where the Biden National Cybersecurity Policy comes up short. Outside of executive orders that narrowly target some Federal agencies, there is no mechanism to create or enforce mandates. Congress would need to pass legislation outlining standards and penalties for noncompliance. There also remains a question of who would investigate and enforce national guidelines.

Simply setting those guidelines will be difficult, given the ever-changing nature of the Internet and the software that powers it.  Internet infrastructure developers have fought standards and regulation on the grounds that mandates deter innovation. A balance must be struck between the needs of a better Internet and a safer one, and any policy that emerges will do well to require a reasonable level of security to exist in new tools and services without stifling innovation solely to deter cyber attacks.

What Does the Policy Mean for Business Owners?

Absent Congressional action to set standards and mandate compliance in the private sector, the new National Cybersecurity Policy has no immediate functional impact on any private or state-operated organization’s cyber security. However, this policy, taken with the Federal government’s more aggressive stance on common-sense cyber security practices, suggests that more executives could be found liable for cyber security lapses until formal regulations are passed.

The new policy may also embolden cyber insurance underwriters to deny claims if, in their assessment, reasonable care has not been taken to protect systems and data.

This policy is likely to lead to several years of uneven enforcement, insurance denials and court challenges that will ultimately prompt Congress to step in and pass broad-based rules. Until then, business leaders should understand that the burden of preventing cyber attacks continues to shift toward individual organizations. In this environment, good cyber security practices and cyber security employee training are more important, and potentially more cost effective, than they were before.

Gartner Survey Explains Why Cyber Security Employee Training Fails

Sobering data from Gartner illustrates the shortcomings of cyber security employee training. The company predicts that more than half of cyber attacks by 2025 will result from :lack of talent or human failure.”

This is in spite of ongoing efforts by businesses to provide employee training on cyber security. What stands out is the reason why that training fails.

According to their survey of 1,310 employees in mid 2022, “69% of employees have bypassed their organization’s cybersecurity guidance in the past 12 months.” More concerning, 74% said the would ignore cyber security practices “to achieve a business objective.”

The problem is clear: employees may know an organization’s rules for cyber security, but they willingly ignore those rules to get their jobs done. As long as this situation persists, cyber criminals will have the advantage they need to carry out attacks.

Cyber Security Employee Training Must Be Personal and Ethical

Every organization has a to-do list for compliance and a general set of employee rules. Most employees know they cannot treat others unfairly because of their background, race or identity, that they cannot steal from the company coffer and that they have a set time for lunch and breaks. Many employees bend these rules at times, while some bend them pathologically.

When cyber security becomes just another set of flexible company rules, disaster follows. The employee who takes an extra half hour for lunch only harms productivity in the short term. The employee who denies promotions to certain co-workers may trigger a lawsuit. The employee who shares passwords with teammates risks a costly data breach or an intrusion that takes all systems offline.

In all of these cases, organizations tend to train on the whats instead of the whys. Employees learn that they can be suspended or terminated for long lunch breaks, then see if that rule is actually enforced. The same applies to discrimination and cyber security. Employees may understand the consequences of breaking rules, but if they see co-workers getting away with things, or they consider some rules flexible, the training they received is useless.

It should be no secret to organizational leaders that employees behave very differently in their private lives. Most people would not brush off a friend or discriminate against a family member, and they tend to take great care with their personal cyber security. They are motivated to do this because they face lasting, personal repercussions in valuable relationships if they behave selfishly.

Leaders expect this behavior to carry over on the job, but Gartner’s data disputes that belief, painting cyber security as just another obstacle employees try to overcome. This occurs because most cyber security employee training, like other forms of employee training, lays out facts and broad hypothetical situations without asking the question that would really motivate employees: What would your friends and family think if you were responsible for a major cyber security attack?

The answer to that question is the key to effective employee cyber security training. Most people would be horrified and ashamed if their actions caused harm to a friend or family member. They would be similarly ashamed and horrified to have to tell people that they were involved in a cyber attack that made headlines. Those emotions provide a powerful incentive to follow cyber security rules, but they are absent from nearly all of the training programs available. Training based on ethics and personal attitudes toward responsibility delivers better results, because it connects with the protective instincts people practice in their personal lives.

Choose Training That Works

The CSI Protection Certification cyber security employee training program created by Protect Now changes employee attitudes toward security by tapping into their personal desire for safety. Created by cyber security speaker and author Robert Siciliano, this program is empowering and entertaining, and it now qualifies for CE credits for real estate professionals in many states. The program is available via in-person seminars, virtual seminars or through a library of eLearning modules. To learn more, contact us online or call us at 1-800-658-8311.