What’s the Cost of a Data Breach in Telecoms?
Now that the European Union has passed the General Data Protection Regulation (GDPR) many Communications Service Providers (CSPs) are taking steps to ensure they are ready for the regulations and protected from the risk of a data breach. In general the telecoms industry has been focused on security for a long time but the focus has usually been on building big walls to protect their systems and networks from external threats. However, there is also the internal threat to consider from contractors, employees and vendors.
The systems across the CSP environment store significant amounts of sensitive data. They hold personal details such as name, gender, age, address, email address and phone numbers; financial data such as bank details, credit card information and credit scores; location information from mobile devices; and usage information such as which applications you use, which websites you visit or which people you call. This makes them a prime target for data thieves who can sell this information for profit.
Some thieves will target the servers with external hacks, and this has been successful on numerous occasions. Various CSPs have suffered data breaches over the last few years, the most notable being Talk Talk, a quadplay provider in the UK. They were hacked and the records of around 157,000 customers were compromised, including over 15,000 customers’ bank details. The impact of a data breach is far reaching. There is the bad publicity and associated brand damage that reduces your ability to attract new customers. Existing customers lose trust in the brand and often leave as a result, thus increasing churn. Businesses listed on the stock market have the added impact of watching their share price decline as news of a breach is publicised. Talk Talk recently announced their annual results for the 2014/2015 financial year. Reports suggest the breach cost them £42m and that they lost over 100,000 customers in the quarter following the breach. Some reports suggest the financial impact could be greater.
Many local regulators have powers to fine CSPs for data breaches, but now the EU has delivered its own regulations in the form of the General Data Protection Regulation (GDPR). This regulation outlines the responsibilities of all businesses that handle sensitive data of EU citizens, regardless of where in the world that data resides. The big headline is that the EU could administer fines of up to 4% of global revenue or up to €20m, whichever is greater. If we consider the Talk Talk example, the EU would have the potential to fine them around £70m. The good news is that these regulations do not come into force until May 2018, so businesses have nearly 2 years to get everything in place. However, experience tells us that regulatory fines are only half the problem. There is still the financial impact to the business caused by a high profile data breach.
So how can CSPs protect their sensitive data from both external and internal threats? Implementing a decent security architecture is a good place to start to build the defense. Firewalls, database monitoring, tokenization, encryption and access controls all help but if you’re a hacker there’s often a way around these barriers. Get past the big walls and the metaphorical database force-field and there is the treasure in all its glory, ripe for the taking. Another multi-million dollar impact to the business and some embarrassing publicity, maybe even a local regulatory fine and another courtesy of the EU GDPR legislation.
What if you protected the data itself? A hacker could steal the data, but it would be meaningless and therefore worthless. By masking sensitive data it can still be useful but protected. Masking can be applied on write, so information is masked as it is loaded into the database. In some cases having the individual data visible is necessary for troubleshooting purposes, but only by certain individuals. In this case the data can be masked dynamically so that only certain users have access to the real identifiers. Even Database Administrators do not need to see the exact contents of the system. They need to see the table names and column headers, and to see fields being populated by the right kind of data, but even then it could be substitute data, jumbled or random numbers or even ‘xxxxxx’. As long as the length, and in some cases the character type, are preserved, the actual contents could be anything. Under GDPR, when a business has taken all reasonable steps to render the data useless from a personal identification perspective, there is no need to notify customers of a hack. In fact, only the EU needs to be notified, and both bad publicity and fines can be avoided.
The most common applications of data masking for CSPs are in the call centers to restrict customer record visibility. For example, a tier 1 agent can see the customer’s name and address and contact details but does not need to see their full bank details whereas someone investigating some payment or billing issues may need to have this wider view. Informatica’s Dynamic Data Masking solution assigns access rights to users so they can only see the data they need to. This technology sits between applications and databases and although popular for Customer Care could be used in many areas such as network analytics and user behavior where significant amounts of sensitive data are available to many users.
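The two masking modes described above (masking that preserves length and character type, and a dynamic view that depends on the user's role) as an added example; this is illustration code, not Informatica's product, and the customer record, the role names and the per-role policy table are constructed assumptions.

```python
import secrets
import string

# Constructed sample record (not real customer data).
CUSTOMER = {
    "name": "Jane Example",
    "address": "12 Sample Street, Testtown",
    "phone": "07700900123",
    "iban": "GB82WEST12345698765432",
    "card_number": "4111111111111111",
}

# Hypothetical policy (assumed, not a real product's policy model): fields
# listed per role are returned in the clear; everything else is masked.
ROLE_CLEAR_FIELDS = {
    "tier1_agent": {"name", "address", "phone"},
    "billing_investigator": {"name", "address", "phone", "iban", "card_number"},
    "dba": set(),  # sees structure and data shape only, never real values
}


def mask_value(value: str, reveal_last: int = 0) -> str:
    """Replace each character with one of the same class so length and
    character type are preserved: digits -> random digits, letters -> x/X,
    separators kept. Optionally leave the trailing reveal_last chars visible."""
    cut = len(value) - reveal_last
    head, tail = value[:cut], value[cut:]
    out = []
    for ch in head:
        if ch.isdigit():
            out.append(secrets.choice(string.digits))
        elif ch.isalpha():
            out.append("X" if ch.isupper() else "x")
        else:
            out.append(ch)
    return "".join(out) + tail


def dynamic_view(record: dict, role: str) -> dict:
    """Return the record as a user in `role` would see it. Cleared fields pass
    through; payment identifiers keep their last 4 digits so an agent can
    still confirm 'the card ending 1111' without seeing the full number."""
    clear = ROLE_CLEAR_FIELDS.get(role, set())  # unknown role: nothing in clear
    view = {}
    for field, value in record.items():
        if field in clear:
            view[field] = value
        else:
            reveal = 4 if field in ("iban", "card_number") else 0
            view[field] = mask_value(value, reveal_last=reveal)
    return view
```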
Masking is also used to bring Data Monetization initiatives to life. By applying Informatica’s Persistent Data Masking to a dataset it is possible to create a set of anonymized data. This enables the CSP to maintain the low level granularity without compromising the customer’s data. This data can then be sold to businesses looking to locate new retail outlets, restaurants or to local government to help plan roads and the timing of traffic lights based on people’s movements. This could be a big data platform, a traditional database or you could even put it in the cloud.
Sometimes data is compromised by accident or by people not realizing the power of the information they hold. In my last job I had to get 10,000 customer records as part of a POC to demonstrate the benefits of the solution. I asked for the records and the CSP provided me with an Excel file with the necessary data. There was no masking, so I could clearly see all the details of these real customers. The file contained the key fields I needed, like MSISDN, IMSI, IMEI and customer type, as well as some fields that were useful but not necessary, like name, age and gender. When I scrolled a little further I found some more fields: address, employer, job title, bank details, credit scores, etc. The sending of this data was an accidental data breach but would still attract fines from the regulators. This kind of breach is easily avoidable by masking real data for use as test data with Informatica’s Test Data Management solution. Some CSPs use manual techniques to anonymize data, which slows down the testing process as people wait for this to happen, and every new data set requires new scripts to be created, adding to testing timelines and delaying projects.
GDPR also contains the right to be forgotten, which means destroying data at the request of the customer. First you have to be able to identify where that data is. In fact, half the challenge of protecting the data is knowing where it is, what it is, who has access to it, how often they access it and how it proliferates across the business. Imagine being able to see where the riskiest data resides, who uses it and how many records they access. Even better if you could identify changes in user behavior, e.g. a user who normally accesses 10 sales records and then one day accesses 10,000. This is exactly what the new Secure@Source solution does, and more.
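The behavioral change described above (a user who normally touches a handful of records suddenly pulling thousands) as an added detection example; this is illustration code, not Secure@Source, and the access-log format and the constructed log lines are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed access log (assumed format): "date user table rows_returned".
ACCESS_LOG = """\
2017-03-01 alice sales 8
2017-03-02 alice sales 12
2017-03-03 alice sales 9
2017-03-04 alice sales 11
2017-03-05 alice sales 10000
2017-03-01 bob billing 120
2017-03-02 bob billing 110
2017-03-03 bob billing 130
"""


def parse_log(text):
    """Yield (date, user, table, rows) tuples, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, table, rows = line.split()
        yield date, user, table, int(rows)


def daily_volumes(entries):
    """Sum rows accessed per (user, table) per day; ISO dates sort chronologically."""
    totals = defaultdict(lambda: defaultdict(int))
    for date, user, table, rows in entries:
        totals[(user, table)][date] += rows
    return {key: sorted(days.items()) for key, days in totals.items()}


def find_volume_anomalies(volumes, factor=10.0, min_history=3):
    """Flag a day whose volume exceeds `factor` times the median of the
    preceding days; requires at least min_history prior days as a baseline
    so a new user's first large query is not judged against nothing."""
    alerts = []
    for (user, table), series in volumes.items():
        rows = [r for _, r in series]
        for i in range(min_history, len(rows)):
            baseline = statistics.median(rows[:i])
            if baseline > 0 and rows[i] > factor * baseline:
                alerts.append({"user": user, "table": table, "date": series[i][0],
                               "rows": rows[i], "baseline": baseline})
    return alerts
```

Bob's steady billing volume produces no alert; Alice's jump from a median of 10 rows to 10,000 does.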
With the clock ticking on GDPR there is a renewed focus on data security for CSPs. With so many potential risks it’s good to know what the cost of a data breach is. For Talk Talk they had 4% of their base impacted and it cost £42m, but with GDPR fines this could be much more. Whilst the true impact will vary by the size of the breach and the size of CSP it is clear we are talking millions, tens of millions and in some cases hundreds of millions. With brand damage, loss of customers and the impact to future customer acquisition how many CSPs can afford to take these kinds of impacts? Imagine multiple data breaches in the same year! Surely investing in data security technology is a no-brainer.