Tangerine Telecom has been breached, with over 200,000 customer accounts being leaked.
It took a couple of days before they were informed of the breach, most likely by the contractor whose account was compromised (mentioned in the media release).
It’s worth noting that no credit card or customer ID data was stolen. Tangerine reports they don’t store either type of data.
Impact
Tangerine is reporting that 232,000 customers have been impacted by the breach.
The following customer data has been stolen: “full name, date of birth, mobile number, email address, postal address and Tangerine account number”.
Details
They are reporting that the breach was carried out using the credentials of an external contractor. That contractor had access to a legacy database, but all access has now been removed. They say they have closed the breach:
“We have taken precautionary steps to fully revoke network and systems access for the individual user’s credentials and we have also changed all other team usernames and passwords. Access to the affected legacy database has also been closed.”
Tangerine
They have informed the Australian Cyber Security Centre and the Office of the Australian Information Commissioner of the breach.
Communication
Comms on this one has been pretty good. They got it out fast, and are not burying the incident in bullshit. There is a public statement on their website; the link is on this page under Official Statements.
It’s nice to see a quote from the CEO, Andrew Branson, saying they are committed to learning from the incident. It would be even better if they made a statement at some point about what they have done to prevent this occurring again.
Opinion
This one’s going to get a lot of coverage. The number of accounts breached is high, but more importantly, it’s a telco. Both sides of the house have been using infrastructure-related breaches to get press coverage recently.
This will hit the radar of the Minister for Cyber Security, Clare O’Neil MP, and I would expect to see some comments from her at some point today/tomorrow.
There isn’t much detail on the contractor whose account was used for the breach. I doubt they leaked the data; Tangerine would have thrown them under the blame bus and then backed over them if that was the case.
So odds are the contractor’s machine was breached and the attacker either found the data locally or used creds to jump to the remote DB.
From a tech perspective, this is a classic case of creating a weak link in your security to enable an external third party. Questions that come to mind are:
- Was the third party accessing the data from a remote location?
- Had they replicated the data locally?
- What controls, if any, were in place on the contractor’s devices to secure them?
- Did the contractor’s credentials have MFA enforced?
Know your weak links
There is very little point in implementing strong security in your environment if you then give third parties access to your systems from less secure infrastructure.
Sadly, this is very often the case when enterprises / large organisations enable remote access for third parties. Enforcing a high standard of cyber security practices is expensive and complex, something that smaller third parties typically can’t match. In the worst-case scenario, a single contractor can be working from home on an uncontrolled PC and remotely accessing company resources.
If you need external parties to access your data, make sure you cover the basics:
- What devices are they using to access your systems?
- How are those devices secured?
- Are they the only one using the device?
- What about physical security of the device? There isn’t much point getting ISO27001 certified if someone can remote into your systems using a BYOD laptop from the cafe.
Always assume that third parties are going to have weaker security than you and are likely to be compromised. With that assumption in mind, what data or other systems would be exposed? Now mitigate that.
Refer to the National Institute of Standards and Technology framework on best practice around this.
Update
Looks like this breach only gets a comment from the Telecommunications Ombudsman.
“It can be distressing to learn that your personal information may have been disclosed in a cyber-attack. Consumers who are affected by a data breach should remain vigilant about their personal information.”
“If you are concerned about your personal information, get in touch with Tangerine first. If Tangerine has confirmed your data has been exposed, you can’t get in contact with Tangerine, or aren’t happy with their response, come to the Telecommunications Industry Ombudsman for help.”
Cynthia Gebert
Which amounts to “Sucks to be you, give us a jingle when Tangerine tells you to fuck off”.