Cybercriminals have managed to cause a data breach at the vendor system of AT&T, the multinational telecommunications company, in January 2023 and exposed vast amounts of data, including wireless account numbers, first names of customers, wireless phone numbers, and email addresses. The fact that threat actors gained access to AT&T’s Customer Proprietary Network Information (CPNI) tells a lot about the lack of security at the third-party vendor. The incident was brought to light by customers when they posted the email communication from AT&T on community forums to confirm if it was genuine or a fraud. The email stated, “We recently determined that an unauthorised person breached a vendor’s system and gained access to your ‘Customer Proprietary Network Information (CPNI).”
9 Million Customers Impacted
The company gave a statement to Bleeping Computer saying that around nine million customers’ CPNI were accessed by cybercriminals. Here, CPNI is the information that telecommunications companies like AT&T in the U.S. get about their subscribers. The information includes the services used by the subscribers, the amount paid, and the type of usage. Such information is used by a third-party vendor for marketing. Interestingly, AT&T assured customers that their sensitive personal or financial information was not compromised. It further stated that the information exposed was mostly related to the customers’ eligibility for device upgrades and in no way affected the company’s systems.
AT&T took pains to confirm that the marketing vendor has since fixed the vulnerability, which was exploited by the threat actors to cause a data breach. AT&T reported the matter to the federal law enforcement agencies without disclosing specific customer information. The company offered to secure the passwords of customers by adding an extra layer of security—free of charge.
Telecom Services in Focus
According to Manish Chaudhari, CISO, Cybernetic Global Intelligence, accredited global leaders in cybersecurity, telecom industries will be increasingly vulnerable to cyberattacks, especially in 2023. The reason is attributable to the increased use of IoT devices, the focus on the use of 5G, and the prevailing geopolitical conditions at large. In the last three months, telecom companies have reported several cybersecurity incidents. In addition to AT&T, T-Mobile faced a cybersecurity incident where the personal details of 37 million users were exposed. Again, in February 2023, a Canadian telecommunications company Telus found an employee list containing names and email addresses being put up for sale.
How Can Telecom Companies Be Safe From Threat Actors?
The above-mentioned incidents lay bare the oft-repeated allegations that telecommunications companies (and, for that matter, other businesses as well) remain vulnerable to data breaches. With the expertise of cybercriminals increasing and their modus-operandi becoming more sophisticated, businesses, including telecommunications companies, need to up the ante. They cannot remain smug in the belief that cybercriminals are not going to strike them. Such an ostrich-like attitude can spell doom for companies and their customers. Manish Chaudhari of Cybernetic Global Intelligence underlines the importance of securing the flanks by upgrading the overall security infrastructure. It is better to remain aware of the threat scenario rather than be caught napping when cybercriminals strike, he says in a matter of fact way. One of the steps that telecom and other companies must take to mitigate such threats is by conducting an IT security audit.
What Is an IT Security Audit?
An IT security audit involves reviewing the company’s cybersecurity practices and ensuring the application of up-to-date mechanisms and processes. Furthermore, such an audit determines whether all security practices and infrastructure adhere to established industry standards. These include ISO/IEC 27001-13, the ACSC Essential Eight (E8), the Protective Security Policy Framework (PSPF), the Queensland Government Information Security Classification Framework (QGISCF), the ASD ISM (Information Security Manual), and APRA CPS 234 among others.
Benefits of an IT Security Audit
An IT security audit helps identify potential gaps in the system and mitigate them. The other benefits include:
- Ensures better regulatory compliance
- Helps save money and minimize waste of resources on pursuing ineffective practices
The vice like grip of cybercriminals on the business landscape is frightening and a cause of concern. However, cybersecurity companies, such as Cybernetic Global Intelligence, can help telecommunications and other companies detect potential vulnerabilities and fix them before all hell break loose. For more information, call 1300 292 736 or send an email to Contact@cybernetic-gi.com.