O2 Data for Sale?

O2-Logo

Now here’s an interesting data breach, it’s perhaps indicative of changing approaches by hackers.

As companies thankfully become more savvy about protecting data, so hackers are having to become more creative. They augment stolen data by accessing more publicly available data sources – such as social media – to create more robust data sets that they can sell on to the criminal fraternity on the ‘dark net’.

We reported here earlier in July that fraudster are harvesting details from social media accounts to create fraudulent duplicate identities; a technique known as ‘credential stuffing’.

The BBC claimed on the Victoria Derbyshire programme on July 26th that “O2 customer data is being sold by criminals on the dark net” (here)

However O2 deny that they’ve suffered a data breach.

The initial credentials are likely to have been stolen in a data breach back in November 2013 from the gaming website Xsplit and the hackers have subsequently ‘stuffed’ those credentials with information sourced elsewhere. Those new ‘stuffed’ credentials would then be tried against various online services.

The BBC reported┬áthat some victims have had accounts hacked on multiple sites – such as Gumtree and eBay.

The message for consumers is a familiar one, don’t use the same password for multiple accounts – tempting though it might be – as hackers will try any passwords they acquire against any and every online services.

And the message for businesses is equally familiar, you have a responsibility to your customers if you store their personal or payment data.

Compliance3 can help businesses meet their personal and payment data obligations, get in touch and see how we can help yours.