There are many aspects to data security, like the use of drive encryption software, antivirus software, firewalls, etc. However, the biggest and most central one is monitoring: making sure that things are going as planned, and looking to see if anything has gone awry. Otherwise, one may end up finding–quite belatedly–that one has suffered a breach.
T-Mobile Contacts The ICO
It was this regular monitoring that allowed T-Mobile to zero in on irregularities regarding their customer information.
Apparently, employees at T-Mobile had been selling their customer lists to brokers. The customers were entering the final phase of their mobile phone contracts, and the brokers would sell the information to other phone firms. These firms, in turn, would cold-call T-Mobile’s clients, no doubt to convince them to switch carriers.
Once T-Mobile became aware of the situation, the Information Commissioner’s Office was contacted, which got the appropriate warrants to enter T-Mobile’s premises and conduct an investigation.
Is This A Breach?
When compared to other data breaches that occur every day across the UK, this one seems quite trivial. The media are painting their headlines as if T-Mobile was behind this breach (The BBC’s title, “T-Mobile staff sold personal data,” is a bit misleading, methinks: the word “renegade” or “soon-to-be-fired” or something should be added), and making it appear as if it’s a bigger issue than it is. But, as the story goes to show, this is not the case.
People who steal information–especially customer lists, which are considered to be company assets by many–are probably a dime a dozen. Attempts to purloin a competitor’s customers have happened in the past and will happen in the future. It’s…well, it’s news, but it’s not eye-popping news.
Granted, what happened is illegal: as the BBC noted, “The Data Protection Act bans the selling on of data without prior permission from the customer and a fine of £5,000 can be imposed following a successful prosecution.” So, yes, technically, T-Mobile had a data breach, carried out by its own employees.
But, as far as I can tell, no one’s going to fall victim to voice-phishing attempts. If anything, it looks like the illegally obtained information was used for legitimate means (convincing T-Mobile customers to switch services).
(Personally, I’d say that this is proof that T-Mobile has a good data security program in place, although some would disagree. My reasoning? They monitor stuff. Many companies are willing to invest in data security, like encryption software, but once in place, believe that it will magically solve all problems without the necessary maintenance–monitoring being one aspect of that maintenance.)