T-Mobile U.K. said Wednesday that an employee was to blame for stealing possibly millions of customer records and
selling the data to competitors.
T-Mobile informed Britain's Information Commissioner's Office (ICO) of the data security breach. The data included customers' contract renewal information, including customers' contract expiration dates. T-Mobile said the data was sold to "third parties."
"The number of records involved runs into the millions, and it appears that substantial amounts of money changed hands," the government body said in a document submitted to the Ministry of Justice.
The U.K. Data Protection Act prohibits the selling of data without prior permission from the customer. The ICO said in its report that it believes T-Mobile competitors used the information to call customers prior to the expiration of their contracts and offer them deals with a new operator.
The T-Mobile U.K. data breach highlights the problem of insider security threats, especially during an uncertain global economy, which has resulted in layoffs and mergers. A recent survey of 1,900 senior executives conducted by Ernst & Young found that 75% of respondents were concerned with the possibility of reprisal from employees. But many are having a difficult time doing anything about insider security threats. Less than half (42%) were weighing the risks and only 26% were taking steps to address insider threats.
"A lot of the focus has been on external hackers, but if you look at the data from organizations including Forrester Research Inc. and Gartner Inc., over 75% of data breaches are the result of insiders," said Thomas VanHorn, vice president of global marketing at Application Security Inc, a database security vendor based in New York, N.Y.. "There are more fears out there in part because of the dire economy."
While focusing on improving hiring practices and monitoring employees could help guard against employee reprisals, security experts say companies can conduct regular entitlement reviews to ensure that only employees that need access to certain data get that access. Database activity monitoring and log management are also areas where companies can improve their security practices and guard against a breach, VanHorn said.
"Typically we encounter companies that think they know where their sensitive data is, but when we go in companies often make the discovery of databases they never knew they had," VanHorn said. "It could be at a remote office or a test database, but discovery is a real important first step."
After getting complaints from customers, T-Mobile said it immediately began investigating the breach. T-Mobile worked with the ICO to identify the source and said it and the ICO were collecting evidence and planned to prosecute those involved.
"While it is deeply regrettable that customer information has been misappropriated in this way, we have proactively supported the ICO to help stamp out what is a problem for the whole industry," T-Mobile said in a statement.