Major cyber breach or just theft?
Technical blog by Liz Sandwith, chief professional practice advisor | 28 November 2016
Mobile operator Three has hit the headlines
One of Britain’s largest mobile operators, Three, suffered a major breach of its upgraded database, the Telegraph was quoted as saying two-thirds of the company’s nine million customers may have been impacted. This is the latest in a series of high-profile security lapses. Just this month, a cyber attack on Tesco Bank resulted in the theft of £2.5 million from the accounts of 9,000 customers.
At Three, hackers reportedly compromised personal details of the victims using employee logins but the stolen data did not include financial information. Although no bank details or passwords were exposed in the data breach, 133,827 customer accounts have been accessed, according to a letter from chief executive officer David Dyson.
On 17 November, the company became aware of suspicious activity surrounding its customer upgrade database, which allows customers to upgrade to new devices. The following day, it confirmed the breach.
While cyber criminals typically go after sensitive information, such as credit card numbers to sell on the dark web, Dyson does not believe that was the main motive for the attackers. “We believe the primary purpose of this was not to steal customer information but was criminal activity to acquire new handsets fraudulently,” he wrote. According to spokesman Nicholas Carter, in the past month the company had seen fraudulent activities involving handset fraud. "To date, we have confirmed approximately 400 high-value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity," he added.
Three persons have been arrested so far in this matter, as per reports in the media.
What should internal audit do?
From an internal audit perspective we need to remember that cyber criminals are often simply criminals approaching their crime in a different manner. At a recent joint Chartered IIA and Fraud Advisory Panel conference one of the speakers, Detective Inspector D Lawrence, National Coordinator for Cyber, highlighted to the audience that cyber crime is just crime, he provided as an example the decrease in bank robberies from 847 in 1992 to 108 in 2012 and down to less than 75 in 2016 as criminals use technology to commit the crime.
We, as internal auditors, need to be watchful for crime within our organisations however it is committed. Cyber security crime is a business risk not an IT risk and as such we need to ensure that within our risk universe we consider it in its widest sense and look holistically across the business as we would do with our fraud risk assessment.
Business resilience is back on the internal audit agenda, assuming it ever left, no longer just from a disaster recovery perspective but in the wider area of how our organisation would deal with the impact of a cyber breach and/or the loss of a key individuals eg the CEO, Chairman, CFO etc, which impacts on reputation as well as business survival.
