Figure 1: Data breaches in Telecom sectors

Telecom Industry

Telecom industries:
Telecommunications has been an important growth engine in the development of modern India. It has
enabled connectivity to the remotest corners of the nation which has not only benefited the citizens
but also helped in better governance. Access to digital services and applications from remotest parts
of the country is enabled by telecommunication connectivity. As per a study [1], doubling of mobile data
usage increases the GDP by 0.5% points, while a 10% increase in mobile telecom penetration
increases Total Factor Productivity in the long run by 4.2% points. As per a report on statistics of internet
usage in India [2], there are a total of 462.1 million internet users (approx. 34% of the population; the global average
is 53%). Of these, 282 million are active internet users spending approximately 7 hours per day on
the internet. Out of the total 462.1 million internet users, 430.3 million use the internet from mobile
phones (79% of the total web traffic). Active social media penetration in India is 19% of the total
population; the global average is 42% of the total population. A user spends approximately 2 hours 30
minutes daily on social media and uses, on average, seven mobile applications on their
mobile device.

The eco-system used for delivery of digital services consists of multiple entities like Telecom Service
Providers (TSPs), Personal Devices (Mobile Handsets, Tablets, Personal Computers etc.), M2M
(Machine to Machine) Devices, Communication Networks (consisting of Base Trans Receiver
Stations, Routers, Switches etc.), Browsers, Operating Systems, Over The Top (OTT) service
providers, Applications etc. It is estimated that the global volume of digital data created annually was
4.4 zettabytes in 2013 and this would reach 44 zettabytes by 2020. Further, it is expected that the
number of devices connected to the IP Networks would be approximately three times the global
population by 2021. The growth in the number of connected devices implies that a large portion of data
created would presumably consist of personal details relating to individuals, e.g. purchases, places
visited, demography, health statistics, financial transactions, education, work profile etc.

Telecommunications providers are under fire from two sides: they face direct attacks from
cybercriminals intent on breaching their organization and network operations, and indirect attacks
from those in pursuit of their subscribers. The top threats currently targeting each of these frontlines
feature many classic attack vectors, but with a new twist in terms of complexity or scale that places
new demands on telecoms companies.

Reliance Jio data breach

Reliance Jio’s user data was posted on a website called magicapk.com. The website has been
suspended, but those who’ve checked out the data found that email id, first name, last name, Reliance
Jio mobile number and activation date for the SIM, along with the activation circle, did match accurately
for a lot of numbers. In some cases, the Aadhaar number was also available online. However, we didn’t
see the Aadhaar number for the data that we explored on the website. The data breach is
serious because Reliance Jio has 120 million active subscribers in India, and this could well be India’s biggest
data breach ever.

Global telecom industries breaches

Various CSPs have suffered data breaches over the last few years, the most notable being
TalkTalk, a quad-play provider in the UK. They were hacked and the records of around 157,000 customers
were compromised, including over 15,000 customers’ bank details. The impact of a data breach is
far-reaching. There is the bad publicity and associated brand damage that reduces your ability to attract
new customers. Existing customers lose trust in the brand and often leave as a result, thus increasing
churn. Businesses on the stock market have the added impact of watching their share price
decline as the news of a breach is publicised. TalkTalk recently announced their annual results for the
2014/2015 financial year. Reports suggest the breach cost them £42m and that they lost over 100,000
customers in the quarter following the breach. Some reports suggest the financial impact could be
greater.

Attacks and vectors in telecommunication breaches.

Distributed Denial of Service (DDoS) attacks. DDoS attacks continue to increase in power and
scale and, according to the 2016 Data Breach Investigations Report, the telecommunications sector is
hit harder than any other. Kaspersky Lab’s research reveals that in Q2, 2016, the longest DDoS attack
lasted for 291 hours (or 12.1 days) – significantly longer than the previous quarter’s maximum (8.2
days), with vulnerable IoT devices increasingly used in botnets. Direct DDoS attacks can reduce
network capacity, degrade performance, increase traffic exchange costs, disrupt service availability
and even bring down Internet access if ISPs are hit. They can be a cover for a deeper, more damaging
secondary attack, or a route into a key enterprise subscriber or large-scale ransomware attack.

Kaspersky Lab’s DDoS intelligence report for Q2, 2016 notes that websites in 70 countries were
targeted with attacks. By far the most affected country was China, with South Korea and the US also
among the leaders. 70.2% of all detected attacks were launched from Linux botnets, with
cybercriminals paying close attention to financial institutions working with cryptocurrency. Another
trend observed in Q2 was the use of vulnerable IoT devices in botnets to launch DDoS attacks. The
telecommunications sector is particularly vulnerable to DDoS attacks. According to the 2016 Data
Breach Investigations Report, the telecommunications sector was hit around twice as hard as the
second placed sector (financial exchanges), with a median DDoS packet count of 4.61 million packets
per second (compared to 2.4 Mpps for exchanges).

The exploitation of vulnerabilities in network and consumer devices. Our intelligence shows that
vulnerabilities in network devices, consumer or business femtocells, USBs and routers, as well as root
exploits for Android phones, all provide new channels for attacks – involving malware and
technologies that individuals, organisations and even basic antivirus solutions cannot always easily
remove.

Compromising subscribers with social engineering, phishing or malware. These classic
techniques remain popular and can easily be mastered by entry-level cybercriminals, although 2016
sees changes in how more sophisticated attackers conduct their campaigns. Growing numbers of
cyber-attackers now combine data sets from different sources, including open sources, to build up
detailed pictures of potential targets for blackmail and social engineering purposes.

Insider threat is growing. Detailed profiles of targets are also used to recruit insiders to help
perpetrate cybercrime. Some insiders help voluntarily, others are coerced through blackmail. Insiders
from cellular service providers are recruited mainly to provide access to data, while staff working for
Internet service providers are chosen to support network mapping and man-in-the-middle attacks.

Other threats facing telecommunications companies include targeted attacks; poorly configured access
controls, particularly where interfaces are publicly available to any Internet user; inadequate security
for 2G/3G communications; and the risk of telecoms providers being drawn into unrelated attacks that
exploit telecoms resources, and suffering collateral damage.

Telcos Invest More in Tools to Support Mobile Workers and Rely More on Outsourcing
To maintain a competitive advantage, Telcos must continually modernize their operations so that
they can deliver new types of services and improve the customer experience while maintaining cost
efficiency. At the same time, they need to bolster their threat defences to meet regulatory
requirements as well as expectations from customers and partners. Given their limited budgets, many
Telcos are not prioritizing investments in security. Telcos’ use of tools such as web security,
penetration testing, patching, and configuration is similar to that of other industries we analysed
(Figure 1). However, Telcos lag slightly behind other organizations in several areas, such as network
security, firewalls, and intrusion prevention. Telcos use VPN, authentication, and mobility security
more than organizations in other industries. They are likely investing more in these tools to support
highly mobile and remote workforces. Because Telcos resell these services, there may also be a
lower barrier to their own adoption.

Figure 2. Threat Defences

According to Cisco, here is the percentage of organizations using various threat defences:

Figure 3. Cloud based threat defences

Percentages of Organizations Using Various Cloud-Based Threat Defences:

Telcos use cloud-based defences more than firms in other industries, which also may be related to
their need to support mobile and remote employees. As an example, 41 percent of Telcos report that
they use cloud-based solutions for mobility security, compared with 27 percent of organizations in
other industries.

Public Breaches Push Telcos to Embrace Forensics Tools and Improve Processes
Telcos that have suffered a security breach that led to public scrutiny report a higher use of network
and endpoint forensics tools, according to our study. They also use DDoS defence solutions more
than Telcos that have not endured a public breach: 44 percent and 25 percent, respectively. These
measures are likely an effort to prevent future breaches that could affect service provision and lead to
further public scrutiny and even regulatory fines.

Figure 3. The Use of Various Threat Defences by Publicly Breached and Non-Publicly-Breached
Organizations (in Percentages)

Cisco also found that telcos that have suffered public scrutiny due to a breach, and that also consider
their infrastructure to be very up to date, use more processes to restore affected systems to
pre-incident levels. The starkest contrast is in the use of gold image restoration: 64 percent of publicly
breached telcos use this process, compared to 24 percent of non-publicly-breached telcos that also
report their infrastructure to be very up to date (Figure 4). In addition, while 74 percent of telcos in
the former group patch and update applications deemed vulnerable, only 45 percent in the latter group
report using that process.

Figure 4. Processes Used by Organizations with Very Up-to-Date Infrastructure to Restore Affected Systems to
Pre-Incident Levels (in Percentages).

The fact that less than one-quarter of non-publicly-breached telcos that consider their infrastructure to
be very up to date are using gold image restoration, and that less than half are patching and updating
vulnerable applications, suggests that these companies may be overly confident about the
effectiveness of the security technology they have in place. They may also be unsure of what
processes they should implement to support security technology and to help protect their network
before, during, and after an attack.

Telecoms industry and DNS attacks:

Networks are a prized target for hackers, as each attack costs £460,000 on average to remediate.
According to the report, carried out among 1,000 respondents across APAC, Europe and North
America, 94% of respondents claim DNS security is critical for their business.

Yet, 76% of organisations have been subjected to a DNS attack in the last 12 months and 32% suffered
data theft. The report also estimated the yearly average costs of the damages caused by DNS attacks
to be $2.236 million. The leading causes were malware (35%), DDoS (32%), cache poisoning (23%),
DNS tunnelling (22%) and zero-day exploits (19%).

“The results once again highlight that despite the evolving threat landscape and the increase in cyber-
attacks, organisations across the globe and their IT departments still don’t fully appreciate the risks
from DNS-based attacks,” said David Williamson, CEO at Efficient IP.
“In less than a year, GDPR will come into effect, so organisations really need to start rethinking their
security in order to manage today’s threats and save their business from fines of up to £20 million or
4% of global revenue”.

Globally, the results varied widely. 39% of respondents from the UK and US demonstrated more
awareness of the top 5 DNS-based attacks than Spain (38%), Australia (36%), Germany (32%) and
France (27%), but less than India (50%) and Singapore (47%). In the UK, the attacks organisations
are the most aware of include: DNS-based Malware (52%), DDoS (43%), DNS Tunnelling (39%),
Cache Poisoning (34%) and Zero-Day Exploits (28%). It also found that a quarter of organisations
have been subjected to DDoS (26%) with 41% of those over 5Gb/sec, Cache Poisoning (25%) or
zero-day attacks (25%) in the past year while almost a third have been vulnerable to phishing (32%)
or DNS-based malware (29%) attacks. Almost a third (31%) of organisations surveyed experienced
Data Exfiltration via DNS. Of those, 16% had sensitive customer information stolen and 15%
intellectual property stolen. This could be social security numbers, job assignments or even bank
details. The threat is ever increasing: a third (34%) of those surveyed stated that they have experienced
more than five attacks in the last 12 months. By taking the measure of closing down affected
applications to mitigate an attack, 38% of organisations achieved what the attacker intended to do. For
50% of those who experienced a DNS attack, it took more than six hours, almost a full business day, to
mitigate it, requiring more than four members of staff in 34% of cases, which for many organisations
may be their entire network security team.

Telecoms companies now subject to new personal data breach notification rules
The EU's Regulation on the notification of personal data breaches applies to all providers of publicly
available electronic communications services, such as internet service providers (ISPs) and other
telecoms companies, and sets new rules on notifying both regulators and customers about personal
data breaches.
Link: https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2013:173:0002:0008:EN:PDF

Under the Regulation all providers of publicly available electronic communications services in the EU
will have to inform their competent national authority – which depending on where they are based
may be the national data protection watchdog or communications regulator, for example – within 24
hours of detecting that they have experienced a personal data breach.
The companies would have to supply the regulator with a range of information about the breach,
including the estimated date and time of the incident, the nature and content of the personal data
concerned and how many individuals are affected.
If all the information that the Regulation states should be provided to regulators is unknown, the
companies would be able to submit a partial initial notification within the 24 hour deadline and follow
it up with a further notification that includes all the information required within three days of
submitting that initial notification, unless it is not possible to meet this second deadline. In those
circumstances companies would have to offer regulators a "reasoned justification" for their failure to
meet the notification requirements on time.
The telecoms providers will also generally have to notify individuals affected by a personal data
breach "without undue delay" in cases where the breach is "likely to adversely affect the personal data
or privacy" of those individuals.
Factors such as the type of personal data that has been breached, the likely consequences of the breach
for individuals, and the circumstances of the breach, such as whether the data has been stolen or
where the provider knows the information is in the hands of an unauthorised third party, should be
assessed to determine whether a breach is likely to adversely affect individuals' privacy, according to
the Regulation.
However, telecoms providers would be able to avoid having to notify individuals if they can show
regulators to their satisfaction that the use of "technological protection measures" has rendered the
breached data "unintelligible to any person who is not authorised to access it".

Big Data

Meanwhile, telecom companies are unaware of the volume of data which, on proper
analysis, could yield deeper insights into customer behaviour, preferences, interests and their service usage
patterns. This is what Big Data is for Telcos. With the increasing adoption of smartphones and
growth in mobile internet, Telcos today have access to exceptional amounts of data sources, including
customer profiles, device data, network data, customer usage patterns, location data, apps
downloaded, etc. All this data combined becomes the Big Data.

While talking about the Big Data strategy, the telecom industry has an advantage due to the absolute
breadth and depth of data it collects in the course of normal business. A Telco serving 8 million
prepaid mobile subscribers generates approximately 30 million CDRs daily, amounting to 11 billion
records annually. If the same operator also provides post-paid and fixed-line services, then there is
even more volume and variety of data at the ready.

What is Sensitive data and sensitive data in telecom?

Sensitive personal data or information of a person means such personal information which consists of
information relating to:

(i) passwords
(ii) financial information such as Bank account or credit card or debit card or other payment
instrument details
(iii) physical, physiological and mental health condition
(iv) sexual orientation
(v) medical records and history
(vi) bio-metric information
(vii) any detail relating to the above clauses as provided to body corporate for providing service
(viii) any of the information received under above clauses by body corporate for processing,
stored or processed under lawful contract or otherwise:

Provided that, any information that is freely available or accessible in public domain or furnished
under the Right to Information Act, 2005 or any other law for the time being in force shall not be
regarded as sensitive personal data or information for the purposes of these rules.

The data stored in systems across the Communication service providers (CSP) environment contains
significant amounts of sensitive data. They have personal details such as name, gender, age, address,
email address and phone numbers. They have financial data such as bank details, credit card
information and credit scores. They have location information from mobile devices and usage
information such as which applications you use, which websites you visit or which people you call.
This makes them a prime target for data thieves who can sell this information for profit.

PECR security breach Notification in UK

Under the Privacy and Electronic Communications Regulations (PECR), organisations who provide a
service allowing members of the public to send electronic messages (e.g. telecoms providers or internet
service providers) are required to notify us if a personal data breach occurs.

The link below explains breach notification in telecoms for the UK.

Link: https://ico.org.uk/media/for-organisations/documents/1583/notification-of-pecr-security-breaches.pdf

Conclusion:

In breach notification in telecommunications, researchers found essential components, attack vectors
and telecom breach notification laws implemented by countries. As telecom industries grow
larger every day, protecting sensitive data from compromise by unauthorized persons becomes
essential for communication service providers.
