Criminals who broke into Dutch telecom provider Odido managed to deceive employees through phishing. They pretended to be the IT department in phone calls to bypass multi-factor authentication. 6.2 million customer files may have been stolen through automated scraping. It is yet another example of a data breach that circumvents strong security policies on paper. What now?
The attackers gained access by logging into customer service employee accounts. They obtained the passwords through successful phishing attempts. Sources reported this to the NOS, part of the national broadcasting agency in the Netherlands.
But the attackers didn’t stop there. Once the criminals had the password, they called the employees. They pretended to be Odido’s IT department and manipulated them into approving the fraudulent login attempt. This bypassed multi-factor authentication, the extra security step that normally blocks a login made with a stolen password. Since organizations of a certain size often have their basics in order, attackers have to be cunning.
Scraping from Salesforce
Several employees were hacked in this way. Specifically, it concerned Odido’s Salesforce environment. Attacks via that application or similar customer portals have become more common in recent years, with voice phishing and OAuth abuse being common tactics.
The attackers then extracted customer data from the system automatically, by scraping it record by record. It is unlikely that they were actually able to download all customer data, according to a source familiar with the hack who spoke to the NOS. “Extracting all customer data from this system takes a very long time, although it cannot be ruled out.”
Whether they succeeded depends on how long they were inside and how much customer data they managed to steal, security researcher Sijmen Ruwhof told the NOS. “With this method, you really need a number of days to do that, and you have to remain undetected the whole time.”
Possible scope
Odido is still keeping that possibility open and is warning 6.2 million people, both current and former customers, whose data may have been stolen. The company reported the data breach yesterday and has also reported the incident to the Dutch Data Protection Authority. Affected customers are still being informed; this may take a total of 48 hours.
It may have involved employees of foreign call centers that Odido hires. When asked, the telecom provider declined to comment on the findings of the NOS. Customers of SIM-only subsidiary Ben have also been affected by the same incident.
Humans as the weak link
Not everyone agrees that humans are the weak link in cyberattacks. This often sounds negative or implies that victims are guilty of negligence. We do not want to suggest that, but it remains important for defenders to remember the human factor, even if virtually perfect security practices are applied on paper. Security awareness training helps to reduce the number of successful phishing attempts, but it is not enough.
Those who assume a compromise will occur can limit the potential damage. There will always be an employee susceptible to the tricks of cybercriminals. The question now is whether Odido could have done more to prevent data theft on this scale. Organizations should focus more on protecting data and not just on their staff, precisely because people can be misled.
The fact remains, however, that cybercriminals with enough persuasiveness and the right targets regularly succeed with phishing attempts. The question now is whether measures could have been taken to better protect highly sensitive customer information, or to have deleted it long ago. After all, a customer’s passport number is not needed again after the initial verification. Bank details and home addresses could likewise be hidden from a customer service representative unless the customer has given permission to show them.
It is not certain how effective all kinds of defense mechanisms such as these are. Nevertheless, the scale of the theft shows that personal information was apparently available for scraping at Odido, with only the file size as a limitation once the accounts had been compromised.
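One data-side control the article hints at is spotting the scraping itself: a support agent re-reads a handful of records, while a compromised account walking the customer table touches a new record every few seconds for hours. The code below is an added illustration, not Odido's or Salesforce's own tooling; the audit-log shape, the agent names and the "20 distinct records per 10 minutes" threshold are constructed assumptions.

```python
"""Flag agent accounts whose distinct-record reads exceed what support work
needs. Added example; log format, names and thresholds are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # sliding window over each agent's reads
THRESHOLD = 20                   # assumed ceiling for normal support work

# Constructed audit events: (timestamp, agent account, customer record id).
BASE = datetime(2026, 2, 11, 9, 0, 0)
# Normal support pattern: a few records, one of them opened twice.
EVENTS = [
    (BASE, "agent17", "cust-000481"),
    (BASE + timedelta(minutes=3), "agent17", "cust-000482"),
    (BASE + timedelta(minutes=4), "agent17", "cust-000481"),
    (BASE + timedelta(minutes=40), "agent17", "cust-000519"),
]
# Scraping pattern: a new record every 3 seconds from one compromised account.
EVENTS += [
    (BASE + timedelta(seconds=3 * i), "agent42", f"cust-{100000 + i:06d}")
    for i in range(60)
]


def peak_distinct_records(events, window):
    """Per agent, the largest number of distinct customer records read inside
    any window of length `window`. Re-reading the same record does not add
    to the count, so an agent working one ticket is not penalised."""
    by_agent = defaultdict(list)
    for ts, agent, record in sorted(events):
        by_agent[agent].append((ts, record))
    peaks = {}
    for agent, reads in by_agent.items():
        recent = deque()               # reads still inside the window
        in_window = defaultdict(int)   # record id -> reads inside the window
        best = 0
        for ts, record in reads:
            recent.append((ts, record))
            in_window[record] += 1
            while recent and recent[0][0] < ts - window:   # expire old reads
                _, old = recent.popleft()
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
            best = max(best, len(in_window))
        peaks[agent] = best
    return peaks


def flag_scrapers(events, window=WINDOW, threshold=THRESHOLD):
    """Agents whose peak distinct-record rate exceeds the threshold."""
    peaks = peak_distinct_records(events, window)
    return sorted(agent for agent, n in peaks.items() if n > threshold)
```

In practice the threshold would be tuned per role from historical logs, and an alert should also trigger step-up verification or a session revoke rather than only a ticket.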