SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
Massive data leak in Czech Republic- and how to avoid one
Tue, 21st Jun 2016
FYI, this story is more than a year old

Over 1.5 million customer records at T-Mobile Czech Republic were stolen by one of its employees, according to local media.

In an official statement, T-Mobile admitted that an incident has taken place but refused to confirm the scale or provide details about what information, if any, was leaked.

It said that due to an ongoing police investigation, it is “unable to provide any additional specific information”.

Based on the fact that the investigation has been handed over to the Czech Police Unit for Combating Organised Crime, speculation has arisen in Czech media that the data leak has been massive.

It probably involved all 1.5 million T-Mobile customers, making it the largest known data breach ever in the Czech Republic. According to the operator's spokesperson, the firm's security controls were triggered “immediately” following the illegal activity (the copying of the customer database).

It remains unclear what happened with the data – T-Mobile claims that the perpetrator was caught when attempting to sell the database, while some media outlets claim that the data actually fell into the wrong hands.

According to a 2016 Ponemon Institute study, an average data breach causes damages worth $3.5 million to the affected company.

“Employees are the biggest threat factor to data – be it they trade secrets, customer payment data or personal information on customers or employees,” commented Petr Žikeš- CEO at Safetica Technologies, a data loss prevention company.

“Anything that can be easily exploited or monetised is in danger of being stolen.

Safetica experts recommend the following steps to prevent incidents similar to what happened at T-Mobile Czech Republic:

  • Don't underestimate insider threats
  • Monitor data flows in your organisation to reveal risky operations
  • Monitor your workers, applying a risk-based approach (i.e. closely follow those in probationary period or notice period)
  • Set and enforce rules for handling critical data
  • If data security is important for your organisation, then consider implementing a Data Loss Prevention solution