Netia, the second-largest telecoms operator in Poland, has suffered a serious data breach that has exposed private information, potentially impacting at least 300,000 customers.
The telco has confirmed that on 7 July, its official website was hacked by attackers, who accessed and compromised two different online forms that customers can use to contact the firm or to start an online contract for new services.
Following the attack, the hackers posted 14GB of data on the internet and then started a new Twitter account impersonating the Ukrainian far-right political party Pravy Sector, claiming responsibility for the attack and posting links to the data.
Netia says that no passwords or usernames were compromised, so users of the online self-service portal NetiaOnline do not need to take any action. However, the hackers accessed private user data including personal ID numbers, names and bank account numbers, a Netia spokesperson told Reuters.
Pravy Sector also confirmed that the Twitter account used to share the data was fake and had no connection to the political party.
Customer data, sales records and bank transactions leaked
However, Israeli cybersecurity firm Hacked-DB analysed the data from the breach and found that it is in fact much larger than first reported. One SQL database file contains 348,000 lines featuring full names, home addresses and IP addresses, while other files taken from the investor section of the website contained sales records, bank transactions and even affiliate marketing information, according to cybersecurity news site Hackread.
"We wish to emphasise that the data of customers and co-operating companies are secured by the experts of the company, which is supported by an additional, highly qualified, external advisory team," Netia said in a public statement to customers.
"Because of the violation and the publication of data, if you are invited by email, SMS text message or phone to provide personal information or make changes to pages (for example, to change passwords), please be very careful."
Netia says that it has now added protections to the customer data and has reported the incident to the police and the General Inspector for Protection of Personal Data. A team of both internal and external specialists is now working to establish exactly how the breach occurred.
Don't forget to secure your web forms
It is believed that the hackers might have exploited a vulnerability in the web forms and used it to access a large log file containing session identifiers associated with various customer accounts. With those session identifiers, the hackers might have been able to connect to Netia's SQL databases without having to authenticate with user credentials.
"While most organisations are cottoning on to the need to encrypt customer data when it is being shared by mechanisms such as email, for some reason web forms often slip under the radar. By and large, they are often submitted in plain text, unencrypted. This is despite the fact they are often used to share private and potentially sensitive information, such as: age, address or even bank details (as in this case). What's more, submitted information is sometimes at risk of then being held in an insecure environment," Tony Pepper, encryption firm Egress's CEO told IBTimes UK.
"Hackers are constantly looking for weak points of entry and web forms offer many an easy target. Businesses that use web forms need to ensure that the same level of information security assurance is applied as would be if the information was being shared over email. Additionally, once submitted, back-end processes need to be put in place to ensure this sensitive information is held in a secure environment that can only be accessed by approved employees. Otherwise, it is likely we will start to see more attacks of this kind from opportunist hackers."
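The log-hygiene point raised above (a log file full of session identifiers, and form fields carrying bank details), as an added example that is not part of the original article or of Netia's systems: a Python logging filter that masks session identifiers and sensitive form fields before a form-submission record is written, so a leaked log would hold neither reusable tokens nor customer bank data. The field names, cookie names and sample values are assumptions constructed for the demo.

```python
import logging
import re
from io import StringIO

# Constructed demo, not Netia's code; field and cookie names are hypothetical.
SENSITIVE_FIELDS = {"bank_account", "personal_id", "password"}  # never written to logs
SESSION_COOKIE_RE = re.compile(r"\b(sessionid|PHPSESSID)=([^;\s]+)", re.IGNORECASE)

def redact_form(fields: dict) -> dict:
    """Copy of the submitted fields with sensitive values masked."""
    return {k: "[REDACTED]" if k.lower() in SENSITIVE_FIELDS else v
            for k, v in fields.items()}

def redact_line(text: str) -> str:
    """Mask session identifier values wherever they appear in a log line."""
    return SESSION_COOKIE_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)

class RedactingFilter(logging.Filter):
    """Rewrites each record before the handler writes it, so raw tokens never hit disk."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_line(record.getMessage())
        record.args = ()  # message is already fully formatted
        return True

def build_logger(stream) -> logging.Logger:
    """Audit logger for form submissions; the redacting filter sits on the handler."""
    logger = logging.getLogger("form-audit")
    logger.setLevel(logging.INFO)
    logger.handlers.clear()
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger

def log_submission(logger, form_name: str, cookie_header: str, fields: dict) -> None:
    """Record that a form was submitted without recording anything replayable."""
    logger.info("form=%s cookie=%s fields=%s", form_name, cookie_header, redact_form(fields))

def demo() -> str:
    """Constructed submission: a contact form sent with a session cookie and bank data."""
    buf = StringIO()
    log_submission(build_logger(buf), "contact", "PHPSESSID=abc123def456; lang=pl",
                   {"name": "Jan Kowalski", "bank_account": "PL61109010140000071219812874",
                    "personal_id": "80010112345"})  # constructed sample values
    return buf.getvalue()
```

Calling `demo()` returns the single audit line with the cookie value and both sensitive fields replaced by `[REDACTED]` while the non-sensitive name survives for troubleshooting.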