This week Dutch police arrested a 17-year-old hacker on charges of compromising user data on KPN servers and damaging the company's infrastructure. He allegedly also sold the stolen user data on a website he maintained with another teenager in Australia. KPN is the largest telecom in the Netherlands, and as a result of the breach it was required to undergo an assessment by the National Cybersecurity Center of the Netherlands, which determined that national security had not been compromised. KPN stated that, in the wake of the breach, the company will hire a Chief Security Officer and will put processes in place to continuously monitor its systems.
This incident serves as an important reminder on a number of fronts. First, with the recent media focus on hacktivism and state-sponsored corporate espionage, organizations simply can't afford to lose sight of the fact that you cannot predict the source of your threat. Certainly, most organizations don't design a data protection strategy to ward off teenagers. However, overlooking the fact that a single individual can pose as much of a threat as an organized group is dangerous.
An additional point to take from this story is the need for comprehensive data security, including encryption and proper key management. The hacker was able to compromise user data and then sell that data on the black market. Where cardholder data is involved, the PCI DSS requires that stored cardholder data be "rendered unreadable" (Requirement 3.4) and that the encryption keys be appropriately secured and managed (Requirements 3.5 and 3.6). Two caveats apply: those requirements cover cardholder data, not customer data in general, and the report does not say whether any of the KPN data was in scope; and encryption at rest only limits the damage if the keys are held separately from the compromised systems, which is exactly what 3.5 and 3.6 are meant to enforce. With those limits in mind, following the PCI DSS mandates can help reduce the extent of such a breach: an attacker who dumps a database of ciphertext without the keys has much less to sell.
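To make the "rendered unreadable" plus "keys secured" point concrete, here is an added example (not code from the original post, and not related to any KPN system) of envelope encryption in Go using only the standard library. Each record is encrypted under its own data-encryption key (DEK); the DEK is stored alongside the ciphertext but wrapped under a key-encryption key (KEK) that lives outside the database, in a KMS or HSM in practice. The record ID is bound as associated data so a ciphertext cannot be moved between rows, and the KEK can be rotated without re-encrypting the data. The KEK values, record ID and plaintext are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what lands in the database: ciphertext plus its wrapped DEK.
// Neither field is useful to someone who dumps the table without the KEK.
type Record struct {
	WrappedDEK []byte // DEK sealed under the KEK (AES-256-GCM, nonce prepended)
	Ciphertext []byte // data sealed under the DEK (AES-256-GCM, nonce prepended)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with a fresh random nonce and returns nonce||ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal; authentication failure (wrong key or wrong aad) is an error.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt creates a per-record DEK, encrypts the field with it, and stores the
// DEK wrapped under the KEK. recordID is bound as associated data on both layers.
func Encrypt(kek []byte, recordID string, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, plaintext, []byte(recordID))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kek, dek, []byte(recordID))
	if err != nil {
		return Record{}, err
	}
	return Record{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK, then decrypts the field with the DEK.
func Decrypt(kek []byte, recordID string, r Record) ([]byte, error) {
	dek, err := open(kek, r.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, r.Ciphertext, []byte(recordID))
}

// RotateKEK re-wraps the DEK under a new KEK; the data ciphertext is untouched.
func RotateKEK(oldKEK, newKEK []byte, recordID string, r Record) (Record, error) {
	dek, err := open(oldKEK, r.WrappedDEK, []byte(recordID))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(newKEK, dek, []byte(recordID))
	if err != nil {
		return Record{}, err
	}
	return Record{WrappedDEK: wrapped, Ciphertext: r.Ciphertext}, nil
}

func main() {
	// Constructed KEKs; in production these come from a KMS/HSM, never the database host.
	kek := bytes.Repeat([]byte{0x11}, 32)
	rec, _ := Encrypt(kek, "customer-42", []byte("constructed sample: NL99BANK0123456789"))
	if _, err := Decrypt(bytes.Repeat([]byte{0x22}, 32), "customer-42", rec); err != nil {
		fmt.Println("dumped row without the KEK is unreadable:", err)
	}
	pt, _ := Decrypt(kek, "customer-42", rec)
	fmt.Printf("with the KEK: %s\n", pt)
}
```

The design choice worth noting is the split between the two keys: the KEK is the only secret that must stay off the compromised host, and rotating it is a re-wrap of small DEK blobs rather than a re-encryption of every row.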
Lastly, the company said that in the wake of the breach it would be hiring a CSO. This is certainly timely, following on the heels of the Ponemon report that found that companies with a CSO were better prepared to respond to a breach and, in fact, spent less on incident response than companies without one. It will be interesting to see where the price tag on this incident ends up once customer reparations, breach notification, network remediation and forensics are taken into account.