Three hack: UK IT industry hits out at 'corporate blindness' and firm's 'slavish devotion to short term margin'
Putting profit before customer risk has to end, say industry peers
The UK IT industry has spoken out against UK telco Three after the revelation that a recent breach endangered the data of six million customers.
Accusations of "corporate blindness" and of Three "waiting for a major breach" before improving its security measures are just some of the criticisms levelled at the telco.
"This is the umpteenth time a major company has suffered a data breach as a result of an employee login falling into the wrong hands," said François Amigorena, CEO of access management firm IS Decisions.
"eBay, Sony, Sage and other large corporations have suffered similar fates recently, and it seems that most organisations are waiting for a major breach of their own before doing anything to improve their security - which is the worst way to do things."
Intercede CEO Richard Parris concurred:
"The news of yet another security breach, this time at Three Mobile, makes depressing reading and it seems to be a story without an end," he reflected.
"These sorts of breaches, whether carried out by employees, customers or third parties, all appear to have something in common - fundamentally insecure approaches to identity, credential and application management."
Parris said that "slavish devotion to short term margin and revenue growth" is leading to "corporate blindness" in companies like Three.
"The risks are well known, and the solutions are available, but rather than sort the issue, C-level executives and board members the world over simply hope their company isn't next on the hit list."
Greg Hanson, VP of worldwide consulting at Informatica, also joined the criticism, suggesting firms like Three should be more mindful of where their data is, and of how it is stored and protected:
"Companies must move away from a damage-control mindset to a deep understanding of their sensitive information, so that they can implement data-centric security and protect it wherever it moves in the organization," he said.
"Unless companies understand exactly where their valuable assets originate, proliferate and reside, it is extremely likely that they will lose control of that data. And as the Three breach proves, companies must even prepare for an attack from the inside."
Certes Networks VP of EMEA, Dan Panesar, went so far as to say the entire industry now needs to shift to a "zero trust" model with user data, assuming every user can be compromised.
"The only way to halt such breaches is for the industry to rethink trust. The industry needs to adopt a 'Zero Trust' model in which it is assumed that every user might be compromised, and that no user is implicitly trusted," said Panesar.
"Any user might be a hacker in disguise. Organisations must adopt a 'need to know' access strategy, meaning users can only access the data they need to do their job. This means that when, not if, a hacker does pass a company's outer defences, as has happened time and time again, they do not have free rein over the systems of a company holding the personal data of millions of customers."
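To make the 'need to know' point concrete, here is an added example (written for this page, not code from Three, Certes Networks or any of the vendors quoted above) contrasting the pattern being criticised, where any authenticated employee login can pull every customer record, with a deny-by-default check that limits each login to the rows and fields its job actually requires. The customer records, role names, regions and field lists are all constructed for illustration; the `exposure_if_compromised` function simply counts how many field values an attacker holding a given login could retrieve, which is the "free rein" Panesar is warning about.

```python
"""Need-to-know (least-privilege) data access versus a perimeter-only check.

Added example for illustration; all records, roles and regions are constructed.
"""
from dataclasses import dataclass

# Constructed sample customer records (not real customers or numbers).
CUSTOMERS = [
    {"id": 1, "name": "Ann Example", "phone": "07700 900001", "dob": "1980-01-01", "region": "north", "billing": "ACC-0001"},
    {"id": 2, "name": "Bob Example", "phone": "07700 900002", "dob": "1975-05-05", "region": "north", "billing": "ACC-0002"},
    {"id": 3, "name": "Cat Example", "phone": "07700 900003", "dob": "1990-09-09", "region": "south", "billing": "ACC-0003"},
    {"id": 4, "name": "Dan Example", "phone": "07700 900004", "dob": "1985-03-03", "region": "west", "billing": "ACC-0004"},
]


@dataclass(frozen=True)
class Principal:
    """An authenticated employee login (hypothetical attributes)."""
    user: str
    role: str              # e.g. "support", "billing"
    regions: frozenset     # regions this person is assigned to work on


# Field-level need-to-know: the only columns each role is granted.
# Anything not listed here is denied, so "dob" is never returned to either role.
FIELDS_BY_ROLE = {
    "support": frozenset({"id", "name", "phone"}),
    "billing": frozenset({"id", "name", "billing"}),
}


def perimeter_only_lookup(principal, records):
    """The pattern being criticised: once a login passes the outer defences,
    every record and every field is returned, regardless of job or scope."""
    if principal.user:  # "is logged in" is the only check performed
        return [dict(r) for r in records]
    return []


def need_to_know_lookup(principal, records, region):
    """Deny by default: a login receives only rows in a region it is assigned to,
    and only the fields its role has been explicitly granted."""
    allowed_fields = FIELDS_BY_ROLE.get(principal.role)
    if allowed_fields is None:
        return []  # unknown or unlisted role: no implicit grant
    if region not in principal.regions:
        return []  # request outside the user's remit
    return [
        {k: v for k, v in r.items() if k in allowed_fields}
        for r in records
        if r["region"] == region
    ]


def exposure_if_compromised(principal, records):
    """Worst case for a stolen login under the need-to-know check: the attacker
    queries every region the user is assigned to. Returns the number of field
    values they could collect, so the blast radius can be compared."""
    total = 0
    for region in sorted(principal.regions):
        total += sum(len(row) for row in need_to_know_lookup(principal, records, region))
    return total


if __name__ == "__main__":
    agent = Principal(user="agent17", role="support", regions=frozenset({"north"}))
    print("perimeter-only exposure:", sum(len(r) for r in perimeter_only_lookup(agent, CUSTOMERS)))
    print("need-to-know exposure:  ", exposure_if_compromised(agent, CUSTOMERS))
    print("south lookup by a north agent:", need_to_know_lookup(agent, CUSTOMERS, "south"))
```

In a real deployment the role and region attributes would come from the identity provider rather than a hard-coded dataclass, and the filtering would be enforced server-side (in the query or the data layer), never in a client that the compromised account also controls. The point the example makes is the one in the quote: the same stolen support login yields the whole table under the perimeter-only check and a handful of redacted rows under the need-to-know one.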