It’s not often that global telcos could be described as a ‘David’ in a ‘David and Goliath’ analogy, but that is exactly what we are looking at in the latest hacking scandal.
In a story that broke this week in El Reg:
https://www.theregister.co.uk/2019/06/25/global_telcos_hacked/ and CNBC https://www.cnbc.com/2019/06/25/hackers-hit-telecommunications-firms-cybereason.html, a long running espionage campaign has been waged by (it is alleged) the Chinese government against at least ten cellular telcos around the world.
While a telco might have a security team of 50 people, huge by comparison to most organisations, this is miniscule when compared to the resources of a nation state, hence the David and Goliath reference.
The campaign, which has apparently been running for several years, has even involved VPNs being set up within the telcos’ own infrastructure so that the perpetrators could snoop more quickly and easily on their targets. So the story goes, the campaign was aimed at 20 to 30 high value targets, and the snoopers were able to access hundreds of gigabytes of phone records, text messages, device and user metadata and location data for hundreds of millions of subscribers.
This is another reminder that you can’t necessarily rely on your telco or ISP to protect your data and metadata. This is not because they are particularly negligent or complicit, but simply that flaws in the old technology, that underpins most networks around the world, can be exploited by nation states with almost limitless resources.
If you don’t want to be tracked, if you want to keep your communications private, if you discuss company intellectual property or trade secrets that you don’t want your competitors to learn about, if you are a journalist, aid worker, or special/covert services operating in an unfriendly regime, you need to take steps to ensure that your mobile data is protected.
Watch this space for more on this story in the coming weeks.