Swisscom is to tighten security for so-called non-sensitive customer data in the wake of the misappropriation of a sales partner’s access rights. Swisscom was unable to identify any activities against its customers as a result.
In autumn of 2017, unknown parties misappropriated the access rights of a sales partner, gaining unauthorised access to customers’ names, addresses, telephone numbers and dates of birth. Under data protection law this data is classed as “non-sensitive.”
Prompted by this incident, Swisscom has now also tightened security for this customer information. The data accessed included the first and last names, home addresses, dates of birth and telephone numbers of Swisscom customers; contact details which, for the most part, are in the public domain or available from list brokers.
Swisscom collects this customer information legally: It is required when entering into a subscription agreement. Sales partners are given limited access to this data to enable them to identify and advise customers and conclude or amend contracts with them.
The system access required for this is protected by specific user logins and passwords. The contact details of around 800,000 Swisscom customers were affected by the breach – mainly mobile, and a few fixed network subscribers.
Swisscom discovered the incident during a routine check of operational activities.
Swisscom stresses that the system was not hacked and no sensitive data, such as passwords, conversation or payment data, was affected by the incident. Rigorous long-established security mechanisms are already in place in this case.
Although the misappropriated personal data is classified as “non-sensitive” under data protection legislation, investigating the incident is a top priority for Swisscom.
The relevant partner company access was blocked immediately. Swisscom also made a number of changes to better protect access to such non-sensitive personal data by third-party companies.