The mobile telecom world is driven by data: not just the transactional data between a user and the internet, but also the data about the user, their subscription, their physical devices and so on. How this data is managed and secured is a major issue, as the ecosystem of what is stored, where it is stored and who has access is evolving quickly. Not updating the data security strategy will be a red flag for a move to cloud-native storage and management, and this could ultimately impair business flexibility.
Subscribers are arguably an operator’s most valuable asset. Protecting their data should be a priority for any operator. With the migration to the telco cloud, which started with 4G networks and is now a foundation for 5G, new threats must be mitigated. Failure to do so could lead to decreased trust, increased churn, less ability to expand the business, and legally incurred costs. If operators don’t get data security right, it could, in the worst case, prevent them from going to the cloud. The ramifications of that happening would far exceed any reputation degradation after a data breach.
When data breaches become the norm
Yet, as stories about data breaches continue to surface, one could suspect many operators still need to improve their data security. One example of a significant (and for the operator, costly) security breach hit a US-based tier-one operator last year. Subscribers had their personal data, including names, credit card numbers and device identifiers, stolen. The story made headlines when it became known, partly because of the extent of the breach. Over 70 million subscribers were affected.
Did subscribers switch to another operator en masse? No, they did not.
While this may be surprising at first glance, data breaches are not unusual. They have become an inevitable norm for most people. Several analysts have pointed out that it is not until subscribers have been negatively impacted in a tangible way that they start to move away in larger numbers. Having your data stolen is quite abstract until someone uses your credit card online or hijacks your account. At the same time, switching to another operator takes some effort, and in the end, there is no guarantee that your new carrier will not fall victim to a data breach.
A stinging breach
The operator in this case was hit in other noticeable ways, however. In the months after the breach was revealed, the stock lost 30% of its value. And recently it was announced that the operator had reached a settlement with the affected subscribers to pay $350 million in damages, plus spend an extra $150 million on increased cybersecurity. In total, the settlement cost them $500 million. Even for a large operator, that must sting.
Exactly what system the data came from was never disclosed, but any subscriber data stored in a connected system faces threats from malicious attackers, and mobile networks are no exception. In the 5G core, the Unified Data Repository (UDR) is the logical function storing subscriber data. It consolidates several different databases, which reduces complexity and provides many benefits. Put simply, it is much more efficient than having a database for every single function. Because the UDR collects lots of personal and often sensitive data in one place, it becomes a prime target for cybercriminals.
How to secure subscriber data
Even though 5G was designed with security in mind, it leaves much of the choice of which security features to implement up to the operators. There is also plenty an operator can do to enhance security beyond the 5G security standards. When it comes to data, for example, 5G uses end-to-end encryption, which makes stealing data in transit pointless. But the data stolen from the tier-one operator was not in transit; it was at rest.
Protecting subscriber data at rest was perhaps less of a problem in the early days of mobile networking. ‘Security by obscurity’ helped keep mobile networks safe for a long time, but a cloud-native core network is by no means obscure. If a data breach does happen, and one must accept that it can, encrypted data is of no value or use to the attacker.
Perhaps the US tier-one operator will use some of the $150 million investment in additional security to ensure their data layer is encrypted. One can believe that learning from their mistakes and spending extra dollars on security enhancements will soon make their mobile network one of the safest in the US.
Designing security into the data layer from the start is imperative. Correcting a flawed design could become very costly, both in terms of direct costs for security incidents and for the disruption of development and operations it will cause. In the worst case, an unencrypted data layer could stop operators from going to the cloud with their core networks.