It’s Time We Compare Telecom Providers for Their Data Security

Ofcom should report on broadband and mobile providers’ ability to safeguard customer data.

Just when we thought telecoms providers couldn’t fall victim to any more data breaches, Three UK have proved us wrong yet again. Following on from a scare in November that saw the personal details of over 130,000 customers stolen, the mobile phone company have admitted that a fresh breach occurred over the weekend, when people reported seeing the details of other Three customers when logging into their accounts online.

However, aside from simply jeopardising the cybersecurity of their customers yet again, what this latest incident has also done is highlight one very pressing need within the telecoms industry.

Namely, this latest embarrassment has flagged up the increasing need for an overhaul in how network providers are evaluated and compared, so that the security of a provider is taken into account by regulators and analysts, just as they currently take into account a network’s speed or the level of customer service it offers.

That this need is urgent is underlined by how Three UK aren’t the only telecoms company to fail on cybersecurity in recent memory. For instance, TalkTalk’s notorious hack in October 2015 claimed the data of over 150,000 people and earned the mobile network a fine worth £400,000 from the Information Commissioner’s Office.

This attack had also followed two previous TalkTalk cyber incidents, both of which involved personal details being stolen by fraudsters. And if TalkTalk weren’t content to let things rest with 2015, November 2016 also saw them, KCOM, and the Post Office compromised in a Mirai worm attack, which stole the passwords of their customers’ wi-fi routers.

Other names — such as Vodafone and T-Mobile — could be added to this expanding list, yet what’s already clear is that cyberattacks and data breaches have become part of the ‘new normal’ for telecoms providers and their customers, which is precisely why the regulatory framework governing their market needs to be updated.

In fact, with certain companies, breaches occur with such periodic regularity that it’s no longer really possible to say with complete assurance that telecoms providers hold their customers’ data securely. At least in some cases, it seems more like the reverse: that providers are often struggling against the tide, retroactively chasing after new threats in a rushed bid to protect themselves from the high number of risks they face.

That these risks are growing each year is borne out by research into cybersecurity, what with PricewaterhouseCoopers’ latest Global State of Information Security Survey revealing that there was a 70% increase in detected security incidents in the telecommunications industry in 2016. On top of this, the survey also found that, of the incidents detected, 50% involved “compromise of customer records” — representing a 29% increase over the year before.

Such a rise highlights how cyber attacks are a general, pervasive problem confronting mobile and broadband providers as a whole, and how the motivation for such attacks is very often the accessing of personal data.

Yet aside from this being a problem general to all telecoms providers, it’s also a problem for their customers. In a November 2016 survey conducted by financial services firm KPMG, 50% of these customers “said a personal data leak would lead them to immediately cancel their contract.”

Not only that, but the study revealed that a “security breach is also twice as likely to prompt people to switch providers as being subjected to rude or unhelpful staff.” This is highly significant, since it reveals that the protection of data is one of the most important services a telecoms provider can perform for a customer, closely trailing behind the provision of actual broadband and mobile coverage.

And given that it’s so important, and that providers aren’t uniformly making such a great job of it, it’s vital that the telecoms industry and market is reformed so that data protection standards are integrated more fully into it. In particular, Ofcom’s mission and purpose should be updated so as to reflect the changed environment in which telecoms providers operate.

At the moment, the regulator has “statutory duties” and “regulatory principles” limited primarily to furthering competition. As admitted by Ofcom themselves and defined by the Communications Act, “Ofcom’s principal duty is to further the interests of citizens and of consumers, where appropriate by promoting competition. Meeting this duty is at the heart of everything we do.”

Accordingly, the regulator is charged with such tasks as ensuring “that a wide range of TV and radio services of high quality and wide appeal are available throughout the UK.” Yet added to this, they’re also required to “provide adequate protection for members of the public and others against […] unwarranted infringements of privacy resulting from activities carried on for the purposes of […] television and radio services.”

While this latter responsibility is currently focused on protecting against more ‘traditional’ infringements of privacy that can occasionally arise from, say, the making of television programmes, it clears the way for, and indeed calls for, its application to more contemporary issues of data privacy.

And since both it and the present context do call for this, Ofcom and the Government must seriously consider drawing up guidelines for best practices in cybersecurity, so that the performance of telecoms providers and their market as a whole is held up to more relevant standards.

Not only are new guidelines and regulation needed, but the approach of comparing and evaluating providers for the purpose of consumer choice also requires updating. This would require Ofcom, for example, to publish quarterly or annual tables on the best performing providers for data security, just as they currently do for customer service and consumer complaints (which the PwC survey suggests isn’t quite as important to them).

Yet it would also require a similar adjustment from industry analysts and comparison websites, with the likes of RootMetrics, for example, publishing network performance surveys that ought to be complemented by data on how securely providers keep their customers’ data.

While it may be difficult at the moment to obtain reliable information on what precisely providers do to protect personal data, it’s only by compiling such info and subjecting it to rigorous standards that customers will be able to make informed choices as to who they can trust.

More importantly, it’s only by the introduction of standards and frameworks that a mechanism of competition will be brought to bear on telecoms companies and their cybersecurity practices. By comparing them against clear guidelines on data protection, they’ll be made to compete more effectively on who exactly is the most reliable provider.

Through this, overall standards in the industry will be raised, and ultimately it will be customers who’ll benefit the most, since they won’t have to wait for another damaging breach to occur before knowing who they should trust with their data.

Lyndsey Burton, founder of Choose.co.uk, a consumer comparison site.