Government Confirms BSNL Data Breach

The Indian Computer Emergency Response Team (CERT-In) has confirmed a significant data breach at Bharat Sanchar Nigam Limited (BSNL), a government-owned telecom operator. This confirmation follows reports that hackers were selling 278 GB of sensitive BSNL user data, including IMSI (International Mobile Subscriber Identity) numbers and SIM (Subscriber Identity Module) card information. The hack was revealed after the stolen data appeared for sale on the dark web for $5,000 (approximately INR 4.17 lakhs). Minister of State for Communications, Chandra Sekhar Pemmasani, disclosed this information in response to a query from Congress MP Amar Singh in the Lok Sabha.

Root Cause Analysis:

The breach occurred due to a vulnerability in the FTP (File Transfer Protocol) server, which allowed attackers unauthorized access to sensitive information, such as IMSI numbers and SIM data. CERT-In identified that one FTP server contained data similar to the breached sample. The attackers exploited this vulnerability to exfiltrate the data. The breach was not detected early, despite rumors of a potential breach circulating since June. In response, BSNL has implemented measures such as changing access passwords for all FTP servers and enhancing endpoint security.

Impact of the Breach:

The stolen data can provide hackers with an entry point into BSNL’s networks, potentially enabling them to clone SIM cards, intercept communications, access private information, and disrupt services. This breach also paves the way for phishing attempts.

Enhancing FTP Security:

Using FTPS or SFTP: Plain FTP transmits both credentials and file contents in clear text, so anyone on the network path can read them. It is essential to use FTP over SSL/TLS (FTPS) or the SSH File Transfer Protocol (SFTP) to ensure data security in transit.

Encryption: Encrypt data stored on the FTP server and securely manage encryption keys to safeguard confidentiality.

Access Control: Implement strict access control measures, using the principles of least privilege and separation of duties to prevent unauthorized access.

Monitoring and Logging: Utilize tools like Security Information and Event Management (SIEM) to log and monitor activities within systems, including FTP logins and transfer volumes.

Network Security: Implement network security measures such as Intrusion Detection and Prevention Systems (IDPS) and firewalls.

Regular Updates: Keep critical servers and systems updated with regular security patches.
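As an added illustration of the monitoring point above (not code from the original article, BSNL or CERT-In), the following Python script reads an FTP transfer log in the xferlog format that vsftpd writes with xferlog_std_format=YES, and flags two signals that would have mattered in this incident: anonymous access and unusually large outbound volume from a single host and account. The log lines, hosts and file names are constructed samples; the 500 MB threshold is an assumed tuning value.

```python
from collections import defaultdict

# Constructed sample in xferlog (wu-ftpd style) format. Hosts are RFC 5737
# documentation addresses; the paths and account names are invented.
SAMPLE_XFERLOG = """\
Thu Jun 27 01:12:40 2024 3 203.0.113.5 734003200 /export/subscriber_imsi_part1.csv b _ o r bsnl_svc ftp 0 * c
Thu Jun 27 01:13:02 2024 2 203.0.113.5 524288000 /export/subscriber_sim_part1.csv b _ o r bsnl_svc ftp 0 * c
Thu Jun 27 01:15:19 2024 1 198.51.100.7 2048 /pub/readme.txt a _ o a anonymous ftp 0 * c
Thu Jun 27 09:00:01 2024 1 192.0.2.10 4096 /home/ops/report.txt a _ i r ops ftp 0 * c
"""

# Field names for the 13 tokens that follow the five-token timestamp.
FIELDS = ("transfer_time", "host", "size", "path", "type", "flag", "direction",
          "access_mode", "user", "service", "auth", "auth_id", "status")


def parse_xferlog(text):
    """Parse xferlog lines into dicts; the timestamp occupies the first five tokens."""
    records = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 18:
            continue  # malformed or truncated line: skip rather than guess
        rec = dict(zip(FIELDS, tokens[5:]))
        rec["timestamp"] = " ".join(tokens[:5])
        rec["size"] = int(rec["size"])
        records.append(rec)
    return records


def find_suspicious(text, outbound_threshold=500 * 1024 * 1024):
    """Return findings: anonymous logins and per-(host, user) outbound bytes over threshold."""
    findings = []
    outbound = defaultdict(int)
    for rec in parse_xferlog(text):
        if rec["access_mode"] == "a":  # 'a' = anonymous, 'g' = guest, 'r' = real user
            findings.append(("anonymous_access", rec["host"], rec["path"]))
        if rec["direction"] == "o":  # 'o' = outgoing from the server, i.e. a download
            outbound[(rec["host"], rec["user"])] += rec["size"]
    for (host, user), total in outbound.items():
        if total > outbound_threshold:
            findings.append(("bulk_download", host, user, total))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_XFERLOG):
        print(finding)
```

In production the same aggregation would run in the SIEM over a sliding time window rather than over a whole file, with the threshold set from the server's normal transfer baseline.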

Suggested Measures for Users:

Monitor Credit Services: Regularly monitor credit reports and report any suspicious activity immediately.

Enable Two-Factor Authentication: Implement two-factor authentication and change passwords to stronger ones.

Spam Protection: Enable spam protection features on various platforms and be vigilant about suspicious emails, blocking them immediately.

Recommendations:

Third-Party Risk Management: Ensure third parties maintain an acceptable level of security, which can be enforced through service level agreements (SLAs).

Employee Awareness Training: Conduct regular awareness and training sessions to keep employees informed about security best practices.

Updating Security Policies: Regularly assess and update security policies in response to the changing technological landscape.

Robust Incident Response Plan: Maintain a robust incident response plan to effectively deal with security incidents.

Continuous Monitoring: Utilize threat intelligence services to stay informed about emerging threats and vulnerabilities, and implement continuous monitoring systems.