Information security violations and threats detected by telecommunications operators

Telecommunications operators constantly monitor information security in their communications networks and services and address information security incidents detected in their customer connections or services. Telecommunications operators detect and address hundreds of thousands of different information security incidents per year. Traficom collects regular statistical data on such information security measures by telecommunications operators

The graph above shows the total number of information security incidents addressed by telecommunications operators per year. The number of incidents decreased from 2014 to 2016 but has since then grown at an increasingly rapid rate. In 2013–2014, one telecommunications operator had technical difficulties in informing its customers of malware infections, which led to an increase in the number of cases addressed by operators in those years.

Since 2016, the number of incidents has grown each year. This is partly due to the increasing number of malware infections (e.g. Mirai) in home routers and IoT devices (see also the statistics on malware detected by Traficom). However, the main cause of growth in incident numbers since 2019 has been the fact that some of the largest telecommunications operators have changed the way they compile statistics. There are no detailed regulations on how statistics on information security incidents should be reported, and operators compile their statistics as they see fit.

In addition to monitoring information security incidents in general, telecommunications operators report to Traficom significant information security violations or threats of such violations. When assessing the significance of a violation or threat of such violation, key issues include the protection of the rights of subscribers and users, the operability of the service and the extent of the affected geographic area. Traficom receives reports of significant incidents once or twice a month on average.

The majority of significant information security incidents reported by telecommunications operators involves data breaches into information systems or unauthorised use of such systems, vulnerabilities in the systems of telecommunications operators, or large-scale denial-of-service (DoS) attacks made via the networks of telecommunications operators.

The incident types are presented as percentages since one information security violation or threat may have several causes.

In addition to significant information security incidents or threats, telecommunications operators report all personal data breaches to Traficom. Personal data breaches refer to situations where personal data of at least one person is destroyed, lost, altered or disclosed to other parties accidentally or without authorisation.

The number of reports on personal data breaches has increased intensely in recent years. It is unlikely that the number of personal data breaches, as such, is growing. Instead, telecommunications operators are now better aware of the situations considered as personal data breaches and that all such situations must be reported.

The most common type of personal data breach is the mismanagement of customer data. In such cases, a telecommunications operator processes its customers’ personal data erroneously, which leads to disclosing one customer’s personal data to another customer. For example, a customer who is ordering a new subscription accidentally receives a copy of the subscription order of the customer served before them. There may also be cases where a customer wants to postpone the due date of an invoice and contacts their operator by phone or chat, but a wrong phone number is saved in their contact details, so a confirmation text message of the postponement is sent to another customer.

The graph above illustrates the different types of personal data breaches. The incident types are presented as percentages since one incident may have several causes