Stealing data via a desktop telephone?

Data protection is a hot topic. In many countries worldwide new data protection laws are implemented. These laws are created to ensure that personal data as stored and processed by companies and organizations will be protected against theft and modification.

A well-known example is the General Data Protection Regulation (GDPR) as approved by the EU last year, which will become active in 2018. It will become law in all member countries. It is not a directive which can have different interpretations and timelines per country but will be the same law in all member states.

Data protection regulation is relevant when data can identify or provide information about a specific person. Personal data can be anything. Names, addresses, etc. of course. But also photos, financial documents or medical data. And – taking the European laws as an example – not just for the data owner, but also for third parties processing the data (e.g. cloud service providers) on his behalf. It also means that most regulation crosses international borders. The EU regulation applies to all companies who process personal data of European citizens.

What does data protection regulation cover? Typically, companies need to have a proper administration of which data are stored where (including local spreadsheets with customer data). They also should make it possible for customers to have their data erased and the design of their systems should guarantee data protection (called ‘privacy by design’). Finally, they have to inform the regulator and public about data breaches that occurred and penalties are increased to the level which can mean a serious financial risk for a company.

However, it is not just about your data infrastructure

Of course, everything is data nowadays. Also, voice telephony is a data service, and that is specifically the case for VoIP infrastructures and services as deployed in many companies and organizations. We noticed however that the key focus of many data protection projects is on traditional ICT infrastructures. VoIP is often a blind spot.

While…it is also about voice communications

Ignoring VoIP could mean a serious mistake, however. Let’s have a look for example at a medical institute. Patients definitely don’t like the idea that their information becomes public. Nevertheless, the phone can provide easy access to these data. First of all, a modern desktop telephone provides access to the complete contact list of the user of that extension. A customer list, or – in the medical institute – the list of patients for example. This is just a beginning. The desktop phone also gives direct access to the voicemail system, which may disclose some very sensitive information. For example, if one medical specialist shares his diagnosis with a colleague. The biggest risk is however that office phones are the perfect social engineering tool. If someone has unauthorized access to a business telephone, just his caller ID makes him a trusted person to other employees of the organization as well as staff from other organizations. This trusted personal contact is the best way to acquire sensitive information and other personal data.

So, are your business telephones secured?

Most people think that advanced business desktop telephones can be secured by a PIN or something similar. Which is true. However, this security is often not used. The security mechanism most of the time means that employees have to enter a username (for example an email address) and PIN via the very basic keypad of their telephone, which is a very inconvenient procedure. So in many occasions, once logged in, people keep their phones logged in as long as possible. Or the login mechanism is disabled completely. There are examples of professional service managers actually giving such advice to their end-users.

The impact is that many office telephones provide open access to private and other sensitive data. Not at a level that millions of customer or patient records can be downloaded at once. But still, via the telephone, private documents and other information can be stolen from your organization right now. Therefore, protecting your office telephones may be an essential step in your companies data security plans.