Leon Neal/Getty Images
show image

Oscar Williams

News editor

O2 4G outage: “Telcos have a lot of work to do on digital certificates,” warns expert

The CEO of Ericsson has revealed that an outage which left millions of O2 customers without 4G access on Thursday was caused by the expiration of a digital certificate.

The incident was resolved by Friday morning, but leaves O2 – one of Ericsson’s biggest clients – with a huge compensation bill, and has thrown light on the telecoms industry’s increasing exposure to digital certification errors.

In a statement, Ericsson CEO Börje Ekholm said “the faulty software that has caused these issues is being decommissioned and we apologise not only to our customers but also to their customers”.

The company said it was taking full responsibility for the incident, but a spokesperson refused, on the grounds of client confidentiality, to confirm whether it would be covering the cost of its partners’ compensation bills.

The number of digital certificates businesses depend upon has proliferated in recent years, and many major enterprises now have to look after hundreds of thousands at any one time to ensure their systems can transfer data securely.

Broderick Perelli Harris, a director at certificate management provider Venafi, warned that the telecoms industry had so far failed to make sufficient progress in keeping its certification in good order.

“We’ve been working with the banks in your wallet for five, six, seven years or more and they’ve taken the secure protection of machine identities very seriously,” he told NS Tech. “From what we’ve seen from the marketplace, telcos are obviously interested but they are having a harder time in engaging and taking a more systematic view of the issue.”

“They may have quite a bit of work in the space to seriously got on top of and in control of the certificates that they have,” he added.

Banks face multi-million pound fines if their services are taken offline by hackers or IT outages, but an Ofcom spokesperson told NS Tech the regulator had no plans to fine O2 or Ericsson. The NIS Directive, EU legislation which governs cyber attacks and outages for critical infrastructure, does not currently cover the telecoms industry in the UK. NS Tech understands that it will be reviewed in 2020 and could then be expanded to cover other sectors.