TalkTalk Cyberattack Threatens 4mn Customers

UK telco TalkTalk has suffered a ‘significant’ cyberattack which has apparently led to a breach of customer personal data. TalkTalk’s websites were subjected to a sustained DDoS attack, which may have been cover for a more elaborate hack of customer data. TalkTalk is warning customers that their banking details may have been compromised. The business is working with police to investigate the attack, and is promising that all customers will receive one year’s free credit monitoring to mitigate the risks to them.

In response to the news, TalkTalk’s share price dropped 10 percent during Friday’s trading on the London Stock Exchange.

All TalkTalk’s websites were taken down during the attack, though they are now back up. Their webmail service was also interrupted.

A Russian Islamist group claimed responsibility for the attack, posting what looks like personal data online. This claim has yet to be verified.

This latest incident compounds TalkTalk’s terrible reputation for security. Earlier this year the theft of TalkTalk customer data resulted in a surge of malicious scams.

TalkTalk initially warned that all of its 4 million telephony and broadband customers may have been affected. CEO Dido Harding appeared on national news in a desperate bid to warn customers about the ramifications. However, she was rightly lambasted by the BBC’s news anchor.

Anchor: “How weak are your security systems?”

Harding: “Can our defenses be stronger? Absolutely. Can every company’s defenses be stronger? But to put it into context, there were 625,000 cyber offenses in the UK, just each month this summer.”

What kind of excuse is that? If there is lots of cybercrime taking place, that is a good reason to tighten security, not to be complacent about it! And if you know your defenses could be stronger, then make them stronger before you get attacked!

Later TalkTalk announced that the attack was ‘smaller’ than originally feared, and that only partial credit card details had been compromised. In short, whilst data had been taken from their website, other systems had not been hacked.

There are some signs of serious complacency in TalkTalk’s approach to cybersecurity. Some media reports suggest the hackers used SQL injection, a common technique that sophisticated businesses should guard against. Though TalkTalk launched a media barrage to try to reassure customers (and steady their share price), some of the information they shared with customers confirmed there are weaknesses in TalkTalk’s security. For example, the update on TalkTalk’s website states:

Not all of the data was encrypted. We constantly review and update our systems to make sure they are as secure as possible. We’re working with the police and cyber security experts to understand what happened and protect as best we can against similar attacks in future.

In short: not all of the data was encrypted. Then: waffle waffle constantly review security waffle waffle police and experts waffle waffle we will try to do better in future. Take away the waffle, and we are all left with one straightforward question: why the heck did TalkTalk fail to encrypt personal data? Sadly, we already know the reason why: because encryption is a computationally demanding process, so it is cheaper not to bother.

TalkTalk has made strenuous efforts to inform customers about the attack, using social media and their website as well as appearing on television news. However, a cynic would argue this is motivated by damage limitation, not a genuine desire to warn customers. As TalkTalk’s websites had been pulled down for a prolonged period, they had to give some kind of public explanation of what happened.

In a subsequent development, CEO Dido Harding said she had been contacted by a group purporting to be the hackers, and that they had demanded a ransom. However, I think it shows poor judgment that this has been disclosed. Instead of distracting attention by mentioning what may be an opportunistic hoax, the focus should remain on why it was possible to compromise TalkTalk’s security. Nobody likes a criminal, but the CEO needs to talk about the matters she is responsible for – security, or the lack of it – instead of gossiping about the possible motives for a cyberattack.

Let me finish by responding to some of the excuses offered by CEO Dido Harding:

We’re a victim of crime here…

…I’m a customer myself of TalkTalk, I’m a victim of this attack.

No Dido Harding, you are not a victim of crime. Your customers are victims of crime; you are only a victim of your own complacency.

Dido Harding saved some money by cutting corners on security. Now her shareholders have suffered a much greater loss than could ever be recouped by reducing TalkTalk’s security budget. If the banking details of 4 million customers have been breached, then the amounts they will lose might also dwarf the cost of robust security.

TalkTalk’s CEO represents a managerial class that wants to make money by being online, but instead of investing in the armor needed to protect their businesses from attack, they prefer to huddle like sheep with other complacent business leaders. Meanwhile, the cyberwolves stalk them all. With tedious regularity we learn of yet another big business being compromised by hackers, and each time we hear the same excuses. Like sheep, their only strategy is to allow one or two to be savaged so the rest can continue as if nothing needs to change.

It is an insult for Dido Harding to call herself a victim. She has a solemn responsibility to protect the value of the company owned by her shareholders, and to protect the personal information of her customers. Talk is cheap. Platitudes about ‘working tirelessly’ and ‘the crimes of this generation’ are examples of empty talk. To protect data, businesses like TalkTalk need to spend more money on security. There is nothing else to say on this subject.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Director of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.