TalkTalk Cyberattack Threatens 4mn Customers

UK telco TalkTalk has suffered a ‘significant’ cyberattack which has apparently led to a breach of customer personal data. TalkTalk’s websites were subjected to a sustained DDoS attack, which may have been cover for a more elaborate hack of customer data. TalkTalk is warning customers that their banking details may have been compromised. The business is working with police to investigate the attack, and is promising that all customers will receive one year’s free credit monitoring to mitigate the risks to them.

In response to the news, TalkTalk’s share price dropped 10 percent during Friday’s trading on the London Stock Exchange.

All TalkTalk’s websites were taken down during the attack, though they are now back up. Their webmail service was also interrupted.

A Russian Islamist group claimed responsibility for the attack, posting what looks like personal data online. This claim has yet to be verified.

This latest incident compounds TalkTalk’s terrible reputation for security. Earlier this year the theft of TalkTalk customer data resulted in a surge of malicious scams.

TalkTalk initially warned that all of its 4 million telephony and broadband customers may have been affected. CEO Dido Harding appeared on national news in a desperate bid to warn customers about the ramifications. However, she was rightly lambasted by the BBC’s news anchor.

Anchor: “How weak are your security systems?”

Harding: “Can our defenses be stronger? Absolutely. Can every company’s defenses be stronger? But to put it into context, there were 625,000 cyber offenses in the UK, just each month this summer.”

What kind of excuse is that? If there is lots of cybercrime taking place, that is a good reason to tighten security, not to be complacent about it! And if you know your defenses could be stronger, then make them stronger before you get attacked!

Later TalkTalk announced that the attack was ‘smaller’ than originally feared, and that only partial credit card details had been compromised. In short, whilst data had been taken from their website, other systems had not been hacked.

There are some signs of serious complacency in TalkTalk’s approach to cybersecurity. Some media reports suggest the hackers used SQL injection, a common technique that sophisticated businesses should guard against. Though TalkTalk launched a media barrage to try to reassure customers (and steady their share price), some of the information they shared with customers confirmed there are weaknesses in TalkTalk’s security. For example, the update on TalkTalk’s website states:

Not all of the data was encrypted. We constantly review and update our systems to make sure they are as secure as possible. We’re working with the police and cyber security experts to understand what happened and protect as best we can against similar attacks in future.

In short: not all of the data was encrypted. Then: waffle waffle constantly review security waffle waffle police and experts waffle waffle we will try to do better in future. Take away the waffle, and we are all left with one straightforward question: why the heck did TalkTalk fail to encrypt personal data? Sadly, we already know the reason why: because encryption is a computationally demanding process, so it is cheaper not to bother.
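Since the reports above point to SQL injection as the likely entry route, here is an added illustration (not TalkTalk's code, nor anything taken from the reports) of the coding pattern that makes a customer lookup injectable and the parameterised form that closes the hole. The table, rows and email values are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a customer table; the
# columns mirror the kind of "partial card details" the article mentions.
CUSTOMERS = [
    (1, "alice@example.com", "1234"),
    (2, "bob@example.com", "5678"),
    (3, "o'brien@example.com", "9012"),  # a legitimate value containing a quote
]


def make_db():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """Query built by string concatenation: the caller's input becomes part
    of the SQL grammar, so a quote character can change what the query does."""
    sql = "SELECT id, email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, email):
    """Same query with a bound parameter: the driver passes the value
    separately from the statement, so it is only ever compared, never parsed."""
    sql = "SELECT id, email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("concatenated:", lookup_vulnerable(db, probe))    # every row comes back
    print("parameterised:", lookup_parameterised(db, probe))  # no such customer: []
```

The parameterised version also copes with the legitimate "o'brien" address, which makes the concatenated query a syntax error; that is the second reason to bind parameters rather than escape by hand.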

TalkTalk has made strenuous efforts to inform customers about the attack, using social media and their website as well as appearing on television news. However, a cynic would argue this is motivated by damage limitation, not a genuine desire to warn customers. As TalkTalk’s websites had been pulled down for a prolonged period, they had to give some kind of public explanation of what happened.

In a subsequent development, CEO Dido Harding said she had been contacted by a group purporting to be the hackers, and that they had demanded a ransom. However, I think it shows poor judgment that this has been disclosed. Instead of distracting attention by mentioning what may be an opportunistic hoax, the focus should remain on why it was possible to compromise TalkTalk’s security. Nobody likes a criminal, but the CEO needs to talk about the matters she is responsible for – security, or the lack of it – instead of gossiping about the possible motives for a cyberattack.

Let me finish by responding to some of the excuses offered by CEO Dido Harding:

We’re a victim of crime here…

…I’m a customer myself of TalkTalk, I’m a victim of this attack.

No Dido Harding, you are not a victim of crime. Your customers are victims of crime; you are only a victim of your own complacency.

Dido Harding saved some money by cutting corners on security. Now her shareholders have suffered a much greater loss than could ever be recouped by reducing TalkTalk’s security budget. If the banking details of 4 million customers have been breached, then the amounts they will lose might also dwarf the cost of robust security.

TalkTalk’s CEO represents a managerial class that wants to make money by being online, but instead of investing in the armor needed to protect their businesses from attack, they prefer to huddle like sheep with other complacent business leaders. Meanwhile, the cyberwolves stalk them all. With tedious regularity we learn of yet another big business being compromised by hackers, and each time we hear the same excuses. Like sheep, their only strategy is to allow one or two to be savaged so the rest can continue as if nothing needs to change.

It is an insult for Dido Harding to call herself a victim. She has a solemn responsibility to protect the value of the company owned by her shareholders, and to protect the personal information of her customers. Talk is cheap. Platitudes about ‘working tirelessly’ and ‘the crimes of this generation’ are examples of empty talk. To protect data, businesses like TalkTalk need to spend more money on security. There is nothing else to say on this subject.

Eric Priezkalns
Eric is a recognized expert on communications risk and assurance. He was Director of Risk Management for Qatar Telecom and has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and others.

Eric was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He was a founding member of Qatar's National Committee for Internet Safety and the first leader of the TM Forum's Enterprise Risk Management team. Eric currently sits on the committee of the Risk & Assurance Group, and is an editorial advisor to Black Swan. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.

Commsrisk is edited by Eric.
  • Nixon Wampamba

    Thanks Eric for this detailed account. I was shocked when I landed on Sky News at the time the CEO was being interviewed. It seemed she had no idea what had occurred and had not been prepared by her legal team at all.

    Companies need to ensure they protect customer data at all cost, and it is about time they took these breaches seriously and made it harder for this type of hack.

    Personally, I think there is a disgruntled employee at the end of this rope; the company just needs to look and they will find him or her.

    • Nixon, you make a great point. Businesses prefer to talk as if the only threats come from outside, but that’s desperately naive. Unhappy employees are an enormous source of risk. TalkTalk failed to encrypt data, but hard encryption is a protective measure that defends data even from internal threats.