The Background to the cyber breach
• TalkTalk customer base 4 million users
• The 21 October 2015 attack resulted in 157,000 individual personal records being compromised, including 16,000 bank account numbers and sort codes and 28,000 tokenised credit card numbers.
Who was to blame?
From a criminal point of view, five people are known to have been involved, four of them teenagers who have been arrested by the police. In truth, however, the real culprit is TalkTalk, for failing to protect its customers' data and to learn the lessons of the previous breaches over the preceding 12-month period.
So what are the lessons learned from this high profile cyber attack for all UK businesses and organisations regardless of size?
All businesses should expect to be breached. TalkTalk failed to plan ahead despite the experience of each earlier breach:
Action 1: Arrange a full security review: penetration testing, social engineering checks, dumpster diving (i.e. confirming that your confidential waste is disposed of properly), remote access connections, patch management, etc.
Talk the Tech Talk
Disconcertingly for a company that reported 2014 gross revenue of £1.7 billion ($2.65 billion), TalkTalk failed to invest sufficiently in, firstly, information security specialists and, secondly, the technology needed to withstand breaches.
Action 1: Ensure that your Board's PR spokesperson has had media training and uses the right technical terms ("sequel" being used in place of SQL).
Action 2: Ensure that no representative of your organisation appearing on camera (video or still) discloses anything about your company or its technical infrastructure. A simple look at the Open Web Application Security Project (OWASP), a not-for-profit software security information-sharing site, would have given TalkTalk a heads-up on the latest threats and vulnerabilities and how to correct them.
Know your network and understand security
Much of the public distress about this high profile cyber attack was that no-one in the management team could confirm whether the stolen customer data had been encrypted.
Action 1: Ensure that a member of the Board understands data security, understands and can talk about cloud computing, and understands the technical infrastructure of the organisation.
Speak the truth
In the TalkTalk scenario, the CEO claimed that they were “head and shoulders better than some of our competitors and some of the media bodies that were throwing those particular stones.”
Dido Harding's remarks to The Sunday Times fell on 'stony ground', as did her statement that under the UK's Data Protection Act 1998 TalkTalk was "not legally required" to encrypt customer data. Once a customer has become the victim of a cyber attack, the deed is done and that bond of trust is forever damaged.
Respect your customer’s data as being your crown jewels
The Data Protection Act 1998 places a duty of care on the organisation's data controller to look after all the personal data it holds, both its own and that of its customers.
With the value of data to cyber criminals increasing with every strand of personal detail, criminals can profit from many types of customer data. This does not have to be actual credit card or bank details; it can be any Personally Identifiable Information (PII) that, when pieced together, forms a profile of the individual which the criminal can then sell on to third parties.
Whilst there is as yet no UK legislation mandating that businesses and organisations encrypt their data, irrespective of the type of business, encrypting it is a straightforward preventative software step that protects your organisation. This simple move could save your organisation embarrassment and potentially millions of pounds in lost revenue and, critically, lost trust.
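To show what that "easy preventative step" looks like in practice, here is an added example (not TalkTalk's code, nor anything from the original article) of field-level encryption for the kind of bank details listed above. It assumes Go's standard-library AES-GCM, a 32-byte data-encryption key supplied by a key management service rather than stored beside the database, and a per-customer row ID that is bound into each ciphertext so that a dumped table yields no usable account numbers and a value moved between rows or altered in place is rejected on read.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key is 16/24/32 bytes, from a KMS in practice
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealField encrypts one PII field (sort code, account number, ...) with
// AES-GCM. The row ID is bound in as additional authenticated data, so a
// ciphertext copied into another customer's row fails to open instead of
// silently returning someone else's bank details. Output: nonce||ct||tag.
func SealField(key []byte, rowID, plaintext string) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per field
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(plaintext), []byte(rowID)), nil
}

// OpenField reverses SealField. Any error (wrong key, flipped byte, row ID
// mismatch) means the stored value must be treated as untrustworthy.
func OpenField(key []byte, rowID string, sealed []byte) (string, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("stored value too short")
	}
	pt, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], []byte(rowID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

With this in place, the management team's unanswered question ("was the stolen data encrypted?") becomes answerable from the schema alone: the sensitive columns only ever hold ciphertext.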