TalkTalk hacking – what they don’t teach you at Harvard

An estimated 4 million TalkTalk customers had their personal data stolen in what was the biggest known data breach in Europe in 2015. To help the retail C-suite brush up on online risks, here are our top 9 commonly held misconceptions about the state of cyber security at UK consumer companies.

talktalk-ceo-dido-harding

  1. Once the company suffers a significant breach, the CEO gets fired and the Information Commissioner’s Office (ICO) slaps a heavy fine on the organisation, causing it to sit up and fix its problems.

Wrong. TalkTalk was third time “unlucky”, as the company had already experienced two hacks, most recently with a breach of 500,000 customers’ data in August 2015, as part of a hack that affected 2.5 million Carphone Warehouse customers.

Dido Harding, the CEO, then appointed BAe Systems and farmed out cyber security to an external company – a vital error, as cyber security is an internal risk culture issue as well as a technical challenge. Perhaps they don’t teach IT risk assessment at MBA courses in Harvard, Dido’s alma mater? No fine was given by the ICO for these previous breaches and TalkTalk continued business as usual, exposing customers’ data to a new hack.

 

  1. Customers’ data is held encrypted and secure.

Wrong. TalkTalk has admitted that customers’ names, addresses and bank account details were held unencrypted and it might have been lacking in PCI compliance. In most big UK retail companies the same is true, and management’s eyes glaze over when you mention cyber security risk management. The company’s defence was that only part of the credit card number was stolen, so the hack was “not as bad as originally thought”. Needless to say, a full toolkit for fraud needs only bank account information and address.

In addition, the safety of customers’ phone logs is being questioned, so these logs are likely to surface on the dark net in the not too distant future, as with the Ashley Madison cheating scandal. Unfortunately it seems that CTO (Chief Technology Officer) Gary Steen got too excited about the future, with the Internet of Things and his new fibre networks taking his eyes off today’s priorities, which is protecting customers’ personal data.

 

  1. Big companies in the UK have an excellent record of looking after customers’ data.

Wrong. Most big UK companies are cheapskates and do the minimum necessary, which, legally, is only encrypting credit card numbers, customer names and expiry dates. Your address, bank details and purchase records do not legally require encryption, although best practice and common sense (particularly if you have been hacked already, like TalkTalk) indicate everything should be encrypted by defaultRead more about PCI (Payment Card Industry) and what it means.

 

keyboard1-680x383

  1. IT departments in big companies have a process for following identified fixes (patches) for discovered software vulnerabilities.

Wrong. The TalkTalk hack involved SQL injection – a technique where a malicious code is injected into a data-driven application to instruct the system to steal customers’ data. The technique is as old as the hills and was mentioned in Phrack (a hacker’s mag) back in 1998 when I was a wee techie lass at Cyberia Café. The fix for the technique is simple and widely known. TalkTalk not being on top of the SQL injecting fix shows that something has gone very wrong at Dido’s ranch. Lack of a Company Information Security Officer in the TalkTalk organisational chart, despite it being in the top five targeted companies in the UK, says it all.

 

  1. Cyber security is an important job and the experts have a high level of respect and a clear career path.

Very wrong. Cyber security is seen as a job that sits somewhere between boiler maintenance and air-con support, with the air-con getting a lot more attention (particularly during a hot summer). In most big UK companies cyber-techies are like children in the Victorian era – best seen but not heard, expected to maintain IT with no budgets, no career paths, no proper training (they should train themselves whilst hacking other companies for practice) and getting much less respect than the lowly intern doing the brand’s social media.

 

  1. UK companies like TalkTalk and the ‘big four’ banks have a strong risk assessment and internal risk protection culture, valuing customers’ data.

Wrong. Only last week I was visiting one of the big banks in the UK and saw a number of post-it notes with passwords stuck cheerfully on the PCs on the trading floor. As a recent survey found, one in five workers share their passwords with the team, and one in seven would sell the password if asked.

 

Internet Security System

 

  1. The government gives commercial companies in the UK a high level of support in the arms race against the global army of hackers, thanks to the appointment of Joanna Shield (ex Facebook exec) as Internet Security Minister. It is assumed that the businesses will be prepared and given the right level of attention in their fight to protect their customers. Right?

Wrong. Since taking on the job, Shield, a Conservative Baroness, has focused only on children’s online safety, which although commendable does nothing for commercial organisations’ state of preparedness for cyber attacks or preventing competitive loss in global markets. The role commands such heights of respect from the government that it is in fact…unpaid. Despite an increase of 23% in hacking instances since 2013 and billions of pounds lost, the recognition of the issue by the government has been conspicuous by its absence.

 

  1. UK companies do not sell customers’ data unless the customer has opted in for 3rd party mailings, as the cyber security of data is sacrosanct for management teams.

Wrong. Only a few days ago, the NHS-approved Pharmacy2You was found selling highly intimate customer emails and data on the open market, without customers’ agreement. The ICO fined the company £130k for malpractice. Even more concerning is the fact that nobody mentioned that to their internal IT team, who were apparently not aware of the practice of selling data without an opt-in by customers.

 

  1. It is really hard to hack into UK big brands’ customer databases.

Wrong. The culprit in the TalkTalk case turned out to be a 15-year-old Irish boy. Also, the number of tools for ‘unskilled hacking’ have been easily available online for all and sundry to pick up for free by millions of hackers in Russia, India and the Middle East – three big sources of online crime. Ignore them at your peril. Dido Harding, the hapless TalkTalk CEO stated, “we have gold security standards”. As someone commented on Twitter, in the circumstances the company would be well advised to upgrade to platinum before its 4 million customers walk away.

 

It’s high time your company carried out a cyber security audit before hackers get you. Email us to schedule a penetration test or risk assessment audit.