TalkTalk – What lessons can we learn?


Now that the dust has settled on the data security breach suffered by TalkTalk, we look back at the fundamental mistakes made by TalkTalk leading up to and following the data breach and what this cyber-security breach may mean for the company.

Background

On 21 October 2015 TalkTalk suffered a distributed denial of service (DDoS) attack on its website. The website was hit by waves of traffic which overloaded the security systems and distracted TalkTalk's defence team, while the hackers accessed the network and downloaded customer data. Originally, it was reported that 4 million of its customers had been affected, but this figure has now been revised to 157,000.

But what steps could TalkTalk have taken to prevent this cyber-security breach and how should they have responded to the loss of their customers' data?

Lack of Preparation

You may have read our recent article “Data Security Breaches: Are you prepared?”, which was published before the TalkTalk data security breach. In this article, we highlighted the importance of preparing for a data security breach, including:

  • ensuring personal data is protected by appropriate technical and security measures;
  • having a data security breach action team who are adequately trained in dealing with data security breaches; and
  • having a clear and detailed cyber incident response plan.

TalkTalk came under criticism when it was revealed that the customers’ personal data was not encrypted. Although it is not a panacea, encryption is a relatively easy and cost-effective technical and security measure to implement that adds a further layer of protection. TalkTalk also admitted to a lack of compliance with web security standards for credit card payments and data handling, as well as to a failure to cryptographically segment its security system into separate fragments, which may have prevented the hackers from reaching the wider system.
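As an added illustration of the kind of technical measure the paragraph refers to (this is example code written for this page, not TalkTalk's systems or any code from the original article), the Go program below encrypts the sensitive fields of a customer record with AES-256-GCM before they are stored, on the assumption that the key is held in a separate key store rather than alongside the data. The record's account ID is bound in as associated data, so a ciphertext copied from one customer's row to another will not decrypt. The names CustomerRecord, Seal and Open, and the sample record, are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// CustomerRecord is a constructed example row. Only the lookup key is stored
// in clear; the personal data fields hold base64(nonce || ciphertext || tag).
type CustomerRecord struct {
	AccountID         string
	NameCipher        string
	BankDetailsCipher string
}

// newAEAD builds an AES-256-GCM cipher from a 32-byte key. The key is assumed
// to come from a separate key store (KMS/HSM), never from the same database.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key and binds it to accountID as associated
// data. A fresh random nonce is generated per call and prefixed to the output.
func Seal(key []byte, accountID, plaintext string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nonce, nonce, []byte(plaintext), []byte(accountID))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open reverses Seal. Any change to the nonce, ciphertext, tag or account ID
// makes the GCM authentication check fail, so tampering surfaces as an error.
func Open(key []byte, accountID, encoded string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(ct) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := aead.Open(nil, ct[:ns], ct[ns:], []byte(accountID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// In production the key would be fetched from the key store at start-up.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	rec := CustomerRecord{AccountID: "ACC-0001"} // constructed sample account
	rec.NameCipher, _ = Seal(key, rec.AccountID, "Jane Example")
	rec.BankDetailsCipher, _ = Seal(key, rec.AccountID, "sort 00-00-00 acct 12345678")

	// A dump of the table without the key yields only opaque strings.
	fmt.Printf("stored row: %+v\n", rec)

	// Legitimate access with the key and the matching account ID succeeds.
	name, err := Open(key, rec.AccountID, rec.NameCipher)
	fmt.Println("decrypted name:", name, "err:", err)

	// Moving the ciphertext to another account's row is rejected.
	_, err = Open(key, "ACC-0002", rec.NameCipher)
	fmt.Println("cross-record reuse rejected:", err != nil)
}
```

Field-level encryption of this kind limits what a stolen database copy is worth, which is the point the paragraph makes; it does nothing for data the application has already decrypted in memory, and it is only as strong as the separation between the key store and the data store.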

This was the third cyber-security attack on TalkTalk this year, and it seemingly did nothing to improve the protection of its customers’ personal data after the first two attacks, despite a security consultant warning the company in September that its cyber-security protection was below standard.

Lack of Response

Our article also covered what steps to take immediately following the realisation that your company has suffered a cyber-security breach. We recommended that your data security breach action team should be well trained to quickly and decisively handle the effects of any cyber-security breach. This includes notifying the relevant parties, depending on the seriousness of the breach.

Given the potential scale of the cyber-security breach (it was originally anticipated that 4 million customers had data stolen), Christopher Graham, the Information Commissioner, has criticised TalkTalk for posting a notice of the attack on the Information Commissioner’s Office website at 4.30pm on Thursday, rather than notifying him directly with a phone call. It took another five and a half hours for TalkTalk to make the news of the attack public, with a statement released on its website at 10pm.

TalkTalk was also criticised for its slow response in providing support to its customers to help mitigate the impact of the personal data breach. If customers had been notified sooner and given clear details about the extent of the breach, they could have taken the necessary precautionary measures to prevent further loss, such as changing their login details for online banking.

Impact on TalkTalk

In the wake of the news of the cyber-security attack, TalkTalk’s share price dropped by 10% during the first few hours after the London Stock Exchange opened. Dido Harding, TalkTalk’s CEO, has estimated that the data security breach could cost the company between £30 million and £35 million. This figure includes the cost to the business of responding to the incident, the incremental calls into the call centres, additional IT and technology costs, and the fact that the website has been down for a prolonged period. The Information Commissioner has yet to release details of the fine it will inevitably impose on TalkTalk, but this could be as much as £500,000.

The reputational impact on TalkTalk is much more difficult to quantify, and only time will tell whether new customers are put off joining TalkTalk and whether existing customers will leave. In an attempt to persuade its existing customers to stay, TalkTalk has, at considerable expense to the company, offered free upgrades to all customers and not just to those who were affected.

Impact on the Telecoms Industry

On 3 November it was announced that the Culture, Media and Sport Committee had launched an inquiry into cyber security following the recent cyber-attack on TalkTalk's website, to determine what the wider implications are for telecoms and internet service providers. In particular, the committee invited opinions on the following:

  • the nature of the cyber-attacks on TalkTalk’s website and TalkTalk’s response to the attack;
  • the robustness of the measures telecoms and internet service providers are putting in place to maintain the security of their customers’ personal data (including details regarding the level of investment);
  • the nature, role and importance of encryption in protecting personal data;
  • the adequacy of the supervisory, regulatory and enforcement regimes in place to ensure companies are responding sufficiently to cyber-crime;
  • the adequacy of the redress mechanisms and compensatory measures for consumers;
  • likely future trends in hacking, technology and security.

The deadline for submitting written submissions expired on 23 November and we await the Committee’s report on its findings.

Conclusion

The cyber-security breach suffered by TalkTalk is just another reminder of the significant impact that a cyber-security breach can have on a company. It also highlights that cyber-security breaches can be prevented, and their effects mitigated, if a business is willing to implement the steps identified in our previous article. As a minimum, this means maintaining up-to-date and robust technical and organisational processes to protect your data, and planning and preparing your organisation so that it is ready to respond to a breach.

For further information regarding how you can prepare your business for a cyber-security breach, contact Luke as below.