It’s not been a good month for communications giant TalkTalk. You might remember the incident last year, when TalkTalk lost hundreds of thousands of customer records to hackers who took advantage of its lax security measures. But that wasn’t the end of it: TalkTalk customers were dealt another blow in October, when they learned they’d been hacked again. This ‘significant and sustained’ cyberattack did a lot of damage to TalkTalk’s brand, damage the company has been desperately trying to recover from ever since. And earlier this month the UK Information Commissioner’s Office fined TalkTalk £400k for the security failings that allowed the attack to happen.
Although the attack itself happened in 2015, the problems actually went back to 2009, when TalkTalk acquired fellow communications company Tiscali. During the transfer of systems and data, TalkTalk failed to investigate its new asset properly. If it had, it would have noticed that three of its newly acquired websites were highly vulnerable to attack. The database software behind them was no longer supported by the developer, so it was not receiving security updates. A security patch had been issued for the flaw, but neither TalkTalk nor Tiscali had actually applied it. Had this been done, the attack wouldn’t have been possible. As it was, the websites slipped through the cracks, and after an exploratory ‘soft’ attack at the end of 2014, hackers attacked the database again using a technique called SQL injection. In this attack they stole 156,959 customer records, all containing sensitive data. Investigations showed that 15,656 of those records also contained bank account details, sparking a panic among TalkTalk and Tiscali customers.
I actually feel that Information Commissioner Elizabeth Denham put it best. In her statement about the incident she said:
‘When it came to the basic principles of cyber-security, TalkTalk was found wanting. Today’s record fine acts as a warning to others that cyber security is not an IT issue; it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.’
This statement absolutely hits the nail on the head. Cyber security is too often labelled as an IT issue, something the other people in the company don’t need to think about. But when a data breach occurs, it’s the brand, the customers’ trust and day-to-day operations that are affected. For TalkTalk, this incident has caused a massive downturn in subscriber numbers and consequently in profits. The company is now having to attempt a major reboot and full rebranding to try to re-establish itself as trustworthy in the marketplace. The simple failure to keep its systems up to date and to install patches on time has caused damage to the company that will last for the foreseeable future. So next time you think that your business’s security is IT’s issue, just ask yourself: would you want this to happen to your business?