Last week, TalkTalk announced they had been subjected to a ‘significant and sustained’ cyber attack, which potentially affected all of their 4m customers. Little more information followed, although the CEO, Dido Harding, made multiple media appearances and attempted to answer questions with what became apparent was little knowledge.
I was on Five News on Friday evening talking about how the attack might have happened. Since then, a 15-year-old boy from County Antrim has been arrested in connection with the attack, under the Computer Misuse Act. As I said on Five News, it seems most likely that the attack was carried out by SQL injection, whereby attackers take advantage of a flaw in the website to access the database behind it and exfiltrate data using code. It definitely was not carried out by a Distributed Denial of Service (or DDoS) as TalkTalk’s CEO initially claimed, in which attackers flood the website with traffic until it can’t cope with demand and goes offline. Attackers usually use botnets to do this, which are networks of compromised computers used to direct traffic at the site. If you inadvertently download malware on your machine, for example by clicking a dodgy link, your machine could be used as part of a botnet without you necessarily realising it. It could be that the attackers used a DDoS to distract TalkTalk while they carried out the actual attack on their data (which we’ve seen before), but it is technically impossible to extract data using a DDoS.
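To make the SQL injection mechanism concrete, here is an added illustration (not code from the original post, and nothing to do with TalkTalk's actual systems): a constructed in-memory customer table is queried once with the flawed string-concatenation pattern and once with a parameterised query, so you can see why the first lets input change the query and the second does not.

```python
import sqlite3

# Constructed sample data standing in for the customer database behind a website.
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "12-34-56 / 12345678"),
    ("bob", "bob@example.com", "65-43-21 / 87654321"),
    ("o'brien", "obrien@example.com", "11-22-33 / 11223344"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT, bank TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, username):
    # The flaw: user input is pasted into the SQL text, so a quote character in the
    # input changes the structure of the statement instead of being treated as data.
    sql = "SELECT username, email, bank FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # The fix: a parameterised query. The statement shape is fixed in advance and the
    # driver passes the value separately, so the input can only ever match a username.
    sql = "SELECT username, email, bank FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Return (unsafe_result, safe_result) for one input.

    The unsafe path may raise on a stray quote; that error is returned as a string so
    the two behaviours can be compared side by side.
    """
    conn = make_db()
    try:
        unsafe = lookup_unsafe(conn, username)
    except sqlite3.OperationalError as exc:
        unsafe = f"SQL error: {exc}"  # the input broke the statement itself
    safe = lookup_safe(conn, username)
    conn.close()
    return unsafe, safe


if __name__ == "__main__":
    # A normal name, a name containing a quote, and a classic tautology input.
    for name in ["alice", "o'brien", "x' OR '1'='1"]:
        print(repr(name), "->", compare(name))
```

The tautology input returns every row from the unsafe function (the whole table walks out of the door) and nothing from the safe one; the name with an apostrophe breaks the unsafe query outright but is handled correctly by the parameterised version.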
I was then on Sky News on Saturday evening responding to a statement released by Dido Harding that day, in which she said that the attack was not as damaging as first thought. Credit card data had the middle six digits redacted and the database attacked was not the main customer payment one, so 400,000 customers had been affected rather than all 4 million. However, personal data was still stolen, as were bank credentials. Identity fraud is a huge problem for the UK and a profitable business for organised crime. It is harder for criminals to steal money with stolen bank credentials than with stolen credit card details, but not impossible, as Jeremy Clarkson will attest. You also can’t change your bank credentials without opening a new account, whereas you can of course block your credit card and order a new one. And, of course, changing your personal information isn’t really an option (I for one don’t want to move house purely because of a data breach).
The CEO of TalkTalk has been widely criticised for her media appearances, and understandably so when she failed to answer basic questions such as whether the data was encrypted. Further alarm bells sounded when she attributed the data exfiltration to a DDoS, claimed that TalkTalk had not breached the Data Protection Act because the information was stolen, and described a SQL injection as a sequential injection. Getting so many details wrong prompts the question of who is providing her technical and compliance advice, and reinforces the impression that TalkTalk are not as technically capable or informed as one would expect of any company, let alone a telco. While I would say that her making so many media appearances to speak to customers is to be commended, I agree with Rik Ferguson that a CISO would probably have been more appropriate and better informed. As Rik points out, if TalkTalk had a CISO they would likely have had better security in place and been more prepared for an attack.
Sky News also asked me the extent to which this is a problem for all organisations and whether we should, effectively, just go offline because security is so bad. This is a problem for all organisations, large and small, and is costing UK business at the very least £4.1 million a year. Cyber crime is now the most common crime in the UK and as such our organisations need stronger defences, people need to be better informed about minimising online risks and our police forces need far more resources. However, even the most cynical information security professionals still use the Internet. They bank online, shop online and use social media – but they do it all in a security-conscious way.
Last week I wrote a blog post advising companies of my top security tips. For individuals concerned about their personal and financial data, these are some of my recommendations:
- Use a credit card, and only one credit card, to do all of your online shopping. That way you can track payments much more easily, and if the card is defrauded, the bank will take the hit.
- Check your bank statements regularly for unusual payments and call the bank if you’re concerned. If you’re a TalkTalk customer and you’re worried, speak to your bank about what they can do to monitor your account and block any large or unusual payments.
- Watch out for phishing emails or calls in the wake of this (and all) data breaches. Criminals often use breaches like this to carry out more scams – TalkTalk, banks, and any reputable company will not send you an email or call you asking for login, payment or account details. If you receive any communication you’re not sure of, you can always get the company’s customer service number from another source (for example, one of your latest bills or their website, but not from the email or call you’re concerned about) and phone them to check. It’s always better to be safe than sorry.
- Don’t click on links or download attachments that you’re not expecting or from people you don’t know.
- Use strong, unique passwords and, given the challenges with that, consider password management software.
- Use two-factor authentication wherever possible.
Perhaps most importantly, as consumers, we need to demand more from organisations and hold them to account. Reports that TalkTalk customers are being charged a £250 penalty to leave are disappointing (although probably not surprising). TalkTalk must be very worried about the reputational damage that this attack is wreaking, the lack of trust it is engendering among consumers and the impact of this, namely losing customers and profit. TalkTalk have already lost £360m in value in the wake of this attack, there is talk of huge compensation payouts and calls for Harding’s resignation. To some extent, companies will only truly take security seriously when it becomes a competitive advantage. Until organisations feel that security is a way to win or lose customers, they generally see it as a sunk cost. Too often it is only when they’re trying to weather the storm of an information breach (i.e. when it is too late) that organisations recognise the true value of information security – as Dido Harding would no doubt confirm this week.