On Friday, as the whole TalkTalk hacking was blowing up in a big way, I sat down to write an article about the fiasco, if fiasco is a strong enough word to describe the mess TalkTalk find themselves in. The problem is that every time I managed to write a bit the story had once again changed. As with many things however, the more you sit and watch it, the more you recognise patterns. Two such patterns that have come out of this debacle are:
- Here’s another company that has failed to invest in Information Security;
- The CEO – Dido Harding has been taking business lessons from Gerald Ratner.
“Your mistakes don’t define you, how you handle them does”
To paraphase the famous quote, show me a company that doesn’t have incidents and I’ll show you a company that doesn’t do anything. According to the 2015 Information Security Breaches Survey, large businesses suffered a median average of 14 breaches in 2014. The complexity of modern IT systems virtually guarantees that they will have vulnerabilities, known or otherwise. Of these, some can be defended against, and some cannot. Good security assurance is the key to understanding your vulnerabilities and managing them. This should be coupled to a mature security governance function that ensures you’re accurately reporting the risk your technology landscape presents. Doing something about information security risk on the other hand requires the support of the entire organisation from the shareholders and the board, down through management, and of the staff on the ground. It would appear that TalkTalk has done none of this.
Had it turned out that TalkTalk had been attacked by a nation-state sponsored piece of malware written using a combination of zero-day vulnerabilities then there may have been cause for some sympathy. Instead it appears they were done by a SQL Injection attack. Potentially while being distracted by a denial of service attack. Along with Buffer Overflows, SQL Injection is one of the simplest of attacks, and is also so well understood that any half decent developer can prevent them, and any half decent penetration tester should be able to find them. As such, there’s no excuse for SQL Injection vulnerabilities being the source of breaches. Also inexcusable, but less relevant in this case is the fact that TalkTalk failed to encrypt the data on their systems. I say less relevant, because encryption only prevents the data being accessed at rest, or captured as it travels across the network. If on the other hand you can compromise the display mechanism, then you can have as much encryption as you want, and your web server will still merrily display the data.
Where TalkTalk really fall down however is how they handled the attack after it happened. Re-read the start of the article. The narrative kept changing which suggests that TalkTalk didn’t keep in control of the situation. It would be expected that a company the size of TalkTalk would have an effective incident response plan. However, it appears that keeping the team communicating with the public and the media were not kept up to date with what was going on – either that or they volunteered far too much information. As a rule of thumb, when it hits the fan, the first thing to do is turn the fan off. Next, there’s no point standing there saying nothing’s wrong when everybody can see the mess around you – so admit you’ve had a problem. After this point, only release facts that you know aren’t subject to change. Don’t speculate publically. Don’t provide half answers. Get your dates right. In TalkTalk’s case, they went public on the Thursday, having discovered the problem the day before. Then victims, allegedly defrauded in relation to the TalkTalk hack come out and say it happened the weekend before. Result is, the company looks foolish at best, and complicit at worst.
“SHUT UP and STOP DIGGING”
Talking of looking foolish, I’m inclined to shout the message above as loud as possible. When you find yourself in a hole, please just SHUT UP. Dido Harding, the CEO of TalkTalk, having just suffered a major breach felt that the best thing to do would be to stick both feet down her throat. To talk about how there would be no general policy of letting people that have lost all confidence in TalkTalk to leave their contracts. To suggest that they had no legal obligation to ensure customer data was encrypted. Leaving aside the arguments as to why such a position seems short-sighted, it’s an awfully effective way to antagonise your current and potential customers – short of sticking up two fingers and saying “up yours”.
Even if she doesn’t care about the hack, or the customers, or the technology, as the CEO she should be concerned with TalkTalk’s share price. Oh dear! At the close last Tuesday the share price sat at 289.60 pence per share, at the same point today, it was 259.90, having hit a low of 229.20p a share yesterday. I personally can’t help but feel that while must of the damage was avoidable, it was compounded by the fact the CEO just didn’t seem to care.
Where now for TalkTalk?
That depends. The story is already old news. A 15 year old boy has been arrested and bailed in connection with the attack. Now the story is starting to fall out of the mainsteam news. Once a story isn’t in the news, the anger most people feel will disappear. In 1991 when Gerald Ratner famously described his company’s products as “total crap”, customers decided to stay away from his shops, and his company nearly collapsed. Potential TalkTalk customers find themselves in the same situation. The future for TalkTalk therefore depends on whether potential customers remember this incident and whether they feel it to be a deciding factor. I’m going to speculate and suggest that it’s unlikely anything will change based on the fact that most people are lazy and apathetic when it comes to changing things such as bank accounts and Internet providers. If I’m right, that’s a shame, as nothing is as likely to drive a push for better information security than a major kicking in the bottom line.