twitter facebook rss

TalkTalk’s Failure over Incident Response

Posted by on October 29, 2015.

Dido Harding, CEO at TalkTalk

Dido Harding, CEO at TalkTalk

TalkTalk’s incident response has been an unmitigated disaster.

Let’s look at some of the facts…

CEO Dido Harding told the Sunday Times (after earlier admitting that she did not know if the stolen data had been encrypted), “[Our data] wasn’t encrypted, nor are you legally required to encrypt it.” That is incredibly crass. It implies that only the legal minimum security was in place without any consideration for the customers.

And in reality there is further evidence to support this. Robert Schifreen took a look at the TalkTalk code used on its website. He comments,

If you take a look at the TalkTalk web site, and choose the View Source option on just about any page, it’s a tangled mess containing links to literally dozens of additional css and Javascript files. If the front end code is that bad, I suspect that the back-end stuff (which visitors don’t normally see) isn’t particularly neat either.
On SQL Injection

His point is that messy code can easily hide SQLi flaws – and it does indeed seem as if this was the hacker’s or hackers’ entry point. But there’s more. Ilia Kolochenko’s High-Tech Bridge firm offers a remote SSL/TLS PCI and NIST checking service. He ran it against the TalkTalk site – and surprise, surprise… TalkTalk is neither PCI nor NIST compliant.

noddleThe serious implication from this is that TalkTalk’s customers rank very low in their concerns. This is further confirmed by their choice of Noddle to provide free credit checking for impacted customers. Thing is, Noddle offers a free service anyway.

Needless to say, there has been a crisis of confidence within TalkTalk’s customers. At first the company effectively said, tough, you are bound by contract and you can’t leave without paying the penalty fee. In other words, we are not legally required to safeguard your data, but you are legally required to leave that data with us. It has modified this slightly to say that if you lose money because of this hack, and can prove that nothing else was partly the cause of the loss, then we will consider letting you leave.

So, just as an example, if you are spear-phished through social engineering by way of the personal data lost by TalkTalk, that’s your fault and not theirs. So you’ll have to pay up if you want to leave.

I could go on, but I think I’ve made the point. TalkTalk either had no incident response plan in place, or had a ridiculously ineffective plan. Harding herself said that hacks can happen to anyone – and indeed this is not the first time it has happened to TalkTalk. Then why did it not have a plan in place for what all security experts consider is inevitable?

History tells us that customers are remarkably forgiving, especially if you are upfront and on their side. TalkTalk has demonstrated neither of these qualities. There is a distinct possibility that the brand is now toxic. A well-thought and delivered incident response plan could have prevented this. If your company doesn’t have a plan, here’s a starter guide.

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: Expert Views, Kevin Townsend's opinions, News, News_hacks | Tags: