Many people are quite upset that telecoms firm TalkTalk recently fell victim to a hacker who relieved it of hundreds of thousands of customers’ personal details. However I am, in a way, quite pleased. I’ve nothing against TalkTalk, for whom the whole episode has been highly unfortunate, and I have sympathy for those customers affected. But how events panned out afterwards actually provides crumbs of comfort.
The incredible media coverage the attack received is welcome. There can be few people in Britain who are unaware that TalkTalk had a problem. This is extraordinary, because TalkTalk is just the latest to fall victim to something that is going on all the time. In fact, just days later Vodafone admitted it had suffered a breach of its own.
The attack on TalkTalk was initially thought to have affected up to 1.2m customers, but this was later revised down to 150,000 – even if quarterly results show it cost the firm £35m. Compare this to the attack on the Sony PlayStation Network in 2011 that affected 70m user accounts, or the attack on Sony Pictures in 2014, which saw the contents of the entire corporate network dredged out in public for the world to see, or indeed any of the many other examples of organisations’ failure to secure themselves.
As governments, businesses and organisations of all sizes have computerised their information, such occurrences have become all too common. So it’s great that TalkTalk has been much talked about – we should have been talking about this problem a lot sooner.
I was also pleased that TalkTalk was so open about the attack. CEO Dido Harding appeared on television and radio, where she admitted the company’s errors and was astonishingly frank. I desperately want to commend this honesty, but the sad thing is that I’m not convinced it worked in her company’s favour. While she certainly gave the impression that TalkTalk cared and was apologetic, she appeared to have little more idea than anyone else of exactly what had happened or how, which did little to assure customers that the company knew what it was doing. Where were TalkTalk’s cyber-security experts? We were left wondering if it had any. Contrast this with the lower-key, albeit less significant, Vodafone incident a few days later: less fuss, less reporting.
Perhaps the most useful aspect is how far the event resonated with the general public. TalkTalk was forced to suspend some of its services temporarily, so ordinary customers, whether or not their own data was affected, became aware of what had happened.
No use waiting until the horse has bolted
TalkTalk is not the first and certainly won’t be the last organisation to suffer in this way. Nevertheless it seems to me that some just don’t get the message that they should take the security of their company information, and that of their customers, seriously until it’s too late.
Take for example the British government. In 2007, HM Revenue and Customs sent two CDs containing the unencrypted records of 25m child benefit claimants through the post, and they were lost. It’s never been clear whether this data fell into the wrong hands, but it was a loss of such magnitude that many credit it with helping to motivate the subsequent UK National Cyber Security Strategy.
Within just a few years it had been joined by many other losses of data from public sector organisations, either through hacks or through the sort of failure of basic information security that leads to unencrypted data being put in the post or left on USB memory sticks. Yet figures from the Information Commissioner’s Office this year show that things are little better. Let’s hope that TalkTalk is sufficiently embarrassed by its 15 minutes of infamy that it puts its house in order.
Experts were repeatedly asked by journalists: “What can we all do to make sure that our data is not exposed?” There is much general advice out there about basic good practice, such as using strong passwords, backing up critical data, and being wary of scams arriving in unexpected emails. It’s absolutely the case that we all need to grow a bit more savvy about cyber-security ourselves, but these answers miss the point – it’s companies that have to take security seriously.
The correct answer to the question of what customers can do is “almost nothing”. Once we submit important information to a third party, whether that’s personal details or bank account and credit card numbers, we are relatively powerless over what happens to that information. We have to trust them to guard our data, or else take our business elsewhere.
It is often said that the mainstream media simply reflects what the public wants to hear. If this is true then the extended discussion that has followed TalkTalk’s embarrassment is a positive thing. It has sent a resounding message to all organisations in whose care we have put our personal data that they will, inevitably, one day suffer a cyber-attack, and that when the dust settles we will hold them to account for their failures to defend what is ours. In the age of data, privacy and security matters.