In the aftermath of the TalkTalk hack there was speculation over the possible involvement of terrorists, vast financial loss and an impending cybercrime tsunami from stolen personal data. There have been apocalyptic warnings from businesses, and the announcement of government enquiries alongside reports of customers already losing money or receiving fraudulent phone calls. Fear of cybercrime has gone through the roof.
Then a 15-year-old teenager from Northern Ireland was arrested and subsequently bailed in connection with the hack.
Whoever was behind it, TalkTalk has confirmed that although some personal information may have been stolen, full card numbers had not been compromised and much of the speculation has also turned out to be unfounded. Embarrassing questions have been asked of TalkTalk’s security people and their response, not least because TalkTalk has suffered cyber attacks twice this year alone.
It’s now possible to organise and operate businesses at a distance, in volume, and at great speed. However, this strength is also technology’s greatest weakness because it enables criminals to commit crime at a distance, in volume and at great speed. The internet has effectively democratised economic crime, as frauds previously committed only by those in powerful positions and with the skill to do so can now be carried out by practically everyone. As I have commented previously, why commit a high-risk robbery when you can commit millions of small low-risk thefts?
What actually happened?
TalkTalk was initially hit by a distributed denial of service (DDoS) attack, in which many, often hundreds of thousands, of compromised and remotely controlled machines flood a website with requests until it buckles under the load. This disruption was used as a smokescreen for the real attack, an SQL injection, in which deliberately crafted text is submitted through a web form or URL and passed, unchecked, into the queries that a website's back-end runs against its database. The injected text does not crash the database; it changes the meaning of the query, so the attacker can make it return rows it was never meant to expose and, at worst, dump the entire contents of the database.
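The mechanism described above, as an added example that is not part of the original article and has nothing to do with TalkTalk's actual systems: a constructed customer table in an in-memory SQLite database, a lookup that concatenates user input into its SQL (the injectable form), and the same lookup using a bound parameter, which treats the input as data rather than as part of the query. The table, its rows and the two payloads are all assumptions invented for the demonstration.

```python
import sqlite3


def make_db():
    """Build a constructed sample database; no real schema or customer data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers "
        "(id INTEGER PRIMARY KEY, email TEXT, name TEXT, partial_card TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, name, partial_card) VALUES (?, ?, ?)",
        [
            ("alice@example.com", "Alice", "**** 1234"),
            ("bob@example.com", "Bob", "**** 5678"),
            ("carol@example.com", "Carol", "**** 9012"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Injectable: the submitted text is spliced directly into the SQL string."""
    sql = (
        "SELECT email, name, partial_card FROM customers "
        "WHERE email = '" + email + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Hardened: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT email, name, partial_card FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed payloads. The first turns the WHERE clause into a tautology so
# every row matches; the second appends a UNION that reads the schema catalogue,
# with "--" commenting out the closing quote the application supplies.
PAYLOAD_ALL_ROWS = "' OR '1'='1"
PAYLOAD_SCHEMA = "x' UNION SELECT name, sql, '' FROM sqlite_master --"


def demo():
    conn = make_db()
    return {
        "legit_safe": lookup_safe(conn, "alice@example.com"),
        "inject_vulnerable": lookup_vulnerable(conn, PAYLOAD_ALL_ROWS),
        "inject_safe": lookup_safe(conn, PAYLOAD_ALL_ROWS),
        "schema_vulnerable": lookup_vulnerable(conn, PAYLOAD_SCHEMA),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

Against the concatenated query the first payload returns all three customers and the second returns the CREATE TABLE statement, which is how an attacker learns what other tables exist before extracting them. Against the bound-parameter query both payloads are looked up as literal e-mail addresses and match nothing.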
For the second act, the hacker allegedly demanded a ransom for the stolen data. The motivation in this case appeared to be money, but motivations do vary – for example, the Ashley Madison hack seemed to stem from a moral sense of revulsion at the firm’s extra-marital affair business model. Many other cyber attacks have been for intellectual stimulation or to demonstrate technical prowess.
What this illustrates is the two sides of business and customer vulnerabilities: the theft of the data and the means by which someone makes money from it. These are different activities and usually committed by different groups of criminals.
In truth, the criminal market for stolen data is only just becoming understood. But what is known is that stolen datasets are valuable as they can be sold for more than it costs to obtain them. In the TalkTalk attack, the suspected thief allegedly tried to sell the dataset back to the company for a ransom, but the main concern is that when or if customers’ personal data is subsequently sold or traded between criminals it can be used to steal money from them.
A major victim in this case is TalkTalk's reputation. The temporary closure of TalkTalk's website caused massive inconvenience to its users and financial loss to the company, and the uncertainty over what was taken, together with the prospect of customers suing, has added substantially to that cost. Will the TalkTalk attack go down in history as just a catalogue of disasters and a salutary warning not to cut corners in security, or does it simply highlight businesses' increasing vulnerability and the need for firms to step up their security game?
The other question is what to do with hackers, whatever age they may be. Judicial attitudes towards hackers in the US have been harsh and lacked the proportionality expected of sentencing. But for some, perhaps we should be identifying more constructive ways of using the talents of these people for the public good. A shortfall of cyber skills means that perhaps convicted hackers could be diverted to, for example, one of the government initiatives devised to help develop cyber-security skills.
If we fail to recognise their potential, bring them on board and make best use of their skills, then others in the criminal world will find them and do so instead.