I find it infuriating that some of the people who run these large companies still know little about the business they are running. You only have to look at how the UK is run by too many people with PPEs (Politics, Philosophy and Economics) from Oxford University to see how lazy and/or incompetent some of these people are.
For the second time we have seen TalkTalk in the headlines, yet again losing more customers' personal details. Yet again it is another of these experts who knows it all but practises none of it: TalkTalk's CEO, Baroness Dido Harding, can boast both a PPE and an MBA, and is the daughter of a Lord to boot. And, for her performance as head of one of the UK's largest internet service providers since 2010, she earned the not inconsiderable sum of £6,842,000 in 2014.
Harding's defence of the company since it admitted the latest cyber attack has been toe-curling; one would have expected better of someone who climbed the corporate greasy pole via marketing. First, when the press heard that the company's website and email had gone down on Wednesday afternoon, the company denied that anything was wrong.
When it did admit that something was very wrong, it did so late on Thursday, releasing the news at 10pm, just as Friday's newspapers were going to press. The cynic in me, and in many others, suspects the timing was chosen to suit the company rather than its customers.
“TalkTalk began to experience latency issues on its website on Wednesday. We took the website down as soon as it was clear there was unusual activity. We immediately began investigating what was happening, including working with external cyber security experts. Working through the night it became clear that TalkTalk had been the victim of a cyber attack and that customer data had potentially been accessed,” claimed a TalkTalk spokesperson in response to a series of questions posed by the media.
When CEO Harding appeared on television, rather than reassuring customers, it only seems to have raised their hackles, especially when the company blamed “cyber jihadis” who, apparently, demanded the peculiar sum of £80,000 in bitcoin as a ransom – what, exactly, they could ransom is unclear, seeing how the damage had already been done.
The company went on to reveal that it had been subject to a "sequential attack", when it presumably meant a SQL injection attack. Confusing the two is the kind of mistake an amateur makes, and it says a good deal about how well the people speaking for the company understood what had happened to it.
“This is an attack vector that has been known for more than a decade and it is still found in web applications around the globe. While it is possible for the error that enables such an attack to slip through a well-established application security program, they are fairly easy to prevent with the proper safeguards in place,” commented Wim Remes, EMEA manager of strategic services at security services company Rapid7.
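To make the "fairly easy to prevent" point concrete, here is an added illustration of the flaw and the safeguard. This is example code written for this post, not TalkTalk's code and not anything from the incident: the table, the customer rows and the payloads are all constructed, and the database is an in-memory SQLite instance. The vulnerable function splices the caller's input straight into the query text; the hardened one uses a parameterised query, which is the safeguard Remes is alluding to.

```python
import sqlite3

# Constructed sample data for the demonstration; not TalkTalk's schema or records.
SAMPLE_CUSTOMERS = [
    ("alice", "alice@example.com", "s3cret"),
    ("bob", "bob@example.com", "hunter2"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (username TEXT, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def find_customer_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the user-supplied value is spliced into the SQL text, so a quote
    in the input closes the string literal and whatever follows is parsed as SQL."""
    sql = "SELECT username, email FROM customer WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_customer_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: a parameterised query. The SQL text is fixed; the driver binds the
    value separately, so it is only ever compared as data, never parsed as syntax."""
    sql = "SELECT username, email FROM customer WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Two classic payloads. The first turns the WHERE clause into a tautology and returns
# every row; the second appends a UNION that pulls the password column into the
# result set, which is how "unusual activity" becomes exfiltrated customer data.
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT username, password FROM customer WHERE '1'='1"


def demo() -> dict:
    """Run a legitimate lookup and both payloads through each implementation."""
    conn = make_db()
    return {
        "legit_vulnerable": find_customer_vulnerable(conn, "alice"),
        "legit_safe": find_customer_safe(conn, "alice"),
        "tautology_vulnerable": sorted(find_customer_vulnerable(conn, TAUTOLOGY)),
        "tautology_safe": find_customer_safe(conn, TAUTOLOGY),
        "union_vulnerable": sorted(find_customer_vulnerable(conn, UNION_DUMP)),
        "union_safe": find_customer_safe(conn, UNION_DUMP),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:22} -> {rows}")
```

Both functions return the same single row for a genuine username. Fed the payloads, the vulnerable version hands back every customer and then every password, while the parameterised version returns nothing, because no customer is literally named `x' OR '1'='1`. Note that input "sanitising" or quote-escaping is not the fix; binding the value as a parameter is.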
Such was the nature of the TalkTalk cyber attack that even BCS, The Chartered Institute for IT (the British Computer Society, the UK's professional body for computing), was moved to comment, and it did not hold back from dishing out the criticism. "It is difficult to understand why, in the context of previous cyber attacks against the company, TalkTalk has found it necessary to admit that some of their sensitive customer data was not adequately encrypted. TalkTalk was clearly a high-profile target, as are all companies holding data on large numbers of consumers, so the board and IT leadership of the company must have been aware that they were at risk."
The BCS continued: "In modern IT systems it is easy to encrypt the data on the disks, in the database, in transit, and/or in the applications which use the data, some or all of which may be appropriate depending on the systems architecture and purpose for holding the data, meaning that nobody may read the data without the encryption key. Furthermore, it is equally easy to 'one-way hash' data so that while it may be used for comparison purposes such as checking the validity of a password or security response it may not actually be read by anyone. Quite simply, while the technological sophistication required may be beyond the resources of some small companies, there is no good reason why any large company with extensive IT resources like TalkTalk should not encrypt and protect customers' data."
Perhaps worst of all, though, is the fact that TalkTalk and its CEO knew that the company was a target. This is the third time in a year that the company has been successfully attacked and after each attack, the refrain from the company remains the same: "We take our customers' security very seriously", before claiming that it has "put in place additional security measures to prevent further attacks".
It is sad that Baroness Harding does not exactly inspire confidence as the leader of a predominantly technology-focused business. Even the Daily Mail observed, "The hapless Miss Harding, bumbling from studio to studio, was unable to explain how her company had been attacked, how long the attack had gone on for, what had been stolen and whether the computers and networks were now secure."
Today, any company that cannot keep its customers' data genuinely secure is not a company people want, or should be compelled, to do business with. And many customers, understandably, want out: some have demanded the right to terminate their contracts with TalkTalk so that they can get their broadband from a company with a better track record on security, i.e. anyone else.
The bottom line, though, is that all modern businesses of any size are substantially technology businesses, and any CEO who lacks at least a broad understanding of the technology issues involved in running their business is a potential liability.
So, as a director or proprietor of your own company, do you take your data security seriously? Have you had your website penetration tested? Are you PCI DSS compliant for your online payments?
We can provide full and safe penetration testing against today's threats, help you put right the issues it finds and ensure that your systems are properly patched. Contact James@accede-it.co.uk for more details.
High-profile cyber attacks in the UK damage our country, and we all need to take a stand and make improvements.