TalkTalk profits hit by customer losses following cyber-attack

TalkTalk's CEO puts a brave face on the fallout from the cyber-attack in October but the profit figures and customer losses paint a different picture.

Not clear what steps TalkTalk has taken to address cyber-security
Not clear what steps TalkTalk has taken to address cyber-security

TalkTalk has lost 160,000 retail customers since it became the victim of a headline-grabbing cyber-attack in October, contributing to a 56 percent fall in pre-tax profit for the financial year.

Pre-tax profits for the 2016 financial year were £14 million compared to £32 million in FY15, the company said today when it published its preliminary results for the year to 31 March 2016.

According to company figures, its retail base was 3.3 million customers in September 2015, immediately prior to the October cyber-attack. On top of this it had 771,000 wholesale customers giving it a total of nearly 4.1 million customers.

In December 2015, the wholesale customer base had risen to 809,000, partially mitigating losses of 136,000 customers from the retail business. Three months later, the retail figure had fallen by a further 21,000, a loss offset by the growth in wholesale customers.

Figures from the company indicate that it reduced spending on sales and marketing by £49 million in FY16 compared to FY15 while increasing operating costs by £47 million.

Despite the losses, dividends were up 15 percent on last year.

Dido Harding, chief executive of TalkTalk, claimed the company “bounced back strongly in the final quarter following the cyber-attack in October”.

She said the company stabilised the broadband base as a result of its “honest approach” which was appreciated by customers. However, the company has been criticised by customers who claim that, despite the breach of security, TalkTalk would not allow them to terminate contracts early without financial penalties.  

Harding said TalkTalk would continue to position itself as a value-for-money service provider, but there was no mention in the financial report of what steps the company has taken or will take to improve its cyber-security.

Following the attack, TalkTalk did not go into details on how hackers accessed their systems. “We believed our systems were as secure as they could be,” said the firm. "As soon as we realised the website was under attack, we pulled the website down in an effort to protect data."

The company was roundly criticised for its security in October. For instance, it emerged that the company had been using a certificate for accounts.talktalk.co.uk that was signed with a SHA-1 signature rather than a more secure SHA-2 certificate.

 

A spokeswoman told SCMagazineUK.com that the company would not discuss details of its cyber-security programme but said the company had increased its direct spending on cyber-security by 30 percent in the three years leading up to the October hack.

However, it would be difficult to quantify the company's true investment in cyber-security, she said, because it is embedded in everything that the company does including procedures, equipment, software and staff training.

Following the breach, TalkTalk hired a cyber-security consultancy to analyse its operations. The spokeswoman said all of the recommendations have been addressed or will be acted upon soon.

Meanwhile, six British teenagers have been arrested and bailed following police investigations of the breach.

And TalkTalk's fall in fortunes has not surprised commentators in the cyber-security industry.

Andrew Avanessian, VP at Avecto: “All too often we see large scale, well-known organisations fail to address often basic security measures and unfortunately it often takes a breach of this scale to force their hand. Large organisations are often so focussed on compliance with data protection legislation that they mistake this for robust security.”

Cameron Ross, director of payments strategy at UK payment security technology firm Eckoh, adds: ”If hackers blow a hole in the security of your customer data, your customers will blow a hole in your profits. Data security is a boardroom issue. If it's not on the agenda, your risk management strategy is a colander."

Raj Samani, CTO EMEA at Intel Security, said, “The financial future of a corporation – or that of its customers – can hinge upon the security of the information stored, so it is crucial that the CFO, CEO and other executives take an active role in understanding the level of cyber-risk they're exposed to in order to establish a meaningful and effective cyber-security strategy.”

Richard Parris, CEO at Intercede, commented, “The industry must work together to ensure that security is embedded into the very fabric of the technology ecosystem, from the silicon chips that power our smartphones and connected cars, to the services and apps we use in our day-to-day lives.”

Meanwhile, Cable.co.uk telecoms expert Dan Howdle said: “TalkTalk suffered three major security breaches in 2015, something savvy customers should not easily forgive. That TalkTalk lost only three percent of its existing customer base, however, points to problems both with the switching process itself and with its public perception.

"Our own research shows that only around half of UK broadband customers have ever switched provider. The key factors a tend to be the financial cost of getting out of your contract  (TalkTalk allowed no one a free exit), and risk averseness – a feeling of 'better the devil you know'.

"Clearly the situation needs improvement. If a provider fails in its remit to protect its customers and their data there should be a free get-out clause. There isn't, and that has allowed TalkTalk to limit the damage the attack caused it.”

[Updated on 13 May to include comments from a TalkTalk spokeswoman].