“Don't delegate security – it's a board issue and a business issue,” was one of the key messages that Dido Harding, chief executive of TalkTalk, said she would share with other business leaders during her appearance before a House of Commons Select Committee on Cyber Security: Protection of Personal Data Online this morning.
She noted how it was necessary to operate in the cyber-world for modern business, but that this was not without risk.
“It's a risk you must take,” she said. “The business risk has increased [due to hackers, but security decisions] should be taken at a business level and in some places it's wrongly taken at a technical level.” Harding also revealed that she had personally taken the lead role chairing the incident response team.
Her second piece of advice was, “Being open and honest with customers is the right answer. It was absolutely the right thing to warn all four million customers and over time we are seeing the benefits.”
Harding was a lot more sure-footed and convincing under parliamentary questioning than she had appeared in front of the media when the breach first became public; nonetheless, she did face tough questioning.
When TalkTalk was characterised as a company particularly vulnerable to cyber-attack, having been subject to data breaches three times in the past couple of years, Harding responded that she didn't think TalkTalk was unique or unusual, arguing that only one of the breaches was a cyber-security issue.
Parliamentarians challenged Harding to apologise for the company's shoddy treatment of customers: failing to inform them quickly enough that their data had been compromised, failing to compensate customers for losses where insurance companies were saying TalkTalk had been negligent, and refusing to let customers break their contract.
Harding said that she would not “apologise for how we've acted,” saying: “We met all legal and ICO compliance, but retrospectively would have done it [informed customers] quicker. We are the only telecoms company to have written proactively to our customers, but not the only one to have been hit by these scammers. Go to www.pastebin.com – you will find consumer personal data on virtually any brand.” Also, it was pointed out that customers can leave their contract at any time “with consequences to that”.
Harding rejected the idea that compensation claims were valid, saying she was “not aware of anyone who has directly lost money as a direct consequence of the attack. Any who have suffered direct financial loss should get in direct contact. We wish to deal with [them] on a case-by-case basis.”
She added, “The Telecoms Ombudsman is there to adjudicate, and customers not getting fair redress from their insurance company, bank, or telco, should go there.”
Harding suggested that compromised data could have come from other sources. “We don't know what, of our personal data, could have been stolen from somewhere else. Every company is being targeted by cyber-criminals every day... [but] only telecoms companies are obliged to report a data breach to the ICO.”
While there is an ICO obligation to report a breach if it will adversely affect customers, the requirement to inform customers is much vaguer, with the regulations simply saying: “Companies ‘may’ find it helpful to inform customers,” leaving it very much up to companies to make their own judgement as to how and when.
Harding agreed that customer protection is weak, saying it would be better for both companies and consumers to make that requirement clearer. But she added that TalkTalk had informed all its four million customers, and offered free credit monitoring, even though less than four percent, some 157,000 customers, had actually been affected.
When the attack was characterised as a simple DDoS attack and SQL injection, Harding responded that she couldn't go into detail about the root cause of the attack because it was the subject of a live investigation. But when pressed, she commented: “We defend against cyber-attacks every day, so it wasn't a standard attack – it didn't get into our call systems, only the web site. We identified the vulnerability and fixed it.”
As to whether better encryption would have helped, Harding noted there is a “temptation to assume encryption is a silver bullet. For some data, encryption is not a high enough standard.” TalkTalk tokenised its credit card data and so it was not stolen, none of the usernames and passwords were stolen and the data which was taken would not allow theft on its own, though it could be used to set up a credit card.
Harding declined to disclose TalkTalk's cyber-security expenditure but said she believed it was appropriate to the size of a company with £1.8 billion revenue, that it had increased security spend in the past year and will ‘definitely’ do so again next year. It had already been reported to shareholders that the estimated cost of the attack and remediation was £33 million.
Asked whether TalkTalk had implemented the Cyber Essentials programme, Harding said the company did focus on the ten steps and had a robust cyber-security plan which she believed would be shown to be compliant, with accreditation underway now.
As to whether Cyber Essentials was enough, Harding commented: “In the cyber field, what counts as appropriate action is still being worked out... We can only take all appropriate action. As a society, we are less clear what the minimum requirements are [compared to the physical world]. The rate of cyber-crime is accelerating. In the digital world, all criminals have access to the equivalent of a Kalashnikov and an atom bomb.”
It was also agreed that sharing of information, such as briefing other telcos, would be beneficial, and while there is TISAC (Telecoms Industry Security Advisory Council), Harding also welcomed the call by GCHQ and the Chancellor for the establishment of a one-stop cyber-security hub, given that the issues are not just telecoms issues and there is currently no mechanism for sharing between different industries.
And as far as competitive advantage was concerned, Harding suggested that in a security context sharing data is entirely possible as, “No one wants to benefit from a crime brought on a competitor.”