“Customers have lost faith in TalkTalk as a trustworthy brand,” following the October breach of the broadband, TV and telecoms provider, according to Imran Choudhary, consumer insight director at Kantar Worldpanel, quoting his own company's research on the impact of the personal data loss.
Kantar reports that TalkTalk has lost some 250,000 customers since the breach and has seen its share of the home services market fall by 4.4 percent in terms of new customers. Choudhary adds, “there can be no doubt that it lost potential customers following the major data hack. If it's to recover from recent events TalkTalk will need to offer more than just good value.” Clearly data loss has become a brand-reliability issue.
And the woe continues: following the external breach, TalkTalk now has an insider problem at one of its suppliers, as police in India have arrested three employees of a call centre used by TalkTalk after an investigation into a series of phone scams.
The three were working in a call centre run by Indian outsourcing firm Wipro and were detained following a security review by TalkTalk, which then alerted Indian police.
In a statement regarding the arrests, TalkTalk said that it had been working with Wipro and the local police in Kolkata.
“Acting on information supplied by TalkTalk, the local Police have arrested three individuals who have breached our policies and the terms of our contract with Wipro. We are also reviewing our relationship with Wipro,” the statement read.
“We are determined to identify and deal effectively with these issues and we will continue to devote significant resource to keeping our customers' data safe. Data theft and scams are a growing issue affecting all businesses and they are notoriously difficult to investigate and prosecute. We are pleased that our investigations have yielded results, and will continue to do everything we can to tackle these crimes,” it added.
Wipro also issued a statement reiterating that it was “committed to maintaining the integrity and confidentiality of all customer data and has a zero tolerance policy on security breaches. Working with our customer, Wipro reported potential illegal activity to the relevant law enforcement authority in India, as soon as it came to the company's attention.”
Professor Mark Rodbert, CEO of idax, told SCMagazineUK.com that staff committing criminal acts with customers' data is nothing new. “Prevention is difficult, but better oversight as to who has access to what information can go a long way to protecting it,” he said.
Rodbert added that when TalkTalk was breached in October, the company was adamant that it was caused by external cyber-criminals.
“Following last year's hacks, this new case highlights a failure on TalkTalk's part to properly protect the internal. Enforcing the principle of least privilege is one of the most effective steps a company can take, ensuring no employee has access to more data than they need to complete their day-to-day role,” he said.
Péter Gyöngyösi, product manager at BalaBit, told SCMagazineUK.com that inside jobs are notoriously hard to protect against.
“Strict need-to-know access control and keeping a detailed audit log of who accessed what data are effective tools and are considered ‘basic hygiene’ in security. However, if the possible gains are high enough, these measures might not stop the attacker,” he said.
He added that there are many situations when need-to-know access control is not enough. “This case is a good example: most probably the sub-contractor that's suspected to be behind the breach needed to have access to most customer information to be able to do their job.”
He said that companies must not fool themselves into believing that the responsibility of keeping customer data secure can be truly and completely outsourced.
“Technological defences might be implemented by the sub-contractor, the legal liability might be transferred as well, but ultimately, it'll be the customer-facing company that'll have to take the blame for a data breach. Case in point: we are talking about a TalkTalk data breach and not a Wipro one,” said Gyöngyösi.
Orlando Scott-Cowley, cyber security strategist at Mimecast, told SCMagazineUK.com that security policies need to ensure there's “no easy way out for the data”.
“No mobile phones or USB sticks allowed in the call centre and DLP technology to detect ‘lazy exfiltration’ by email or Dropbox. Also if a call handler only needs to extract one record at a time from the database, what happens when they pull 10,000 at once? Do alarm bells ring?” he asked.
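As an added illustration of the two controls the quoted experts describe (a detailed audit log of who accessed what, and alarm bells when a handler pulls far more records than the job needs), the following detector is written for this page and is not code from TalkTalk, Wipro or any of the vendors quoted. It runs over constructed audit-log lines; the agent ids, the JSON log format and the thresholds (one record per query, no more than 20 records in any five-minute window) are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log (JSON lines): one entry per customer-record lookup by a
# call-centre agent, with the number of records the query returned.
SAMPLE_LOG = [
    '{"agent": "agent-17", "ts": "2016-01-12T09:00:05Z", "records": 1}',
    '{"agent": "agent-17", "ts": "2016-01-12T09:03:40Z", "records": 1}',
    '{"agent": "agent-17", "ts": "2016-01-12T09:07:12Z", "records": 1}',
    '{"agent": "agent-42", "ts": "2016-01-12T09:01:00Z", "records": 1}',
    '{"agent": "agent-42", "ts": "2016-01-12T09:01:30Z", "records": 10000}',
    'not json at all',  # malformed line; the parser must skip it, not crash
]
# Constructed burst: 25 one-record lookups in under three minutes. Each query is
# inside the per-query limit, so only the rate check can catch this pattern.
SAMPLE_LOG += [
    '{"agent": "agent-88", "ts": "2016-01-12T09:%02d:%02dZ", "records": 1}'
    % (10 + i // 10, (i % 10) * 6) for i in range(25)
]

def parse_log(lines):
    """Return (agent, timestamp, records) tuples sorted by time; skip bad lines."""
    events = []
    for line in lines:
        try:
            e = json.loads(line)
            ts = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((e["agent"], ts, int(e["records"])))
        except (ValueError, KeyError, TypeError):
            continue
    return sorted(events, key=lambda ev: ev[1])

def detect_bulk_access(events, max_per_query=1, window=timedelta(minutes=5),
                       max_in_window=20):
    """Map agent -> alert reasons. 'oversized_query': one query returned more rows
    than a handler needs; 'bulk_window': rows pulled in any sliding window exceed
    max_in_window, which also catches many small queries in quick succession."""
    alerts, history = defaultdict(set), defaultdict(list)
    for agent, ts, n in events:  # events are time-sorted, so each history is too
        if n > max_per_query:
            alerts[agent].add("oversized_query")
        history[agent].append((ts, n))
    for agent, hist in history.items():
        for i, (start, _) in enumerate(hist):
            total = sum(n for t, n in hist[i:] if t - start <= window)
            if total > max_in_window:
                alerts[agent].add("bulk_window")
                break
    return dict(alerts)
```

Agent-17's three spaced-out lookups raise nothing, agent-42's single 10,000-row query trips both checks, and agent-88's burst of one-row lookups is caught only by the sliding-window rate check.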