Author: David Buist
June 6, 2018
Harding blamed TalkTalk’s lack of action in decommissioning legacy systems for the devastating data breach back in October 2017.
“There was the IT equivalent of an old shed in a field that was covered in brambles,” she said. “All we saw was the brambles and not the open window.”
Harding told delegates that robust systems and honestly were central to protection against cyber attacks, and to minimise any damage to your reputation.
Harding also stood by the decision to alert its customers to the data breach last year, the same day it was discovered. This apparently went against advice from police who were trying to track the criminals responsible – who were trying to extort the company in exchange for the return of stolen data.
“Being armed with somebody’s bank account details doesn’t make it particularly easy to steal from them. Phoning somebody up pretending to be from TalkTalk, with their account details, makes it easy extremely easy to scam someone. So, the judgement we made as a business, 24 hours after we’d been attacked, was that the best way we could protect our customers was by warning them.”
“A lot of our customers were elderly and perhaps less tech-savvy, so we went through broadcast media as well. We consciously made the decision to go out there with both old-fashioned and modern social media to reach our customers.”
“Lots of people didn’t want us to do that. We found out Wednesday lunchtime, and on Thursday lunchtime we’d decided to go public with it. The Metropolitan Police strongly advised us that they would like us to give a few more days to catch the bad guys. We spent the afternoon discussing with, amongst others, the head of the Met’s hostage negotiation team.”
“Eventually I said ‘if you can promise me that there is at least a chance, a meaningful chance, that we can have this data back, without ever having to tell anybody, then we can have this conversation.”
Obviously this didn’t happen and so the decision was made to fess up.
Company boards need to take cyber-security seriously. Harding concluded that cyber-security should be as important as maintenance on an oil rig. Chief execs should get down in the trenches and spend time with the “young stars” of their security teams to learn about risk.