TalkTalk Attack: The Significance of Data Protection
As you will have undoubtedly heard in the news, TalkTalk have revealed that during a ‘Denial of Service Attack’ on the 21st of October, their customer database was infiltrated.
Additionally, they stated: “There is a chance that some of the following data has been compromised: names, addresses, date of birth, phone numbers, email addresses, TalkTalk account information, credit card details and/or bank details”.
There are a lot of things we could talk about here, but I’m going to focus on two:
1) Encryption, encryption, encryption
It’s now known that some of the stolen data was not encrypted…
Those of you who take credit card payments will probably recognise the section of the Data Protection Act below:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
Thanks to the very outdated nature of this particular act, this could mean that you can keep all customer info engraved on stone tablets, in a vault in the basement, or behind a door that says “Beware of the Leopard”.
However, in practice it means that all Personally Identifiable Information (PII) that you hold on customers should be kept on secure servers, in secure applications, and protected from unauthorised access (whether by outside attackers or by employees).
It doesn’t explicitly mention encryption, and whilst TalkTalk admit to and have apologised for certain failings in their IT security, that omission has formed part of their defence: that the company was “under no legal obligation to encrypt customers' sensitive data”.
The thing is, most systems like this are servers kept in locked rooms with CCTV surveillance, running fully patched, password-protected software, with the data encrypted by a reputable product.
The Data Protection Act was created in 1998 and doesn’t even begin to cover the impact of today’s mobile world. For instance, how much customer PII or other confidential information have you got on your laptop or mobile phone?
How much of your own confidential information are you carrying around with you, effectively in plain text, for anyone to see if they get their hands on your device?
Most recent phones have the option to enable full device encryption, and many have it enabled by default. With PCs you have the option of using Microsoft’s BitLocker, or a third-party solution like Sophos SafeGuard.
Whether there is a legal requirement to encrypt your customers’ data or not, it really is something you can’t afford to ignore.
For more details about the importance of encryption take a look at this blog by our National Technical Director Paul Burns – “What’s the Big Deal About Encryption?”
2) Putting the customer first
Of course, what often gets overlooked in this type of situation (whilst everyone is pointing to the technology, or lack thereof) is the direct impact on customers. The fact is, TalkTalk will have a lot of work to do to build back trust and repair a hefty amount of reputational damage.
How have they handled things so far?
A friend of a friend (a TalkTalk customer) has spoken about his disappointment on social media.
Among the communications received from TalkTalk, one in particular stuck out:
“As a gesture of goodwill, if any money is taken from your account, we will waive termination fees.”
So basically, TalkTalk will let you leave them mid-contract without invoking the usual penalty... but only if you have some money stolen from your account first.
He said the fact they were only waiving their fee “if you suffered actual, provable loss, and not just because they patently can’t be trusted with the safety of your information, is just plain insulting.”
Sophos talk about the importance of getting things right for the customer, and about what the customer actually hears when people say things like “The vast majority of customers were not affected”, in this article – “What you sound like after a data breach”. It's a humorous take on a very serious subject, and well worth a read.
There are lots of challenges today when it comes to protecting our business from cyber crime. And it’s not just the big corporates who are being targeted. This report by Symantec found that three out of every five cyber attacks last year targeted small and midsize businesses.
The key is to not ignore IT security or bury your head in the sand, hoping you’ll be OK. At the very least you need to understand the threats to your data, and how they might impact your business.