On 21 October 2015, TalkTalk became aware of a major security breach. Over the following days and weeks, the severity and magnitude of that breach filled the headlines of the British and international newspapers. More than 150,000 users saw their personal information leaked. Of those, more than 15,000 users saw their bank account details compromised.
“failed to apply software patches to a database, fixing a known exposure that had been identified more than 3.5 years prior to the breach.”
The next day, TalkTalk informed the Information Commissioner's Office of the data breach. The TalkTalk data breach has cost about £60m and contributed to the loss of over 100,000 customers. The police are still questioning 6 individuals (all under 21 years of age) in relation to the crime.
The ICO Investigation into the TalkTalk data breach
Now TalkTalk is back in the headlines as the ICO issues a record-breaking fine of £400,000, due to security failings that allowed a cyber attacker to access customer data “with ease”. The ICO investigation found that the attack could have been prevented if TalkTalk had taken basic steps to protect customers’ information. Worryingly, TalkTalk failed to apply software patches that would have fixed a known exposure, one that had been identified more than 3.5 years prior to the breach. The report also highlights that there were two additional attacks 12 weeks before the October breach which had not been detected.
Elizabeth Denham, the ICO Commissioner, said: ‘Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers’.
The new BSI Cyber Resilient Guidelines
On a positive note, the British Standards Institute has released for public comment new guidance for developing a cyber resilient organisation. If followed, it will help to ensure that Boards have cyber security on their agenda. Risk Evolves has been a member of the committee that has been working to build this new guidance. The guidance is relevant and appropriate to all organisations regardless of sector or size, and we would encourage you to review and comment on it.
Lessons from the TalkTalk data breach
At Risk Evolves we have long believed that cyber security is much more than an IT problem; preventing incidents requires the skills and leadership of the entire organisation and its supply chain. It must be a high agenda item for the directors of organisations, and have as much focus as Sales, Revenue and Profit in meetings. As we mentioned in our last blog, new legislation from the EU, the General Data Protection Regulation (EU GDPR), will come into force in May 2018. I am sure that TalkTalk will take little comfort from the knowledge that the fines ‘could have been worse’.
As we all know, prevention is far better than cure. Taking simple steps to reduce the risk of a breach will stop your organisation hitting the headlines, losing its customer base, incurring massive costs to resolve the incident, or being fined by the ICO. It doesn’t cost £1,000s to implement.
Want to know how protected your business is from a cyber security attack? Then take our free, no obligation cyber health survey now.