
Member Article

Lessons to be learnt from TalkTalk data breach

This week TalkTalk, the communications provider, have finally admitted to a damaging data breach which has led to thousands of sensitive customer records being exposed to criminals. The breach was first suspected three months ago, when an increase in complaints was reported from genuine customers who had received bogus TalkTalk calls. In these calls the thieves posed as TalkTalk staff and attempted (successfully in some cases) to extract bank account details during the course of a conversation aimed at resolving a “serious security lapse”.

The approach TalkTalk took when suspicions were raised over 4 months ago was to dismiss the possibility that a breach was happening and then to pass responsibility off to a supplier, saying that the breach had happened on the supplier's watch, clearly washing their hands of any responsibility in the matter.

Time has passed, complaints have escalated, and TalkTalk have finally admitted that their customers have indeed suffered a breach of their sensitive customer details. This sorry tale is a textbook example of how an organisation should not respond to a suspected breach.

A number of points spring to mind here:

1. TalkTalk own the customer relationship, and if they decide to have a supplier fulfil an element of the customer journey, that should not change this fact. We outsource responsibility, not accountability.

2. Regardless of whether TalkTalk had effective security policies in place, the fact that a customer or a number of customers had raised a suspicion should have resulted in an immediate investigation, using digital forensic techniques at the supplier site.

3. Customers should have been informed of this investigation in advance: what steps would be taken, the timelines and communication points, and, where possible, when to expect a resolution. TalkTalk should also have attempted to re-secure the customers' security credentials and perhaps offered a credit vetting subscription service to monitor the potential impact of this breach.

4. TalkTalk have now informed the ICO; the proposed EU law change (mentioned in a previous post) will likely force them to do this within 24 hours. The ICO will take account of how TalkTalk dealt with the initial stages of this breach in deciding what action to take.

5. A review of the evidence collected from the forensics work should inform a complete review of policy, so that the security lessons are learnt for the future. In particular, this should include ongoing continuous network monitoring, extending to the networks of those suppliers who handle data on TalkTalk's behalf.

The steps outlined here are not exhaustive, but they aim to highlight the key points that would have seen TalkTalk come out of this breach as stars; as it is, it is likely that some customers will vote themselves out of this particular show!

This was posted in Bdaily's Members' News section by Dave Lloyd.
