Every year, there are a few data breaches that security experts cite to show how organizations should respond in the wake of suffering a hack attack. And then there are organizations such as U.K. telecom giant TalkTalk, which this year has become the embodiment of what not to do after being breached.
To date, five people - four of them teenagers - have been arrested in connection with the data breach involving TalkTalk (see TalkTalk Hack: UK Police Bust Teenage Suspect). The company says it now believes that 157,000 individuals' personal information was accessed by attackers, including 16,000 bank and sort codes and 28,000 tokenized credit card numbers (see 5 Lessons from the TalkTalk Hack).
"Like watching a car crash in slow motion."
On Nov. 24, the London Metropolitan Police Service's Cyber Crime Unit and Welsh police arrested the fifth suspect, an 18-year-old man who they have not named, on suspicion of blackmail, in in Llanelli, Wales. He was released on bail Nov. 25 and is scheduled to return to court in March 2016, authorities say, noting that the related investigation remains ongoing.
Here are five lessons based on what's known to date about this hack attack:
1. Expect to be Breached
TalkTalk's apparent confusion in the wake of its Oct. 21 breach - the third it suffered in a year - demonstrates the importance of developing a data breach incident response plan well in advance, says Paul Keane, European operations manager at identity management and breach-response firm IDT911, speaking at the recent Irish Cyber Crime Conference in Dublin. He makes ample reference to the apparent lack of forward planning at TalkTalk and subsequent breach-response missteps, which he says is "like watching a car crash in slow motion."
For starters, many security experts have remarked about the apparent unease in front of the camera displayed by CEO Diana Mary "Dido" Harding, who to her credit has been conducting a number of mea culpa interviews. But they said it begs the question of whether the company should invest in more media training for its executives.
The lack of media savvy extends to one interview in particular with Harding, in which eagle-eyed observers spotted that she was sitting in front of a PC running Windows Millennium Edition, a.k.a. Windows ME, which was released in 2000.
"We don't know why we got hacked," Keane deadpanned at the conference. Although in the spirit of full disclosure, he added that the interview appeared to have taken place in a BBC studio.
2. Talk the Tech Talk
In the wake of the breach, Harding was also criticized for reporting that her firm had suffered a "sequential attack," by which she appeared to mean a SQL - often pronounced "sequel" - injection attack.
Misspeaking a technical term isn't uncommon. But the deeper issue is that TalkTalk, which reported 2014 gross revenue of Â£1.7 billion ($2.65 billion), apparently failed to invest enough in its information security employees and technology to eradicate what security experts say is a very basic and preventable flaw.
In security circles at least, awareness of the severity of SQL injection attacks is also widespread. The Open Web Application Security Project, for example, currently lists it as the most dangerous Web application flaw, and also details how to find and correct such vulnerabilities.
3. Understand Security
After the breach, TalkTalk's spokespeople were initially unable to definitively answer whether the stolen customer data had been encrypted (see Why 'Cryptophobia' Is Unjustified). Likewise in early interviews, Harding also didn't appear to know if her firm was encrypting customers' stored data, although the company eventually said that stored payment card numbers were in fact being tokenized by removing some of the middle numbers.
4. Use Encryption
In an apparent attempt to deflect criticism over its failure to encrypt all customer data, Harding later told the U.K.'s Sunday Times that under the U.K.'s 1998 Data Protection Act, TalkTalk was "not legally required" to encrypt customer data.
Harding also claimed in an interview with the Guardian that relatively speaking, TalkTalk's security was actually quite good. "Nobody is perfect. God knows, we've just demonstrated that our website security wasn't perfect - I'm not going to pretend it is - but we take it incredibly seriously," she said, before adding: "We are head and shoulders better than some of our competitors and some of the media bodies that were throwing those particular stones."
5. Treat All Customer Data as Valuable
Consumer-protection laws are arguably lagging when it comes to customer data protection, since criminals today can profit from just about any type of customer data, even if it's not payment card account number or Social Security numbers. "The information accessed or stolen in the TalkTalk breach contains enough detail for it to be valuable for resale in online underground marketplaces and also for it to be useful in perpetrating secondary attacks, either against the individuals impacted or against financial institutions for the purposes of fraud," according to Rik Ferguson, vice president of security research for security vendor Trend Micro.
To date, however, no U.K. lawmakers have introduced legislation that would mandate the use of encryption for storing all customer data (see TalkTalk Breach Fuels Call for Tougher UK Laws). But according to information security expert Brian Honan, encryption is a must for companies that want to actually be secure, rather than just say that they comply with data protection regulations.
The takeaway is that savvy executives, rather than waiting to apologize for being breached on account of their poor security processes, procedures and awareness, will do something about that in advance, so that they can instead remain focused on attracting and retaining customers and better turning a profit.