There have been many incidents over the years of hacked organisations and personal details “spilled” across the internet. The very recent TalkTalk incident though I suspect will be TalkedTalked about (pardon the pun) for some time to come.
Notwithstanding this being their third such breach in a year according to the press, this one is significant to me for two reasons: 1) TalkTalk appear to be saying they do not know whether the critical customer data they held was stored encrypted, and 2) as possible proof of this, some customers are reporting attacks on their own bank accounts and having “money drained”.
I suspect there will be a number of IT Security specialists currently or previously employed by TalkTalk thinking a clear “I told you so”. Having been responsible for key IT Infrastructure & Security systems across a number of organisations, I know too well the “Risk versus Cost” game. I would surmise that TalkTalk have played this game, and have thoroughly and publicly lost. Lost may be too kind, it was more like they “had their arse handed to them”!
It is very likely that the black hat hacker(s) had to work hard to penetrate the external defences (well, I hope they did), but they must have thought good old Kris Kringle had visited early when they found the unencrypted at-rest data. It is unacceptable in this modern, eCommerce-led world to believe that encrypting critical stored data is not mandatory.
As an analogy of changing times, not so long ago we didn’t lock our front doors, but who would now leave their house, or indeed go to bed at night, with the front door unlocked? We have to be realistic that this is a cyber-led world now, and criminal profit is far more easily gained in bits and bytes than by breaking and entering.
TalkTalk may previously have been faced with a project funding decision in the millions when considering how to encrypt their at-rest data, and possibly took the risk rather than paying the cost. What is their view now, when the financial impact on their business will undoubtedly dwarf any implementation costs they were previously presented with? They will also now have to deliver an accelerated encryption solution if they want to stem the flow of business loss, and delivered under that pressure it will be an order of magnitude more costly.
Dido Harding, the current Chief Exec, is now telling the media that the situation is not as bad as first thought, as they don’t store full credit card numbers and customers’ TalkTalk My Account passwords have not been stolen.
IT Security specialists get a hard time in the industry, constantly lambasted for being blockers to progress in projects and for adding unnecessary costs. If anything good should come of this incident, it should hopefully be that business executives now heed the warnings in the multitude of reports and audits they receive, and make the necessary investment.
This investment is paramount, as they need to protect what are, for most organisations, their most precious assets: their customers.