Is your data safe?

Following the cyber-attack launched against telecommunications firm TalkTalk in October, agendaNi asks how safe customer data is in the digital age.

In late October telecommunications firm TalkTalk was hit by what police described as a “significant and sustained cyber-attack.” The phone and broadband provider, which has over four million UK customers, said banking details and personal information could have been accessed, and confirmed that some of the data was not encrypted. According to the company, the data accessed may have included customers’:

•   names and addresses;

•   dates of birth;

•   email addresses;

•   telephone numbers;

•   TalkTalk account information;

•   credit card and bank details.

A subsequent investigation revealed that the personal details of 157,000 customers had been accessed and that more than 15,600 bank account numbers and sort codes were stolen. The company’s website was also believed to have been hit by a distributed denial of service (DDoS) attack, in which a site is flooded with traffic so intense that it cannot cope. It is thought that the DDoS was a means of distracting TalkTalk’s defence team while the attackers accessed customer data stored in UK data centres.

This was the third cyber-attack to hit TalkTalk in the past 12 months, and the company has been criticised by security experts for letting down its customers by reacting slowly and failing to encrypt the data. After an earlier breach, customers were targeted by scam calls originating in India; two months later they faced further scams, despite TalkTalk describing the information stolen in that breach as “limited” and “non-sensitive.” The latest attack happened on a Wednesday and the police were informed the same day, but it was Thursday afternoon before the company alerted the UK’s data protection watchdog.

The Information Commissioner’s Office can impose monetary penalties for data breaches, capped at £500,000, as well as enforcement notices. There is no specific requirement for firms to encrypt data, but a larger penalty could follow if the watchdog concludes that TalkTalk acted negligently by failing to keep people’s data secure. For security experts, TalkTalk’s admission that some of its customers’ data was not encrypted was the most surprising aspect of the whole debacle.

Speaking about the lack of encryption, Greg Aligiannis, senior director of security at Echoworx, said that this “blasé” approach to encrypting customer data was the most concerning revelation to emerge from the incident. “Security of sensitive information must be considered a priority by everyone, especially when the life histories of potentially millions of customers are at risk.”

The law on the level and type of security that companies must apply to customer data can be vague. Companies are not obliged to use state-of-the-art technology, but they are required to have security appropriate to the type of data they hold and the harm that could result from its loss.
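As an added illustration (not code from the article, nor TalkTalk’s own) of what “security appropriate to the type of data” can mean for the bank and card details in the list above, the Python below encrypts those fields before a customer record is written to the database and then checks what a dumped row reveals. It uses only the standard library, building a stream cipher from HMAC-SHA256 in counter mode with a separate HMAC-SHA256 tag (encrypt-then-MAC); a production system would use AES-GCM from a vetted library and hold the master key in a KMS or HSM rather than alongside the data. The field names, the sample record and the demo key are all constructed for the example.

```python
"""Field-level encryption of sensitive customer fields before storage.

Added example, not TalkTalk's code. Standard library only: HMAC-SHA256 in
counter mode supplies the keystream and a second HMAC-SHA256 authenticates
nonce || ciphertext (encrypt-then-MAC). Use AES-GCM from a vetted library
and a KMS/HSM-held key in a real deployment.
"""
import hashlib
import hmac
import json
import os

# Fields from the breach notification that are most damaging if stolen.
SENSITIVE_FIELDS = ("account_number", "sort_code", "card_number")
NONCE_LEN = 16
TAG_LEN = 32

# Constructed for the example; in production fetched from a KMS/HSM.
DEMO_MASTER_KEY = os.urandom(32)


def derive_subkeys(master_key):
    """Separate encryption and MAC keys derived from one master key."""
    enc_key = hmac.new(master_key, b"field-encryption", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"field-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    """Concatenate HMAC(enc_key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def encrypt_field(master_key, plaintext):
    """Return hex(nonce || ciphertext || tag) for one field value."""
    enc_key, mac_key = derive_subkeys(master_key)
    nonce = os.urandom(NONCE_LEN)
    pt = plaintext.encode("utf-8")
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()


def decrypt_field(master_key, token):
    """Verify the tag first, then decrypt; raise on tampering or a wrong key."""
    blob = bytes.fromhex(token)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_subkeys(master_key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: tampered ciphertext or wrong key")
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return pt.decode("utf-8")


def protect_record(master_key, record):
    """Copy of the record with every sensitive field encrypted; other fields untouched."""
    stored = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in stored:
            stored[field] = encrypt_field(master_key, stored[field])
    return stored


def reveal_record(master_key, stored):
    """Inverse of protect_record, for the few code paths that need the real values."""
    record = dict(stored)
    for field in SENSITIVE_FIELDS:
        if field in record:
            record[field] = decrypt_field(master_key, record[field])
    return record


def leaked_fields(stored, original):
    """Sensitive fields whose plaintext appears verbatim in a dumped row."""
    dump = json.dumps(stored)
    return [f for f in SENSITIVE_FIELDS if f in original and original[f] in dump]


# Constructed sample customer record (not real data).
SAMPLE_RECORD = {
    "name": "A. Customer",
    "email": "a.customer@example.com",
    "account_number": "12345678",
    "sort_code": "40-47-84",
    "card_number": "4111111111111111",
}

if __name__ == "__main__":
    stored = protect_record(DEMO_MASTER_KEY, SAMPLE_RECORD)
    print("unencrypted row leaks:", leaked_fields(SAMPLE_RECORD, SAMPLE_RECORD))
    print("encrypted row leaks:  ", leaked_fields(stored, SAMPLE_RECORD))
    print("round trip ok:", reveal_record(DEMO_MASTER_KEY, stored) == SAMPLE_RECORD)
```

The design choice worth noting is that only the fields whose theft causes direct financial harm are encrypted, which keeps the rest of the row queryable while ensuring that a copied database (or a SQL dump pulled out during a distraction such as the DDoS described above) yields tokens rather than account numbers; the tag check also means an attacker who can write to the database cannot silently swap one customer’s bank details for another’s without the key.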

Ultimately, while it is impossible to say whether such a breach could have been prevented, this one-off attack is estimated to cost TalkTalk up to £35 million, considerably more than encrypting the data would have cost.
