So, is this what the future looks like? TalkTalk has responded promptly to a significant data breach, which may have led to 4 million sensitive customer records being stolen. The speed at which it told customers, the Information Commissioner and the media looks in line with the 24- or 72-hour deadline for breach notifications that is likely to be introduced under the new European Data Protection Regulation. Impressed? Don’t be. Here are 5 reasons why:
1. You don’t lose data through DDoS
Distributed denial of service (DDoS) attacks are a major nuisance for online business, but they are mostly carried out for political or pranking purposes. In this case, they could have been a smokescreen for a more targeted hack. If the criminals keep the IT department busy trying to maintain service and fight off rogue NoSQL injections, it improves their chances of sneaking in to steal customer data (or of exfiltrating it, if the hack has already taken place and just needs an opportunity to download files). If TalkTalk is blaming the loss on DDoS, it could be putting up its own smokescreen or, worse, is unaware of how the data breach really occurred.
2. You don’t leave sensitive data unencrypted
Encryption can be applied in many forms, but the most important thing is that it gets applied. TalkTalk appears not to have used what should be a standard technique to mask personal information, credit card and bank details so thieves just end up with an unreadable file. If this has not been done, then the company does not deserve the trust of its customers.
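As an added illustration of that point (example code written for this edit, not TalkTalk's or any vendor's code), the Go program below encrypts the financial fields of a customer record with AES-GCM before the record is stored, so that a stolen copy of the table holds only ciphertext. The record layout, field names and sample values are assumed for the example; the key is generated on the spot here, whereas in production it would come from a key-management service or HSM held apart from the database. The LeaksPlaintext function is the kind of check to run over a dump of the stored table.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
	"strings"
)

// CustomerRecord is a constructed example; the fields are hypothetical, not any operator's schema.
type CustomerRecord struct{ Name, CardNumber, SortCode, Account string }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one field with AES-GCM and returns base64(nonce || ciphertext || tag).
// A fresh random nonce per call means two equal plaintexts do not share a ciphertext.
func EncryptField(key []byte, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(plaintext), nil)), nil
}

// DecryptField reverses EncryptField. A wrong key or a tampered blob fails the
// GCM tag check and returns an error rather than garbage.
func DecryptField(key []byte, encoded string) (string, error) {
	sealed, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", fmt.Errorf("ciphertext too short (%d bytes)", len(sealed))
	}
	pt, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// applyToSensitive runs fn over the financial fields; Name stays in clear because lookups need it.
func applyToSensitive(r CustomerRecord, fn func(string) (string, error)) (CustomerRecord, error) {
	out := CustomerRecord{Name: r.Name}
	var err error
	if out.CardNumber, err = fn(r.CardNumber); err != nil {
		return out, err
	}
	if out.SortCode, err = fn(r.SortCode); err != nil {
		return out, err
	}
	out.Account, err = fn(r.Account)
	return out, err
}

// Protect runs before a record is written; Recover runs for a caller that legitimately holds the key.
func Protect(key []byte, r CustomerRecord) (CustomerRecord, error) {
	return applyToSensitive(r, func(s string) (string, error) { return EncryptField(key, s) })
}

func Recover(key []byte, s CustomerRecord) (CustomerRecord, error) {
	return applyToSensitive(s, func(c string) (string, error) { return DecryptField(key, c) })
}

// LeaksPlaintext is the check to run over a dump of the stored table: is any original value still visible?
func LeaksPlaintext(stored, original CustomerRecord) bool {
	return strings.Contains(stored.CardNumber, original.CardNumber) ||
		strings.Contains(stored.SortCode, original.SortCode) ||
		strings.Contains(stored.Account, original.Account)
}

func main() {
	key := make([]byte, 32) // production: fetched from a KMS or HSM, never stored beside the data
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	orig := CustomerRecord{"A N Other", "4929000000000000", "00-00-00", "00000000"} // constructed values
	stored, err := Protect(key, orig)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %+v\nleaks plaintext: %v\n", stored, LeaksPlaintext(stored, orig))
}
```

The caveat a practitioner would add: encryption at rest only turns a stolen table into an unreadable file if the key lives somewhere the thief did not also reach. A dump pulled through an injection flaw in the web tier is useless to them; an application server that holds the key in memory and decrypts on demand is a different matter, which is why the key should be fetched from a separate key-management service and decryption limited to the code paths that genuinely need the clear value.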
3. You don’t let it keep happening
This is the third data breach which TalkTalk has suffered this year. Although the previous two occurred in other parts of the business - one via a mobile sales site, the other via a third party - the repetition of successful attacks within 12 months suggests there is a problem in the information security culture at the company. Criminals may have identified a vulnerability which allows them to access customer data at will. The first breach should have triggered a review and changes in culture - the third should lead to heads rolling.
4. You don’t just rely on one type of data security
There are many different ways to keep data secure, and also to monitor whether it has remained safe. In this second area, a new generation of solutions is emerging which applies behavioural analytics to attempts to access critical data. Log-ins or downloads which are outside normal parameters, or which happen repeatedly from an unknown location, trigger alerts and stop access pending investigation. If a company with as many customers and as much sensitive information as TalkTalk has not brought its systems up to date, it is a sitting duck for criminals to shoot at.
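An added example, not from the original post or from any monitoring product, of the kind of rule such behavioural analytics applies. The events are assumed to have been parsed already from the access log, the per-user baselines and the thresholds are assumed values, and the sample events are constructed: an ordinary user, then a service account logged into repeatedly from a country it has never been used from, which then tries to export the whole customer table.

```go
package main

import (
	"fmt"
	"time"
)

// Event is one access attempt, assumed already parsed from the access log.
type Event struct {
	Time    time.Time
	User    string
	Action  string // "login" or "download"
	Country string // source country of a login
	Records int    // rows exported by a download
}

// Baseline is "normal" for one user: hard-coded here, learned from history in practice.
type Baseline struct {
	Countries      map[string]bool
	TypicalRecords int
}

// Alert means the account is suspended pending investigation.
type Alert struct{ User, Reason string }

// Thresholds are assumed values chosen for the example.
const (
	unknownLoginLimit  = 3
	unknownLoginWindow = 10 * time.Minute
	exportMultiplier   = 5
)

// Analyse replays events in order: a run of logins from an unknown country
// suspends the account, an export far above the user's usual size is flagged,
// and anything a suspended account tries afterwards is flagged too.
func Analyse(events []Event, baselines map[string]Baseline) []Alert {
	var alerts []Alert
	runStart := map[string]time.Time{} // start of the current run of unknown-country logins
	runLen := map[string]int{}
	blocked := map[string]bool{}
	for _, e := range events {
		b := baselines[e.User] // zero Baseline for an unknown user: nothing is "normal"
		if blocked[e.User] {
			alerts = append(alerts, Alert{e.User, e.Action + " attempted while access is suspended"})
			continue
		}
		switch e.Action {
		case "login":
			if b.Countries[e.Country] {
				continue
			}
			if runLen[e.User] == 0 || e.Time.Sub(runStart[e.User]) > unknownLoginWindow {
				runStart[e.User], runLen[e.User] = e.Time, 0 // earlier logins fell outside the window
			}
			runLen[e.User]++
			if runLen[e.User] >= unknownLoginLimit {
				blocked[e.User] = true
				alerts = append(alerts, Alert{e.User, fmt.Sprintf("%d logins from unknown country %s within %v",
					runLen[e.User], e.Country, unknownLoginWindow)})
			}
		case "download":
			if b.TypicalRecords > 0 && e.Records > exportMultiplier*b.TypicalRecords {
				alerts = append(alerts, Alert{e.User, fmt.Sprintf("export of %d records against a typical %d",
					e.Records, b.TypicalRecords)})
			}
		}
	}
	return alerts
}

// at builds a constructed timestamp m minutes after 22:00 UTC on the sample evening.
func at(m int) time.Time { return time.Date(2015, 10, 21, 22, m, 0, 0, time.UTC) }

// Constructed input: a normal user, then a service account used from an
// unknown country that goes on to pull the whole customer table.
var SampleEvents = []Event{
	{at(1), "jsmith", "login", "GB", 0},
	{at(2), "jsmith", "download", "", 250},
	{at(5), "svc_export", "login", "ZZ", 0},
	{at(6), "svc_export", "login", "ZZ", 0},
	{at(7), "svc_export", "login", "ZZ", 0},
	{at(8), "svc_export", "download", "", 4000000},
	{at(9), "jsmith", "download", "", 200000},
}

var SampleBaselines = map[string]Baseline{
	"jsmith":     {Countries: map[string]bool{"GB": true}, TypicalRecords: 300},
	"svc_export": {Countries: map[string]bool{"GB": true}, TypicalRecords: 500},
}

func main() {
	for _, a := range Analyse(SampleEvents, SampleBaselines) {
		fmt.Printf("%-10s %s\n", a.User, a.Reason)
	}
}
```

Run against the sample, the third unknown-country login suspends svc_export, its bulk export is then refused and reported, and jsmith's export is flagged on size alone even though the login looked normal. The two rules are deliberately independent: a thief who gets in with a valid credential from a familiar location is still caught by the volume check, which is the case the post's "downloads outside of normal parameters" refers to.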
5. You don’t just have the ICO to worry about
Much attention has been focused on the Regulation’s proposals to impose fines for data breaches of up to 5 per cent of global turnover. That threat will make investment in new data security processes and technologies seem more acceptable. But data controllers don’t have to wait for the ICO to be handed such new powers. If they already store payment card data, then they need to comply with the PCI data security standard, which can impose fines starting from €5 per compromised record. For TalkTalk, the fines it could be hit with start at €20 million - and are unlikely to end there.