5 Lessons from the TalkTalk HackEncrypt All Customer Data, for Starters
See Also: Passwords Alone Aren't Enough
For starters, every organization should determine whether it has proper measures in place to avoid being breached by hackers like the four arrested so far by British police in connection with the TalkTalk breach. Three of the suspected attackers are age 16 or younger.
While TalkTalk initially warned that 4 million customers may have been affected, in a Nov. 6 "cyber attack update" it now reports that it believes that 157,000 individuals' personal information was accessed by attackers, including 16,000 bank and sort codes and 28,000 tokenized credit card numbers.
Here are five top lessons that CEOs, boards of directors and information security professionals alike can learn from this breach:
1. Come Clean Quickly
Kudos go to TalkTalk for coming clean quickly in the wake of its Oct. 21 breach. Indeed, it's a notable change from the November 2014 breach the company suffered, which it didn't disclose until February 2015. That breach resulted in scammers stealing customers' account and contact details, which they've used to successfully bilk some people out of up to Â£5,000 ($7,700) each. To date, however, TalkTalk has earned no plaudits for its refusal to compensate affected customers, arguing that they suffered no financial loss as a direct result of the attack - as opposed to falling victim to fraudsters. The U.K. Information Commissioner's Office, which enforces the country's data protection laws, is continuing to investigate.
2. Eliminate Well-Known Vulnerabilities
No organization should fall victim to easily preventable SQL injection attacks, such as the one that reportedly felled TalkTalk, which has so far declined to comment on that attack vector, citing the ongoing police investigation.
If reports on the nature of the attack are accurate, however, it means TalkTalk likely didn't have proper defenses in place - in the form of Web application firewalls - and likely didn't test to find and eliminate these SQL injection vulnerabilities.
"This type of vulnerability has been around for many years, yet is still proving to be one of the most effective ways for criminals to breach the security of a website," Dublin-based information security consultant Brian Honan tells me. "Companies need to ensure their Web applications are coded in a secure manner and that they are regularly tested for potential vulnerabilities."
3. Encrypt All PII
While TalkTalk did tokenize stored payment card numbers by removing the middle six digits, all other customer and bank account information was being stored in plaintext. With attackers seeking individuals' contact information for use in scams, security experts say businesses must encrypt every piece of personally identifiable information they store.
"The CEO for TalkTalk stated that some of the customer data was not encrypted because there was no legal obligation to do so," says Honan, who's also a cybersecurity adviser to the association of EU police agencies known as Europol. "This focus on compliance can often leave companies falling short of the goal of being secure."
4. Understand Breaches Will Be Costly
Boards of directors that fail to invest in a proper security program should be prepared for their company's value to plummet, or even to suffer bankruptcy, if there's a data breach.
In the wake of TalkTalk's breach, for example, U.K. legislators have been pillorying the company's security practices, begging the question of how long the brand name might endure. TalkTalk's stock has also become a favorite of short sellers, who expect its value to continue to decline in the wake of the breach, Financial Times reports.
"The biggest driver that I have seen come out of the TalkTalk breach is the 10 percent hit in the company's share price after news of the breach broke," Honan says. "This has a real-world impact on the company and will make cybersecurity an urgent item for the board to address."
5. Security Requires a Cultural Change
While legislators may attempt new legal remedies for the world's data breach epidemic, that won't magically resolve any of the challenges, Honan says. Instead, companies must change their culture - from the top down - to emphasize security.
"More laws will not prevent criminals from attacking websites and systems. Nor will more laws make companies necessarily more secure, particularly if the focus in those companies is on being compliant with laws and regulations," he says. "What is required is a cultural change by consumers, regulators, and governments to ensure companies take a risk-based approach to security."
To rephrase Honan's advice: Don't just talk about security after the fact. Instead get serious well before your organization is breached.