20 Dec 2016

The revelation that a teenager was responsible for causing a multi-million-pound data breach at TalkTalk sends a clear message to all businesses – failing to take a proactive approach to cyber security risks huge financial and reputational consequences.

The 17-year-old boy responsible for the data breach used legally available hacking software to identify TalkTalk’s vulnerabilities and told magistrates: ‘I was just showing off to my mates.’ TalkTalk’s website was targeted more than 14,000 times after the boy shared details of the security flaw online.

As revealed in the Information Commissioner’s Office’s (ICO) investigation of TalkTalk, the cyber attack could have been prevented if the company ‘had taken basic steps to protect customers’ information.’ As we reported in October, the unintentional nature of the breach proved to be no defence. The hacker used a common technique which TalkTalk had experienced twice that same year, leading to the finding by the ICO that it should have been more aware of the risks and acted to prevent them.

The teenager was given an £85 fine and a 12-month youth rehabilitation order which seems inconsequential compared to the losses TalkTalk has suffered, with reported costs of £60 million and more than 100,000 customers walking away.

Appropriate and effective security measures

Cyber crime has become more sophisticated and structured in recent years, but as this case proves, the criminals behind it can take all forms and use legally accessible tools, so should never be underestimated.

Any business is at risk of a cyber attack, so must treat it not as a question of if it happens, but when. To minimise this risk, it is essential that appropriate and effective security measures are in place to protect personal data.

Companies must proactively assess existing data security measures and identify and address any risks. This process requires a risk awareness culture. This can be achieved by implementing and updating effective data protection and fraud prevention policies. The processes and procedures within these policies should tie into the organisation’s HR policies, including regular awareness training for all staff on key issues such as the dos and don’ts of big data usage and compliance.

HR must also regularly report to management to ensure ongoing compliance and effective monitoring, particularly to ensure that a strong message is sent from the top down. This reporting should be supported by a robust crisis response strategy, which is ready to action in the event of a cyber attack.

Supply chain security

TalkTalk has come under increasing scrutiny by regulators and the media since its data breach. For example, the BBC has recently presented the company with evidence that many of its customers’ router credentials have been hacked, putting them at risk of data theft.

As well as leading to further criticism about TalkTalk’s complacency regarding data security, this underlines another important issue. Businesses must also assess their suppliers to check that they have appropriate measures in place to protect data, and if required, control access.

If information gets into the wrong hands, like any valuable asset it can be exploited in many ways, including fraudulent activity.

Financial penalties and the GDPR

Companies that fail to protect themselves could face financial penalties, which will soon be higher under the General Data Protection Regulation (GDPR) that comes into force in all EU Member States in May 2018. Despite Brexit, UK data protection legislation seems likely to remain the same or mirror the GDPR, so will still need to be complied with.

The GDPR will give national regulators the power to impose fines of up to €20 million or 4% of annual worldwide turnover and there will be more onerous obligations imposed on businesses.

For example, businesses in all sectors will have to report a serious data breach within 72 hours – currently it can be years before these are uncovered as highlighted by Yahoo, which has just admitted that data from more than 1bn user accounts was compromised in 2013.

Meeting these additional obligations will require effective reporting structures between internal stakeholders such as IT departments, legal and management teams.

2016 – a memorable year (for all the wrong reasons!)

2016 has been a year where hacking stories and data leaks have become all too familiar. From TalkTalk through to the US presidential campaign and most recently Yahoo, the breaches are vast and the impact widespread regardless of the size or scope.

It’s clear that no business or individual is immune to a cyber threat. Whether the cyber criminal is a teenager or a sophisticated gang, without a proactive stance to cyber security, the outcome is likely to be the same – commercial and reputational damage that will be difficult, if not impossible, to undo.