26
Oct

TalkTalk starts a national conversation on Cyber Security

cyber-security
Cyber security is a topic that is always on the agenda at Borough IT, however until recently it has failed to grip the national consciousness.  The ongoing debacle at TalkTalk has changed all that – exposing the vulnerability of a major communications firm in allowing hackers to make off with the personal data (including bank details) of over four million UK customers.

It is not the first time that TalkTalk has raised questions over the security of customer’ data, but the scale of the latest breach has made the headlines and given everyone cause to sit up and think about the security of their own online information.

In essence, the risk to individuals is that personal data can be appropriated by criminals who can cross-reference other data and build a full profile, thus allowing them to steal identities; obtain credit; and access bank accounts and all private information.

Businesses that store customer data have a responsibility to protect that information and ensure it does not land in the hands of hackers.  There is currently no mandated requirement for these businesses to adhere to any particular information standard (and obtaining these standards can be prohibitively expensive for small businesses) so they are simply expected to take reasonable measures to protect against breaches.

The cause of much of the alarm around the TalkTalk hack has been that if a telecommunications company the size of TalkTalk cannot protect their customers – what hope for everyone else in defence against increasingly sophisticated cyber criminals?

As further details about the hack have emerged, it has become clear that the hack in question began with a DoS attack to create a diversion, while the hackers extracted the data via SQL injection methods. This is not at all a sophisticated hack and has raised further questions about how TalkTalk could allow cyber criminals to swipe customer data in this crude way.  While the age of the technology used has been questioned, it is entirely possible to have a completely secure database whilst using older technology – however problems will arise when aging technology is combined with poor coding practices.

The other question for TalkTalk relates to the level of testing that their databases underwent as sufficient penetration testing would have revealed this weakness.  This is a valid charge, however the problem is much more likely to have germinated later with the addition of pages and functions not part of the original system.  

When we at Borough IT look at security weaknesses in websites, we often find they are as a result of development outside of the IT department.  Something is added quickly and the option of pricey regression testing is dismissed (if it is even discussed in the first place.)  It is entirely possible that it is due to a scenario such as this that TalkTalk find themselves in the situation they are in today – having lost the data and the trust of their customers and achieving front page news for all the wrong reasons.

Deeply worrying for those customers with stolen details (and indeed for TalkTalk themselves), this event has at least highlighted the potential damage that can be done by cyber criminals and eye-watering statistics about the sharp rise in such activity prove this is something we should all be armed against. This puts the need for adequate base levels of cyber security on the national agenda – and in the long run that can only be a good thing.