When British telecoms firm TalkTalk was struck by hackers in October 2015, the story made headline news.
CEO Dido Harding (also known as Baroness Harding of Winscombe) went on TV news programmes to describe the hack as “highly sophisticated.”
Within days Harding was telling the press that TalkTalk was “head and shoulders” better than its competitors when it came to security.
I was skeptical at the time that Harding knew what she was talking about, and I’m not changing my position now as I read the Information Commissioner’s Office’s newly-published in-depth report into what was going on at TalkTalk:
…TalkTalk had failed to remove, or otherwise make secure, the webpages that enabled the attackers to access the underlying database. The investigation also highlighted that the database software in use was outdated. It was affected by a bug for which a fix had been made available over three-and-a-half years before the cyber attack but which had not been applied. The bug enabled the attackers to bypass access restrictions that were in place on the database. TalkTalk also failed to undertake appropriate proactive monitoring activities to discover vulnerabilities.
The attack was an SQL injection attack, a common type of cyber attack that has been well-understood for more than ten years and for which known defences exist.
The investigation found there had been two previous SQL injection attacks on 17 July 2015 and between 2-3 September 2015 but TalkTalk did not take any action due to a lack of monitoring of the webpages.
So, no… the TalkTalk hack was not “highly sophisticated.” SQL injections are child’s play, and it’s shameful that TalkTalk’s websites were not hardened against such attacks.
Furthermore, it appears that TalkTalk’s database software had not been patched for a vulnerability that had been fixed three-and-a-half years earlier? That’s security 101! You have to keep your systems patched!
Hackers accessed the personal data of 156,959 TalkTalk customers including their names, addresses, dates of birth, phone numbers and email addresses. In 15,656 cases, the attacker also had access to bank account details and sort codes because of TalkTalk’s incompetence.
Disgracefully, some of the victims of the TalkTalk hack were treated shoddily by the company.
Fining the telecoms firm a record £400,000, Information Commissioner Elizabeth Denham was damning in her opinion of how TalkTalk had protected customers’ personal data:
“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.”
“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
And as for TalkTalk CEO Dido Harding? She saw her pay almost triple to £2.8 million.