I was slightly bemused when I saw the ex TalkTalk CEO was standing up at Infosecurity 2018 to give a presentation of Cyber Security – a presentation, I presume she was rewarded for. The first thing that passed through my mind was, Infosecurity is a security event, agreed very much focused on commercialized sales pitches, and wondered just how hearing how the TalkTalk debacle, and the post event PR disaster would help reinforce the Cyber Security mantra – but as a contact said to me, let’s see what the Baroness has to say.
As a refresher here to the case of TalkTalk in 2015, the Data Commissioner of the day Elizabeth Denham said:
“Talk Talk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.
According to a report in the Register, at Infosecurity 2018, Harding blamed the matter of Legacy apps and systems for the event – AKA stuff that is out of date (let us not mention that dead horse PCI-DSS please), and commented that it was SQL Injections that had played its part in the hack, exposing multiples of users to cyber fraud opportunities etc. However, what the Baroness did not say was (according to a reliable insider source of the day) the Board were made well aware of the security shortfalls around one year before the event actually took place, but as so many companies do, relied on the ‘it has not happened, so why pay to fix it’ – thus manifesting in the security issue the company encountered in 2015 which exposed 156,959 customers including their names, addresses, dates of birth, phone numbers and email addresses. In 15,656 cases, the attacker also had access to bank account details and sort codes. It is further rumored that TalkTalk recived a discount on the fine that was imposed on them – I guess to qualify that snippet a quick FOI would suffice.
It is also simply amazing that Harding declined to answer a question from the hall, and another submitted online about whether, and how the size of TalkTalk’s security budget and team changed in response to the breach. The Tory peer admitted TalkTalk “could have done more” (or just apply the basic stuff which was not in place) to prevent the attack and that the security budget did go up – without going into any detail whatsoever. However, I understand from my sourece that at the time this was not commensurate with the actual requirement. It may have also been an advised practice to have declined the request from the organizers, and of course the fee she was paid in consideration of digging up, what was, and is now current day dirty washing – not making anything better for the ex-company, but refreshing the mind of the observers, with not such a good commentary or position on Cyber Security.
This on top of last years honored individual who enter the hero category of Infosecurity – Marcus Hutchins, who is now under further investigation by the FBI. This leaving me wondering if Infosecurity Team do understand what the real mission here is – beyond the hype, PR, and underpinning the commercial interests of the vendors to sell more – which in several cases will become Shelfware!
But fear not, as we move forward I am guessing the Infosecurity Backroom Team will also be already planning next year’s event to present more such interesting topics at Infosecurity 2019 – maybe in 2019 we will see Paul Pester of TSB fame talking about system sustainability and responding to the need to provide real time support and continuity for the customer – only time will tell.