Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
By Ali Qassim
Nov. 5 — The high-profile cyberattack on U.K.’s telecommunications company TalkTalk Telecom Group Plc has underlined the reputational threats to organizations that face a major hacking incident, attorneys and security consultants told Bloomberg BNA.
The Oct. 21 attack on TalkTalk's website has raised questions as to whether current law sufficiently encourages firms to establish greater safeguards and whether the U.K. government needs to further ramp up its efforts against cybercrime, they said.
It also raises the issue of whether businesses are taking sufficient steps to avoid similar threats, they said.
Although initially believed to have impacted on up to 4 million of its U.K. customers, TalkTalk said, in its latest update, that the exposed compromised data was “significantly less than originally suspected”.
As of Nov. 4, detectives from the London Metropolitan Service's Cyber Crime Unit and officers from the National Crime Agency have arrested and subsequently released on bail, four male suspects.
“If indeed this proves to have been an attack carried out by script kiddies instead of by professional cybercriminals, it will be double embarrassing for TalkTalk,” Rik Turner, a senior analyst at information technology company Ovum, told Bloomberg BNA.
Victoria Leigh, a litigation partner at Squire Patton Boggs in London, told Bloomberg BNA that the “difference between a lone cyber-hacker versus organized groups is fairly minimal with regards to the steps companies take to protect themselves against breaches. At the end of the day the outcome can be the same” regardless of the nature of the hackers.
The TalkTalk incident highlights how, “apart from issues around personal data” companies in non-technology or consumer-facing industries “are starting to come to grips with how breaches could impact business-critical operations such as a firm's intellectual property,” she said.
During an Oct. 26 emergency session of Parliament, a member asked whether there is a case for requiring encryption of customer data.
The question was prompted by TalkTalk's admission in an Oct. 27 questions and answers statement that “not all of the data” that was hacked was encrypted. The company, however, stressed that “credit and debit card details were tokenized, which is a standard higher than encryption.”
According to a spokesman for the U.K. Information Commissioner's Office, while the DPA requires organizations “to keep personal data secure,” it doesn't “specify how that should be done.”
According to Alena Vranova, the chief executive officer of Prague-based SatoshiLabs, it is ironic that the U.K. government is proposing in the context of allowing government access to data to ban end-to-end encryption. That is “the very tool that could help mitigate or even prevent disasters similar to the TalkTalk hack.”
Vranova told Bloomberg BNA that “instead, the actual solution from governmental should be support for end-user encryption of digital assets, which would lead to a reduction of hacks and fraud.”
In its draft Investigatory Powers Bill introduced Nov. 4, the government said it won't ban end-to-end encryption as previously thought but the outcome of the proposals won't be known till next year.
In the Oct. 26 Parliament session, MP Chi Onwurah questioned Minister of Culture, Media and Sport Ed Vaizey on the government's plans to improve its data security efforts, including its oversight of cybercrime issues. Onwurah described the government's approach as “chaos illuminated by occasional flashes of incompetence.”
Vaizey replied that the government has invested more than 860 million pounds ($1.32 billion) over five years in the national cybersecurity program.
Vranova questioned whether the government's cybersecurity framework is effective.
“For example, changing passwords on a regular basis is a good idea in general. But within the cybercrime context, a teenage hacker may relatively easily install a key logger to a remote computer and simply record even the most secure password,” she said.
In addition, increased regulation can impose procedural burdens on companies, which “is costly and may not dramatically slow down cybercriminals.” Last year, 3.8 million adults in the U.K. and Wales were victims to credit card fraud, she said.
Turner said that although there are signs that the government “is taking cybersecurity more seriously and spending enough on appropriate policing,” the private sector “must also up its game.”
More company leaders should prioritize cybersecurity. “There is definitely too little awareness” of information technology issues by chief executive officers, he said.
Vranova agreed that “companies should rethink their strategies from the ground up” for instance about greater minimization of data. “There's always a certain amount of data absolutely needed to conduct business but companies may find creative ways to reduce the amount of high risk data such as credit card records in their systems,” she said.
To contact the reporter on this story: Ali Qassim in London at firstname.lastname@example.org
To contact the editor responsible for this story: Jimmy H. Koo at email@example.com
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)