TalkTalk Breach Reveals U.K. Cybersecurity Weakness


By Ali Qassim

Nov. 5 — The high-profile cyberattack on the U.K. telecommunications company TalkTalk Telecom Group Plc has underlined the reputational threats to organizations that face a major hacking incident, attorneys and security consultants told Bloomberg BNA.

The Oct. 21 attack on TalkTalk's website has raised questions as to whether current law sufficiently encourages firms to establish greater safeguards and whether the U.K. government needs to further ramp up its efforts against cybercrime, they said.

It also raises the issue of whether businesses are taking sufficient steps to avoid similar threats, they said.

Although initially believed to have affected up to 4 million of its U.K. customers, TalkTalk said in its latest update that the amount of compromised data was “significantly less than originally suspected.”

As of Nov. 4, detectives from the London Metropolitan Service's Cyber Crime Unit and officers from the National Crime Agency had arrested, and subsequently released on bail, four male suspects.

Cyberattacks Hit Reputation

“If indeed this proves to have been an attack carried out by script kiddies instead of by professional cybercriminals, it will be doubly embarrassing for TalkTalk,” Rik Turner, a senior analyst at information technology company Ovum, told Bloomberg BNA.

Victoria Leigh, a litigation partner at Squire Patton Boggs in London, told Bloomberg BNA that the “difference between a lone cyber-hacker versus organized groups is fairly minimal with regards to the steps companies take to protect themselves against breaches. At the end of the day the outcome can be the same” regardless of the nature of the hackers.

The TalkTalk incident highlights how, “apart from issues around personal data” companies in non-technology or consumer-facing industries “are starting to come to grips with how breaches could impact business-critical operations such as a firm's intellectual property,” she said.

End-to-End Encryption

During an Oct. 26 emergency session of Parliament, a member asked whether there is a case for requiring encryption of customer data.

The question was prompted by TalkTalk's admission in an Oct. 27 question-and-answer statement that “not all of the data” that was hacked was encrypted. The company, however, stressed that “credit and debit card details were tokenized, which is a standard higher than encryption.”

According to a spokesman for the U.K. Information Commissioner's Office, while the Data Protection Act (DPA) requires organizations “to keep personal data secure,” it doesn't “specify how that should be done.”

According to Alena Vranova, the chief executive officer of Prague-based SatoshiLabs, it is ironic that the U.K. government, in the context of securing government access to data, is proposing to ban end-to-end encryption. That is “the very tool that could help mitigate or even prevent disasters similar to the TalkTalk hack.”

Vranova told Bloomberg BNA that “instead, the actual solution from government should be support for end-user encryption of digital assets, which would lead to a reduction of hacks and fraud.”

In its draft Investigatory Powers Bill, introduced Nov. 4, the government said it won't ban end-to-end encryption as had previously been thought, but the outcome of the proposals won't be known until next year.

U.K. Government Plans Questioned

In the Oct. 26 Parliament session, MP Chi Onwurah questioned Minister of Culture, Media and Sport Ed Vaizey on the government's plans to improve its data security efforts, including its oversight of cybercrime issues. Onwurah described the government's approach as “chaos illuminated by occasional flashes of incompetence.”

Vaizey replied that the government has invested more than 860 million pounds ($1.32 billion) over five years in the national cybersecurity program.

Vranova questioned whether the government's cybersecurity framework is effective.

“For example, changing passwords on a regular basis is a good idea in general. But within the cybercrime context, a teenage hacker may relatively easily install a key logger on a remote computer and simply record even the most secure password,” she said.

In addition, increased regulation can impose procedural burdens on companies, which “is costly and may not dramatically slow down cybercriminals.” Last year, 3.8 million adults in the U.K. and Wales were victims of credit card fraud, she said.

Private Sector Must ‘Rethink’ Cybersecurity

Turner said that although there are signs that the government “is taking cybersecurity more seriously and spending enough on appropriate policing,” the private sector “must also up its game.”

More company leaders should prioritize cybersecurity. “There is definitely too little awareness” of information technology issues by chief executive officers, he said.

Vranova agreed that “companies should rethink their strategies from the ground up,” for instance by minimizing the data they hold. “There's always a certain amount of data absolutely needed to conduct business, but companies may find creative ways to reduce the amount of high-risk data, such as credit card records, in their systems,” she said.

To contact the reporter on this story: Ali Qassim in London at correspondents@bna.com

To contact the editor responsible for this story: Jimmy H. Koo at jkoo@bna.com