In arguably the most famous hacking case of 2015, telecoms company TalkTalk suffered a catastrophic cyber attack towards the end of October. Details emerged slowly, but eventually the news media revealed that up to 4 million customers may have had their names, credit card and bank details stolen.
The hacking of web-facing organisations is becoming increasingly common, so it is important to take this kind of incident and learn from the mistakes that were made. This is the most effective way to help other businesses avoid suffering the same kinds of attacks. But to learn from the mistakes, we first need to understand exactly what happened to the telecommunications giant.
Here, tech expert Mike James, working with cyber threat prevention specialists Redscan, digs deeper into the TalkTalk story, its implications and the lessons to be learned for large organisations.
It all started when TalkTalk customers began having trouble getting on to the website. The company believed it was under a Distributed Denial of Service (DDoS) attack, in which the website is overwhelmed with fake traffic, effectively causing the system to break. TalkTalk was able to identify this problem and shut down their internal systems.
However, it now appears that the DDoS attack was a simple piece of misdirection to distract the company from a second attack that was stealing sensitive data. This is one tactic that cyber criminals are beginning to exploit – using one attack to confuse a business and cover another intrusion.
The first lesson to be learned is that you need to consider the possibility that if your website is suffering one form of attack, there might be something worse going on. Don’t focus all of your efforts on the obvious issue – be mindful that there could be a deeper attack happening. It can be easy just to think about the immediate threat but you need to remember that hackers are becoming increasingly sophisticated and advanced; this kind of technique is now commonplace.
The fact that the hack was successful is enough of a problem for TalkTalk and its cyber security, but there is an additional issue that makes the whole episode so much worse. After a few days of offering very little information about what had happened, the company announced that some of the data that had been stolen had not been encrypted.
It is undoubtedly right that the company should be criticised for this lack of encryption. While encrypting data is not a fix-all solution, it does make it far more challenging for hackers to get what they want from their cyber attack.
The second lesson is that if you are a company that handles lots of sensitive personal data – and therefore could easily be the target of hackers – you need to properly encrypt all of that data. Of course, you will always need to have a way to access the data in your database so it will naturally always be possible for advanced cyber criminals to get what they are looking for. But leaving large areas of your database free from encryption simply makes your business look like an easy target. And there is nothing that hackers gravitate towards more than an easy target.
One aspect of the case that makes it so disappointing from TalkTalk’s perspective is that the company had already been hit by two high-profile attacks in the previous year. This indicates that these attacks were not taken seriously and that no changes to security or strategy happened as a result of them. When you combine this with the fact that the business has been accused of a number of security issues regarding a lack of compliance with credit card payment system standards, it shows that the company has consistently mismanaged its cyber defences.
So the third lesson that can be learned from the hack is that you need to learn from your mistakes. TalkTalk saw multiple security breaches and did not act; it is always sensible to take serious action whenever you encounter any problems with hackers.