29th October 2015
Talk Talk: On The Breach
Cartwright King is one of the UK’s leading cyber crime specialist solicitors and regularly defends allegations of serious and complex online and computer based crime. We can both defend individuals under investigation and advise companies in respect of procedures they can put in place to minimise the risk and effectiveness of cyber attacks. Call Gary Broadfield on 0161 833 1411 for a free initial consultation.
In the below article Gary Broadfield discusses the cyber attack on Talk Talk.
The “significant and sustained” cyber attack on the Talk Talk website has made headlines around the world in recent days. The incident has been reported to the UK’s data regulator, the Information Commissioner’s Office, and has also precipitated a criminal investigation by the Metropolitan Police’s cyber crime command, which appears to have made swift and significant progress: a 15 year old boy was arrested in County Antrim on suspicion of Computer Misuse Act offences on Monday afternoon.
It may well be that the receipt of a ransom demand by the chair of Talk Talk is what provided the authorities with the line of enquiry leading to the rapid arrest. Information Security Journalist Brian Krebs at the excellent “Krebs on Security” certainly suggests that the demand was genuine:
…the hacker group who demanded the £80,000 ransom provided TalkTalk with copies of the tables from its user database as evidence of the breach. The database in question, the source said, appears related to at least 400,000 people who have recently undergone credit checks for new service with the company.
Krebs also believes that the hackers may be planning to upload the material to the darknet marketplace “AlphaBay” following posts to that effect by a user “Courvoisier.”
However, although more concrete information is now in the public domain, hard facts are still relatively scarce. The official statement released by Talk Talk admitted that there was a chance that personal data such as names, addresses, dates of birth, phone numbers, email addresses, TalkTalk account information, credit card details and/or bank details had been compromised. However, details of exactly what had happened and what data had been lost were initially scarce, leading to unhelpful speculation. Companies in this situation undoubtedly face a difficult task in balancing their obligations to inform their customers and the relevant authorities against their desire to control and manage the flow of information to the public domain in order to limit unnecessary damage.
In the initial stages, the reporting of the attack was characterised by the now familiar hysteria that seems to attach itself so readily to large scale cyber crime. Neither the identity of the attackers, nor the scope of the breach were known and speculation was wild. It was suggested that the attack was an act of cyber warfare by Islamic State, seemingly based on nothing more than anonymous posts to internet forums.
It was also speculated that the breach was so severe that the complete bank details of all Talk Talk customers had been stolen and that accounts were thus at risk of being emptied by the hackers. Although some individuals do claim that their accounts have been cleared out by hackers, the circumstances of these cases and the extent of the issue are still far from clear.
Whilst a statement released by the company on 25th October confirms that the hack was not as severe as had previously been feared, and the progress of the criminal investigation appears to have been rapid, the situation will continue to develop and fallout from the attack will continue for some time yet.
It will be small comfort for Talk Talk if the recent update is correct and the information stolen is not, without more, sufficient to enable the hackers to access bank accounts of customers. Even if the effect was limited to the negative publicity suffered by the company in the last week the attack would have been devastating. The loss of trust in the company by its customers may yet be irreparable.
In terms of share price, the impact of the data breach is stark: following the announcement of the attack, shares dropped by over 10% from 268.12 to 239.67 before recovering to 264.41 then subsequently declining to 225.30 by close of business on Monday 26th October, an overall drop of just under 16% from the pre-attack price.
Financially, therefore, the attack has already been highly damaging. Unfortunately for Talk Talk this is likely to be just the tip of the iceberg in terms of the financial cost of the damage. The bad publicity is unlikely to abate as MPs hold an inquiry into the breach. The discontent of customers whose data has been stolen is likely to manifest itself not only in attempts by individuals to cancel their contracts but almost certainly in one or more class action lawsuits against the company, alleging that it has breached the Data Protection Act and that compensation is payable to the affected customers.
This loss of business and the potential that compensation may be due to customers is exacerbated by the difficulty and cost of investigating the breach, which may well run into many millions of pounds of additional staff and investigative costs relating to expert assistance from third parties like computer forensic analysts.
Staff at the company will have undoubtedly worked round the clock in recent days to investigate the breach and to deal with the consequences. An example of the scale of the work involved is that the company has undertaken to contact each of its four million current customers and an unknown number of former customers in relation to the breach. Current customers are also being offered the protection of a free year’s service with online credit monitoring company "Noddle". In addition the company will then have to investigate the circumstances of each individual complaint or claim made by customers who may, for example, claim that their bank accounts have been emptied by fraudsters.
It has been reported that the services of computer forensic experts have been retained by TalkTalk to examine the technical aspects of the breach to assist in the identification of the attackers and to strengthen defences to ensure that such an attack cannot succeed again. They may well also have instructed specialist public relations firms to deal with the negative publicity of the breach. Equally, the swiftness of the Metropolitan Police’s response to the hack may be partly the result of an undertaking by Talk Talk to pay for some or all of the cost of the criminal investigation.
Finally, it may be that Talk Talk will have to contend with regulatory investigations into the manner in which the data it held was stored and administered. By way of example, the ICO recently levied its first fine in relation to an online pharmacy accused of selling the details of 100,000 customers to third parties. If Talk Talk should be found to have breached the data protection principles, similar action could follow.
The damage caused by cyber attacks often far exceeds the difficulty of executing them. Human error, rather than the technological sophistication of the attacker, lies at the root of most successful hacks of a company’s IT and computer systems. Thus, the risks of a successful attack can be avoided by training staff to be mindful of IT and data security and by creating a working culture that prioritises security and mitigates risk. It is worth noting here that the October cyber attack on Talk Talk was said to be the third such attack suffered by the company in recent months, and it may be that an investigation, whether internal or by a regulator, concludes that warnings from those earlier attempts were not heeded.