On Tuesday TalkTalk CEO Dido Harding appeared before the Culture, Media and Sport parliamentary select committee to answer questions on the recent hacking of customer data from the company. The committee began by pressing Harding on who has responsibility for security at TalkTalk; her response was emphatically that security is a “board level issue” and that ultimately the buck stops with her.
Clear confusion about different types of IT security
One issue that was highlighted during questioning was the relationship between TalkTalk’s data and how it is accessed by third-party suppliers. This has already been the cause of a number of breaches, yet MPs did not ask deeper questions about the nature of those breaches or about how TalkTalk controls and monitors third-party access to, and use of, its data.
Jesse Norman MP, who chairs the committee, was interested in getting answers on the cause and nature of the hack, and he had done his research. He speculated (as has been widely reported in the media) that this was an SQL injection attack and that it surely was preventable if the web servers hosting the SQL database were correctly secured. It is worth noting that SQL injection is an application-level flaw: it arises when user input is concatenated into a query, and the fix is in the application code (parameterised queries and input validation), not in hardening the server that hosts the database. For many of us, these questions were the ones we were really interested in hearing an answer to. What was the precise nature of this attack? And why had TalkTalk not done a better job of preventing it? Those of us who wanted those answers were disappointed. Harding immediately referred to the active police investigation and was therefore, conveniently, unable to give details on the hack. She was also very keen to make sure that the committee was aware that this attack was not simple, describing it as “multifaceted” and saying that the hackers managed to find “a needle in a haystack of haystacks”.
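To make the SQL injection point concrete, here is an added example (it is not from the hearing, and the table, rows and payload are constructed for illustration; nothing here reflects TalkTalk’s systems). It builds a small in-memory SQLite database and runs the same customer lookup two ways: once by concatenating the user-supplied email into the query string, and once with a parameterised query. The classic `' OR '1'='1` payload makes the first version return every row while the second returns nothing, which is the whole point: the difference is in the application code, and no amount of server hardening changes it.

```python
import sqlite3

# Constructed sample schema and rows; not a real customer dataset.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "ACC-0001"),
    ("bob@example.com", "ACC-0002"),
]

# A textbook injection payload: closes the string literal and
# appends an always-true condition.
PAYLOAD = "x' OR '1'='1"


def make_db():
    """Create an in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, account_ref TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, account_ref) VALUES (?, ?)", SAMPLE_CUSTOMERS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Vulnerable: user input is spliced into the SQL text.

    With PAYLOAD the query becomes
        SELECT ... WHERE email = 'x' OR '1'='1'
    and every customer row is returned.
    """
    sql = "SELECT email, account_ref FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, email):
    """Hardened: the value is bound as a parameter.

    The database driver treats the whole string as data, so PAYLOAD is
    simply compared literally against the email column and matches nothing.
    """
    sql = "SELECT email, account_ref FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, benign input:     ", lookup_vulnerable(db, "alice@example.com"))
    print("vulnerable, injection payload:", lookup_vulnerable(db, PAYLOAD))
    print("parameterised, benign input:  ", lookup_parameterised(db, "alice@example.com"))
    print("parameterised, payload:       ", lookup_parameterised(db, PAYLOAD))
```

Running the script shows both functions returning Alice’s single row for a legitimate email, but only the concatenating version leaking every row when given the payload. Parameterised (prepared) statements are the standard fix in every mainstream database library; escaping input by hand is error-prone and should not be relied on.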
Cyber security is now TalkTalk’s number one risk (easy to say after you have been hacked), and spending on information security has risen in the company and will continue to rise. Harding outlined investments that had been made in DLP and encryption, but there was no mention of improving access control in any way. Given the concerns about what attackers can do once inside the network, and the clear issues raised by working with third parties, you would expect more action in this area.