For the third time this year TalkTalk have had to publicly admit that their network has been hacked and customer data has been taken. In both January and February of this year they released statements warning customers about stolen data and about protecting themselves against fraud and scams. Though those first incidents affected only a few thousand customers, it seems bizarre that they haven’t spent the last eight months securing and protecting their network rather than risking letting it happen again. The fallout for TalkTalk and its customers aside (my condolences if you’re one of those affected), every other business, no matter its size, should start learning some serious lessons from this about making sure their network, and the data it holds, are completely watertight.
With TalkTalk it started with a fairly basic form of attack called DDoS or ‘Distributed Denial of Service’ which, for those who aren’t already aware, is a brute force attack where multiple computers are set to repeatedly connect to, or ‘ping’, a particular server, loading it down with the sheer weight of connections until it becomes inaccessible. Servers have a finite number of connections they can handle at once, so for a major system like TalkTalk it either means a vast number of machines were involved or, more worryingly, their server setup is less than competent and doesn’t include some fairly basic protection against such attacks.
DDoS attacks are typically used by hackers against the websites of companies they have some ideological beef with (environmentalists against Coca Cola, for a possibly slanderous example), as the result is usually only that the site goes down for some time. It’s embarrassing for the company and the site host (sites are rarely hosted by the company themselves) but its effects are more symbolic than damaging. In the case of TalkTalk the hackers went an extra step and used the server restart to access it at a vulnerable time and remove as much data as possible before any protection could fully kick in and kick them out.
A DDoS attack isn’t new; it’s in fact probably one of the oldest forms of cyber attack, and most modern protection has safeguards in place to identify suspicious connections that follow the pattern and block them before it becomes a problem. These may well have been in place at TalkTalk, it would be speculation to say either way, and until more details about how the hack was achieved emerge it won’t be possible to say what defences were and were not in place. For every other business that still doesn’t prioritise its network security, however, this has got to be the final wake-up call. Any business could be targeted by hackers for the valuable data it holds. Large companies tend to get targeted by the over-ambitious hacker looking to make a name for themselves and get their fifteen minutes in the spotlight. The hackers looking to make money from selling financial data are the ones who will target the smaller business, where security isn’t so tight and the threat of national exposure is much reduced.
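The paragraph above says that protection works by spotting connections that "follow the pattern" and blocking the source before the server is swamped. The following is an added illustration of the simplest form of that idea, a per-source sliding-window connection counter run over a constructed connection log; it is not code from the original post or from TalkTalk, and the log format, addresses, threshold and window are all assumptions made for the example.

```python
"""Flag source addresses whose connection rate exceeds a threshold.

Added example, not part of the original post. It models the "identify the
pattern and block the source" step in the most basic way: count how many
connections each source has opened within a short sliding window and flag
any source that crosses a limit. Everything below (log format, addresses,
limits) is constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log, one line per connection attempt:
#   "<ISO-8601 timestamp> <source address> <event>"
# One ordinary client opens three connections over fifteen seconds; a second
# source opens thirty connections in six seconds, the kind of burst a flood
# from a single participating machine would produce.
SAMPLE_LOG = (
    [f"2015-10-21T10:00:{s:02d} 198.51.100.7 SYN" for s in (0, 7, 15)]
    + [f"2015-10-21T10:00:{s:02d} 203.0.113.5 SYN" for s in range(3, 9) for _ in range(5)]
)


def parse_line(line):
    """Return (timestamp, source address) for one log line."""
    ts, src, _event = line.split()
    return datetime.fromisoformat(ts), src


def flag_sources(lines, max_conns=10, window_s=5.0):
    """Return {source: time first flagged} for sources exceeding the limit.

    A source is flagged once it has opened more than `max_conns` connections
    within any `window_s`-second span. Lines are sorted by timestamp first so
    the sliding window sees events in order (ISO timestamps sort correctly as
    strings). A real mitigation would feed the flagged set to a firewall or
    rate limiter rather than just reporting it.
    """
    recent = defaultdict(deque)  # source -> timestamps still inside the window
    flagged = {}
    for line in sorted(l for l in lines if l.strip()):
        ts, src = parse_line(line)
        window = recent[src]
        window.append(ts)
        # Drop timestamps that have fallen out of the window. The loop always
        # terminates because the newest entry is exactly `ts` itself.
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) > max_conns and src not in flagged:
            flagged[src] = ts.isoformat()
    return flagged


if __name__ == "__main__":
    for src, when in flag_sources(SAMPLE_LOG).items():
        print(f"flagged {src} at {when}")
```

With the constructed log, the bursting source is flagged at its eleventh connection (10:00:05) while the ordinary client, which never has more than three connections in any five-second span, is never flagged. Raising `max_conns` above the burst size flags nothing, which is the trade-off any such threshold involves: set it too high and a flood gets through, too low and legitimate busy clients are blocked.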
If nothing else, the lesson to learn from TalkTalk is that all companies have a responsibility to ensure that their customer data is kept as securely as possible. Whether this means ‘orphan’ data, where details like name and credit card number are kept separately to prevent identification, or high level encryption, the potential financial or reputational losses to a business vastly outweigh any savings involved, especially if the Information Commission follows through with their plans to force companies to encrypt their data through regulation.
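The ‘orphan’ data idea above, keeping name and card number in separate places so that neither on its own identifies anyone, is easy to show concretely. The block below is an added example, not code from the original post or from TalkTalk: two in-memory dictionaries stand in for two separately secured databases, joined only by a random token that is derived from nothing about the customer, and a helper shows what an attacker holding a dump of one store (or both) could actually link together. The Luhn check, field names and sample card number are assumptions for the example; a real deployment would additionally encrypt the card field at rest.

```python
"""Split customer identity and card details into two stores linked only by a
random token (the post's "orphan" data).

Added example, not part of the original post. The two dicts stand in for two
separately secured databases. The token comes from `secrets`, so it cannot be
recomputed from the customer's details the way a hash of the name or card
number could be. Card encryption at rest is out of scope here and assumed to
be handled by the payment store in a real system.
"""
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn checksum; used only to reject obviously malformed card numbers."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the form safe to show in a UI or log."""
    return "*" * (len(pan) - 4) + pan[-4:]


class SplitCustomerStore:
    """Identity details and payment details live in separate stores."""

    def __init__(self):
        self.identity = {}   # token -> {"name", "email"}
        self.payment = {}    # token -> {"pan", "expiry"}

    def add(self, name: str, email: str, pan: str, expiry: str) -> str:
        """Store one customer and return the linking token."""
        if not luhn_ok(pan):
            raise ValueError("malformed card number")
        token = secrets.token_urlsafe(16)    # random, unguessable link
        self.identity[token] = {"name": name, "email": email}
        self.payment[token] = {"pan": pan, "expiry": expiry}
        return token

    def masked_card_for(self, token: str) -> str:
        """What an application should return when asked to display a card."""
        return mask_pan(self.payment[token]["pan"])


def linkable(identity_dump: dict, payment_dump: dict) -> list:
    """(name, card number) pairs an attacker can assemble from the dumps held.

    With only one of the two dumps the intersection of tokens is empty, so no
    card number can be tied to a person; obtaining both stores is what turns
    the data into usable fraud material.
    """
    shared = identity_dump.keys() & payment_dump.keys()
    return [(identity_dump[t]["name"], payment_dump[t]["pan"]) for t in shared]


def build_sample_store() -> SplitCustomerStore:
    """Two constructed customers; 4111... is a standard test card number."""
    store = SplitCustomerStore()
    store.add("A. Customer", "a@example.com", "4111111111111111", "12/17")
    store.add("B. Customer", "b@example.com", "4111111111111111", "01/18")
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print("identity dump alone links:", len(linkable(s.identity, {})))
    print("both dumps link:", len(linkable(s.identity, s.payment)))
```

The design point is where the join key comes from. If the two stores were joined by the customer's email address or a hash of the card number, a single dump would still let an attacker rebuild the link; a random token has no such relationship to the data, so the two stores have to be breached together before the records mean anything.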