The UK Government’s report on the TalkTalk breach was published on the 17th June 2016 after a long review that extended from the initial breach in October 2015.
The report represents something of a landmark in the UK’s computer security sector with the recommendations being made to the government that could have consequences for many businesses, both large and small, with the report highlighting that parliament believe ‘cyber-crime is a significant and growing problem and affects all sectors with an on-line platform or service’.
Reading the published report takes a long time, with many areas of the cyber-breach being examined; however, in this article I will attempt to relay the key points, essentially providing a breakdown of the bits worth reading in more detail. Firstly, as the report states and I will reiterate, the Information Commissioner’s Office has not yet commented on the TalkTalk breach and has not contributed to the report, citing a lack of staff to deal with the influx of work it is receiving, although this subject alone is long enough to prompt another blog altogether.
The TalkTalk report welcomes the response made by TalkTalk, and the leadership under Dido Harding, with the public declaration of the attack coming the same day as the discovery of the breach. This is an important factor to consider when dealing with any cyber-attack where customer data is likely to have been breached. Many companies choose to keep their cards close to their chest, waiting to discover the true extent of the breach, the damage that has been inflicted and the damages they may be liable for prior to any announcement. Such actions may be commercially important for the business, but doing so also removes the ability for customers to change passwords that could have been stolen, or to keep a closer eye out for suspicious transactions. The report builds on this idea, suggesting escalating fines based on how long a company delays announcing a breach.
One recommendation made in the report is that the Government should ‘initiate a public awareness-raising campaign, on par with its campaign to promote smoke alarm testing’. This is a welcome recommendation, with the vast majority of security attacks succeeding due to human error or naivety. To assist with this, the recommendation is for businesses to supply customers with guidance so they can verify that their data is safe and that any contact claiming to come from the business is genuine.
One of the major points raised by the report is the suggestion that the Information Commissioner’s Office should implement a series of escalating fines, with more ‘common’ attacks resulting in larger fines. Building on the idea that ‘ignorance is not an excuse’, a company should not be able to claim it did not know that simple methods of hacking, such as the SQL injection example given in the report, exist. Measures must be put in place, with regular cyber-security testing.
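To make the ‘common attack’ point concrete, here is an added example (my own illustration, not code from the report or from TalkTalk) showing the defect class the report names beside its standard fix. The user table, the lookup functions and the probe are all constructed for this post: the unsafe lookup pastes the username into the SQL text, so a name containing an apostrophe (a perfectly ordinary input) already alters the statement; the hardened lookup passes the value as a bound parameter and is unaffected. The `probe_handles_quotes` helper is the kind of cheap, repeatable check that ‘regular cyber-security testing’ can run against every database-backed lookup.

```python
import sqlite3

# Constructed sample data for this example only.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("o'brien", "ob@example.com"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_email_unsafe(conn, username):
    """Vulnerable pattern: the input becomes part of the SQL statement text.

    Any quote character in `username` changes the structure of the query,
    which is exactly the defect SQL injection exploits.
    """
    query = f"SELECT email FROM users WHERE username = '{username}'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def lookup_email_safe(conn, username):
    """Hardened form: the value is bound as a parameter, never parsed as SQL."""
    row = conn.execute(
        "SELECT email FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def probe_handles_quotes(lookup):
    """Regression check for a lookup function.

    Returns True only if a username containing an apostrophe is treated as
    plain data (no SQL error, correct row returned). A False result means the
    input reached the SQL parser, i.e. the function is injectable.
    """
    conn = make_db()
    try:
        return lookup(conn, "o'brien") == "ob@example.com"
    except sqlite3.OperationalError:
        # The apostrophe broke the statement: input was interpreted as SQL.
        return False


if __name__ == "__main__":
    for fn in (lookup_email_unsafe, lookup_email_safe):
        status = "ok" if probe_handles_quotes(fn) else "INJECTABLE"
        print(f"{fn.__name__}: {status}")
```

Running the block prints `lookup_email_unsafe: INJECTABLE` and `lookup_email_safe: ok`. The probe deliberately uses nothing more exotic than an apostrophe: if ordinary punctuation can alter a query, an attacker-chosen string can too, and the only robust fix is parameter binding (or an ORM that does it for you), not input filtering.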
The report also touches on the Investigatory Powers Bill that is currently before parliament. The report suggests that the security of storing vast amounts of personal data must be ensured and should be ‘addressed urgently’ before any such bill passes into law.
As part of the written evidence supplied during the proceedings, a short report by Symantec states it well: ‘Attackers are moving faster and defences are not’. The report inadvertently proves one of the key issues itself: it was published in June 2016, addressing a breach already over eight months old. If the security industry is to be taken more seriously by the Government, faster methods of completing investigations into such matters need to be found.
The full report, for those interested in reading the whole document, is available at: http://www.publications.parliament.uk/pa/cm201617/cmselect/cmcumeds/148/14802.htm