TalkTalk CEO Defends Security Strategy To MP Committee

The devastating hack on TalkTalk could not have been fully prevented, the CEO of the embattled ISP has insisted before a committee of MPs.

Dido Harding’s statement comes despite concern from some security experts that TalkTalk has not learned its lessons from the hack, and remains vulnerable to another cyber attack.

TalkTalk Hack

TalkTalk was hacked in late October, and the attack resulted in the theft of the personal details of 156,959 customers. It was eventually revealed that 15,656 bank account numbers and sort codes had been accessed, as had 28,000 obscured credit and debit card numbers.

It has emerged that TalkTalk was not accredited by Cyber Essentials, a government-backed scheme that was launched in June 2014 to help organisations protect themselves against digital attacks, but Harding is adamant this would not have fully prevented the attack.

The ISP is currently in the process of getting accreditation, but Harding was quoted by the Guardian newspaper as saying that she did not know if Cyber Essentials was a sufficient benchmark for protection.

Harding was giving evidence to the House of Commons culture, media and sport select committee, which has launched an inquiry into the hack.

“Cybercrime is the crime of our generation, it is growing exponentially, and we all need to learn more …” Harding reportedly said. “You can’t say you are 100 percent certain that your measures are going to keep everything secure. Criminals only have to get lucky once.”

Harding said that she was accountable for the hack because cybersecurity was a board-level issue. She admitted her company could have done more to protect itself and revealed that there is no one single executive in charge of security at the firm.

Buck Stops here

“The line responsibility for keeping our customers’ data safe is split among a number of teams,” said Harding. “It’s impossible in a telecoms company to say security only sits with a director of security. If there is a criminal attack, the question is was there a sufficient oversight by the board.”

And Harding insisted that encryption is not the only solution, as encryption on its own is “not a silver bullet.”

“Every British company is being targeted by cybercriminals every day,” she was quoted as saying. “One of the interesting things we have learned is that it’s only telecoms companies that have an obligation to report breaches to the ICO [Information Commissioner’s Office]. The truth is that none of us know what of our personal data may have been stolen from other sources.

“On Pastebin, if you search for literally any consumer brand in the UK, you will find consumer data. I absolutely agree that all of us need to be more on this, you can see from TalkTalk’s experience over the past 12 months we’ve been doing more and more.”

Harding then told MPs that a review into the breach needs to establish whether it was avoidable. If it was, the the ISP will have to consider “grade-level resignations”. She said TalkTalk has closed the vulnerability and she was confident that the ISP had improved its security.

Ongoing Investigation

She also pointed out that less than four percent of TalkTalk customers were affected by October’s breach and that none of the data taken would enable a criminal to steal money.

Last month police arrested yet another teenager in connection the hack of TalkTalk. The 18-year-old youth from Wales was arrested in an investigation has so far seen the arrests of four other youngsters.

The police initially arrested a 15-year-old boy from Northern Ireland and a 16-year-old boy from Feltham, west London, in connection with the attack. They later arrested a 20-year-old man in south Staffordshire and a 16-year-old boy in Norwich.

All were arrested for suspected of Computer Misuse Act offences and have been bailed pending further inquiries.

Are you a security pro? Try our quiz!