Adrian Weckler: Blame the bogeyman - TalkTalk needs better excuses and better security
Published 28/10/2015 | 02:30
What happens when you tell the world your major data breach was a sophisticated international gang - but the only one arrested is a 15-year-old boy?
That's the situation now facing TalkTalk, the British telecoms and broadband company. For the past week, the firm has been solemnly hinting at crack international criminal syndicates or cyber-terrorists as the likely culprits for the hacking incident that exposed the sensitive data of up to four million of its customers.
But on Monday, police arrested a 15-year-old boy in Antrim in connection with the incident. Either the boy, who has not yet been charged or officially named, is a tech genius on his way to the American National Security Agency, or TalkTalk's management face some stern post-hacking questions.
Looking at what we know about the incident, it's starting to look like the latter rather than the former.
It's not just that the market erased €400m from the value of the publicly traded TalkTalk, or that this is the third data breach the company has experienced over the past year. It's the culmination of events surrounding the data breach and the company's apparently dismissive attitude to its own culpability.
The telco has said that the incident involved what's known as an SQL injection attack. Most security experts describe this as a rudimentary hacking method that should not succeed against a properly protected company. Open up YouTube and you'll find dozens of tutorial videos about how to set one up, at least in part. A 15-year-old could certainly do it.
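The column calls SQL injection rudimentary and says it should not work against a properly protected system. The example below, added here and not taken from the article or from any TalkTalk code, shows why: a lookup that splices user input into the SQL text lets the input rewrite the query, while the same lookup using a bound parameter treats the input as data only. The customer table and names are constructed sample data.

```python
import sqlite3

# Constructed sample rows (not real customer data) for an in-memory database.
CUSTOMERS = [
    (1, "alice", "alice@example.test"),
    (2, "O'Brien", "obrien@example.test"),
    (3, "carol", "carol@example.test"),
]


def make_db():
    """Create a throwaway SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable pattern: the caller-supplied value is concatenated into the
    SQL string, so quote characters in the input alter the query structure."""
    sql = "SELECT id, name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened pattern: the value is passed as a bound parameter and the
    database engine never parses it as SQL, whatever characters it holds."""
    sql = "SELECT id, name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups against a legitimate apostrophe name and against a
    structure-altering string; return the observable differences."""
    conn = make_db()
    results = {}

    # A perfectly ordinary name breaks the concatenated query outright.
    try:
        lookup_unsafe(conn, "O'Brien")
        results["unsafe_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["unsafe_apostrophe"] = "syntax error"
    results["safe_apostrophe"] = len(lookup_safe(conn, "O'Brien"))

    # The textbook tautology: concatenation returns every row,
    # the parameterised query returns nothing because no name matches.
    probe = "x' OR '1'='1"
    results["unsafe_probe_rows"] = len(lookup_unsafe(conn, probe))
    results["safe_probe_rows"] = len(lookup_safe(conn, probe))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The fix is not input filtering but parameterisation: every database driver offers it, and a code review or basic audit that greps for string-built SQL finds the vulnerable pattern in minutes, which is the point the article makes about this class of flaw.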
While further details about the particulars of the attack remain to be released by TalkTalk, other elements of the company's security set-up are embarrassing for the telco. It has admitted that "parts" of its sensitive customer data weren't encrypted and that these included incomplete credit card numbers.
There are also issues around 'plain text' access to passwords that have left security experts highly critical of the company.
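The plain-text password issue the article raises has a standard remedy: store only a salted, slow-to-compute hash and compare in constant time. The code below is an added illustration using Python's standard library, not anything from TalkTalk or the article; the stored-record format and the cost parameters are choices made for this example.

```python
import hashlib
import hmac
import os

# Cost parameters for scrypt; 128 * N * r * p bytes of memory per hash
# (16 MiB here), chosen for this example rather than taken from any standard.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
DKLEN = 32


def hash_password(password, salt=None):
    """Return a self-describing record: scheme, cost parameters, salt and digest.
    A fresh random salt means two users with the same password get different
    records, so a leaked table cannot be attacked with one precomputed list."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P,
                                      salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the digest from the stored parameters and compare without
    leaking timing information about how many bytes matched."""
    scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported scheme: %s" % scheme)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=DKLEN)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def demo():
    """Constructed user record: show that the database never holds the password
    and that only the correct password verifies."""
    plaintext = "correct horse battery staple"   # constructed sample password
    record = hash_password(plaintext)
    return {
        "record_contains_password": plaintext in record,
        "right_password_verifies": verify_password(plaintext, record),
        "wrong_password_verifies": verify_password("not the password", record),
        "salts_differ": hash_password(plaintext) != record,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

A company that can read a customer's password back in plain text, or recite part of it over the phone, is by definition not storing it this way; that is the gap the experts quoted in the article are pointing at.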
The British Parliament is now set to call the company's executives in to explain in more detail how and why the attack happened.
But they may not get too many answers. TalkTalk, like so many companies caught out by hackers of indeterminate skill or expertise, appears determined to reach for clichés and pat responses when answering questions about the incident.
Asked repeatedly why TalkTalk's security systems have proven to be so weak in recent months, company chief executive Dido Harding has resorted to bleating out crisis-management PR phrases designed to make TalkTalk look like no more than a victim of terrifying, ingenious cyber-criminals who can outfox anyone if they wish. "Unfortunately cyber crime is the crime of our century," Ms Harding told the BBC at the weekend.
"Can our defences be stronger? Can any company's defences be stronger? Absolutely… I'm a customer of TalkTalk myself. I've been a victim of this attack."
All the while, the scripted lines are trotted out with an earnest face, punctuated with carefully rehearsed nods and frowns.
But investigations into high-profile data breaches usually yield much less flattering conclusions. In most cases, companies are found to have overlooked basic security controls that any routine audit would have flagged.
Encryption is certainly one of them. And in some ways, TalkTalk is in step with modern companies. The last major survey in Ireland on companies' data breach experiences showed that half had suffered at least one data breach in the previous 12 months.