It seems staggering that a technology provider like TalkTalk should resort to ignorance as its line of defence, and yet that is just what the company did when faced with the results of the Information Commissioner's Office (ICO) investigation. The company 'did not know' that the vulnerable web pages, subjected to at least three separate SQL injection attacks, existed, and was 'unaware' that the database software behind them, inherited from Tiscali, had not been patched for three and a half years.
What's interesting is that the fine was levied as the result of an attack, and no doubt that is the tack TalkTalk was taking when it sought to present itself as the victim, but the ICO was having none of it, saying the fine should act as "a warning to others that cyber security is not an IT issue, it is a boardroom issue." This time around, TalkTalk would not be talking itself out of trouble.
What is clear is that the probing and reconnaissance carried out through the SQL injection attacks launched against TalkTalk in July, September and finally October 2015 could and should have been prevented. There was a clear lack of due diligence at the time of the Tiscali takeover, followed by poor auditing of the information estate, and finally poor security monitoring and patch management as ongoing activities.
SQL injection is by no means a complex attack, and it is very common. The attacker supplies input that the web application splices into a SQL statement, so the injected SQL runs against the backend database with the application's own privileges, letting the attacker read, alter or enumerate the data housed there. Avoiding it is straightforward if web application developers follow the guidelines published by OWASP: parameterised queries (prepared statements) as the primary defence, so that user input can never change the structure of a statement, backed by input validation and a least-privilege database account as defence in depth.
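To make the point concrete, here is an added example (not code from the original article, and not TalkTalk's code) of the injectable pattern beside its parameterised replacement. It uses Python's built-in sqlite3 module against an in-memory database with a constructed customer table; the table, values and payloads are invented for illustration. The second payload shows the kind of reconnaissance the article refers to: a UNION query pulling the schema out of sqlite_master instead of a customer row.

```python
import sqlite3


def build_db():
    """Create a constructed in-memory database standing in for the web app's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, account_no TEXT)"
    )
    # Sample rows are invented for this example.
    conn.executemany(
        "INSERT INTO customers (email, account_no) VALUES (?, ?)",
        [
            ("alice@example.com", "ACC-1001"),
            ("bob@example.com", "ACC-1002"),
            ("carol@example.com", "ACC-1003"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Untrusted input concatenated straight into the statement: the injectable pattern."""
    sql = "SELECT email, account_no FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, email):
    """Parameterised query: the driver passes the value separately from the SQL text,
    so the input is only ever compared as data and cannot alter the statement."""
    return conn.execute(
        "SELECT email, account_no FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Constructed payloads. The first turns the WHERE clause into a tautology and
# dumps every row; the second appends a UNION that reads table definitions
# (schema reconnaissance) and comments out the trailing quote with "--".
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"
RECON_PAYLOAD = "x' UNION SELECT name, sql FROM sqlite_master--"


def demo():
    conn = build_db()
    return {
        "vulnerable_tautology": lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD),  # 3 rows
        "vulnerable_recon": lookup_vulnerable(conn, RECON_PAYLOAD),  # schema, not data
        "hardened_tautology": lookup_hardened(conn, TAUTOLOGY_PAYLOAD),  # []
        "hardened_recon": lookup_hardened(conn, RECON_PAYLOAD),  # []
        "hardened_legit": lookup_hardened(conn, "alice@example.com"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The hardened lookup returns nothing for either payload because no customer's email literally equals the payload string; the same input that exfiltrated the schema through the vulnerable path is inert through the parameterised one.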
Poor coding aside, there is also the option of automated monitoring and detection that should have spotted these attempts and triggered an alarm, but only if that database and the web pages in front of it had been included in the company's asset inventory in the first place. That is what illustrates why this is not an IT issue: what was missing here was the basic step of properly integrating one company's assets with those of another, and that comes down to the fundamental way the company was run.
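As an added illustration of what "automated detection that should have spotted these attempts" looks like at its simplest (this is example code written for this page, not TalkTalk's monitoring or any vendor's product), the following scans web-server access logs for the request patterns an injection probe leaves behind. The log lines are constructed in Common Log Format with invented addresses and paths; the signature list and the per-source threshold are illustrative assumptions, not a substitute for a maintained ruleset. Note the legitimate apostrophe in the last line, which the rules are written to leave alone.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access log (Common Log Format). IPs, paths and times are invented.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jul/2015:10:01:02 +0100] "GET /account?email=alice%40example.com HTTP/1.1" 200 512
203.0.113.9 - - [15/Jul/2015:10:01:05 +0100] "GET /account?email=x%27+OR+%271%27%3D%271 HTTP/1.1" 200 9120
203.0.113.9 - - [15/Jul/2015:10:01:07 +0100] "GET /account?email=x%27+UNION+SELECT+name%2Csql+FROM+sqlite_master-- HTTP/1.1" 200 2048
203.0.113.9 - - [15/Jul/2015:10:01:09 +0100] "GET /account?email=x%27+AND+SLEEP%285%29-- HTTP/1.1" 200 80
198.51.100.4 - - [15/Jul/2015:10:02:00 +0100] "GET /legacy/search?q=o%27neill HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<bytes>\d+|-)$"
)

# Illustrative signatures for the common probe shapes: tautologies, UNION-based
# extraction, time-based blind probes, trailing comment sequences and schema tables.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+['\d]", re.I),
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.I),
    re.compile(r"(--|/\*|#)\s*$"),
    re.compile(r"\b(information_schema|sqlite_master)\b", re.I),
]


def decoded_params(target):
    """Split the request target's query string and percent-decode each parameter."""
    query = urlsplit(target).query
    return [unquote_plus(part) for part in query.split("&") if part]


def matched_patterns(value):
    """Return the signature patterns that fire on one decoded parameter value."""
    return [p.pattern for p in SQLI_PATTERNS if p.search(value)]


def scan_log(text, threshold=2):
    """Return (hits, suspects): every flagged parameter with its source IP and the
    patterns it tripped, plus the set of IPs with at least `threshold` hits."""
    hits = []
    per_ip = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the scan
        for param in decoded_params(m["target"]):
            found = matched_patterns(param)
            if found:
                hits.append((m["ip"], param, found))
                per_ip[m["ip"]] += 1
    suspects = {ip for ip, n in per_ip.items() if n >= threshold}
    return hits, suspects


if __name__ == "__main__":
    hits, suspects = scan_log(SAMPLE_LOG)
    for ip, param, found in hits:
        print(f"{ip}  {param!r}  -> {found}")
    print("sources exceeding threshold:", sorted(suspects))
```

Signature matching like this is coarse and is only as good as the coverage of the log source, which is the article's real point: a database that nobody knew about generates logs that nobody reads.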
It is also worth noting that the ICO investigation itself was limited to TalkTalk's failure to adhere to the Data Protection Act. There is simply no knowing, therefore, what level of security monitoring was in place, nor whether there were other issues with the management of the information estate at the time.
What is clear is that it is this lack of a holistic approach to security that is proving to be the undoing of many organisations. We have the technology at our disposal to monitor these networks, and even to perform advanced network monitoring that ensures anomalous actions are logged, but without anyone to oversee it, that information becomes useless. Without the human in the machine, cyber security cannot function effectively. There needs to be a cultural change in these organisations that gives the CEO visibility of the information estate, the security controls and the remediation work, so that security doesn't get sidelined.
The £400,000 fine is the biggest issued by the ICO to date, but it pales into insignificance compared with the other costs to the company. TalkTalk has already shelled out £35 million in costs attributed to remediation and lost revenue, and then there is the reputational cost to consider. The company's handling of the incident was less than ideal: many jittery customers were told they were bound to their contracts, and by January that strategy had backfired, with the company losing seven percent of its customer base.
For the members of the board, the story doesn't end there, as the Metropolitan Police are also running a separate criminal investigation. That could well mean further repercussions for the individuals involved.