TalkTalk could be facing huge compensation costs in connection with the recently disclosed cyber attack and potential breach of the personal data of its four million customers.
Less than a week after the news that Sony Pictures is to pay $8m in compensation to former employees affected by data leaks that followed a cyber attack on the company in 2014, TalkTalk is facing a similar situation.
While Sony is unlikely to be affected by the payout in the long run, some commentators have suggested that the future of TalkTalk could be in jeopardy, with lawyers looking at compensation claims of £1,000 on behalf of thousands of customers and the total lost income expected to be as high as £75m, according to the Daily Star.
But the exact number of customers affected is still unknown, making it impossible to estimate what the total compensation cost could be.
TalkTalk has confirmed that defence company BAE Systems is to investigate the cyber attack that could have compromised the personal data of its customers.
A spokeswoman for BAE's Applied Intelligence division said the company's cyber specialists are analysing "vast quantities" of data to help establish how the breach took place and what information was stolen, according to the International Business Times.
Scotland Yard is also investigating alongside the National Crime Agency, but no arrests have been made.
Officers are examining a ransom demand sent by someone claiming to be responsible for the attack and seeking payment – but TalkTalk said it is not yet clear if the message is genuine.
The data breach is also under investigation by the Information Commissioner’s Office (ICO), which is currently empowered to impose a monetary penalty of up to £500,000 if TalkTalk is found guilty of severe data protection failings.
TalkTalk has downplayed the potential impact of the breach, emphasising that only its website was attacked and not its core systems, which means only partial credit card numbers were exposed, making them theoretically useless to cyber criminals.
“We now expect the amount of financial information that may have been accessed to be materially lower than initially believed and would on its own not enable a criminal to take money from your account,” the company said in a statement.
Loss of personal data extremely serious
However, cyber security experts have said the loss of personal data alone is extremely serious. “Media outlets focus heavily on the stolen credit card numbers, however, in practice, for the average person the theft of personal data is much more critical,” said Imperva co-founder and CTO Amichai Shulman.
“My advice to customers would be to keep a close eye for fraudulent activity on bank accounts and be particularly vigilant of phishing attacks,” he added.
The theft of financial information such as credit card or account numbers has a limited lifespan, because those details can be changed once the theft is known, said HP Data Security vice-president Andy Heather.
“But the personal information that can be obtained by accessing someone’s account profile has a much broader use and can be used to commit a much wider range of fraud and identity theft, and simply cannot be changed,” he said.
According to Heather, the selling price for a single stolen credit card is around $1, but if that card is sold together with a full identity profile the price can rise to as much as $500.
“If the cyber criminals know where the real value is then surely we should all expect a responsible organisation to pay appropriate attention to keeping our personal information safe,” he said.
“This breach highlights a need for companies to place tighter controls on how their customers' sensitive information is protected.”
According to TalkTalk chief executive Dido Harding, cyber attacks are happening to a huge number of organisations all the time.
“The awful truth is that every company, every organisation in the UK needs to spend more money and put more focus on cyber security – it's the crime of our era,” she told the Telegraph.
Harding said it was “too early to say” whether the company will establish a compensation fund to handle the fallout from the attack because it was still unclear how many customers had been affected and to what degree, according to the Guardian.
Encryption will not stop all cyber crime
While TalkTalk has been criticised for not ensuring that all data was encrypted, some security experts have pointed out that encryption will not stop all cyber intrusions.
While encryption at rest will render raw data copied from storage unusable to cyber criminals, independent security consultant Graham Cluley pointed out that a high proportion of data breaches are carried out using compromised credentials.
This means the data is accessed using the credentials of legitimate users, and the application decrypts it automatically for whoever presents those credentials, whether that is the real user or a criminal who has stolen them.
If a hacker uses a SQL injection vulnerability or any other vulnerability to gain root privilege, the hacker can then log on as any user, said Cluley.
“And because he's an authorised user, he has all the access to the sensitive database that the kosher user has,” he wrote in a blog post.
Tim Erlin, director of IT security and risk strategy at Tripwire, said that while it is important for any organisation that collects, stores or transmits personal information to ensure the data is encrypted at rest and in transit, encryption alone is not a perfect solution to data theft.
“The sensitive data we need to protect also needs to be used by various business systems. If those systems are compromised, the data can still be accessed by attackers. Companies need to secure the configurations of their systems as well as encrypt the data they use,” he said.
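The limitation Cluley and Erlin describe, as an added illustration that is not TalkTalk's code or that of any vendor quoted here: a small customer lookup over SQLite in which card numbers and addresses are encrypted at rest, but the application decrypts them on every read. A SQL injection through the vulnerable lookup therefore returns every customer's plaintext, while the same payload against the parameterised version returns nothing and a raw copy of the table yields only ciphertext. The key, the customer rows, the nonce handling and the HMAC-keystream cipher are all constructed for this example; the cipher is a stand-in chosen so the script needs no third-party library, not a recommendation.

```python
"""Added example: encryption at rest vs. access through the application's
own query path. Everything here (key, rows, cipher) is constructed for the
illustration and is not production code."""
import hashlib
import hmac
import os
import sqlite3

# Constructed data-encryption key. The "cipher" below XORs the plaintext with
# an HMAC-SHA256 keystream under a fresh random nonce per field. It models
# application-layer encryption at rest without extra dependencies; a real
# system would use an authenticated cipher such as AES-GCM instead.
DEK = b"constructed-data-encryption-key"
NONCE_LEN = 8


def _keystream(nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(DEK, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(plaintext: str) -> bytes:
    data = plaintext.encode()
    nonce = os.urandom(NONCE_LEN)  # fresh nonce per field, so no keystream reuse
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data))))


def decrypt_field(blob: bytes) -> str:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(nonce, len(body)))).decode()


# Constructed sample customers (test card numbers, made-up addresses).
CUSTOMERS = [
    ("alice", "4111111111111111", "12 Example Road"),
    ("bob", "5500000000000004", "7 Sample Street"),
    ("carol", "340000000000009", "3 Mock Lane"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, card BLOB, address BLOB)")
    for user, card, address in CUSTOMERS:
        conn.execute("INSERT INTO customers VALUES (?, ?, ?)",
                     (user, encrypt_field(card), encrypt_field(address)))
    return conn


def _decrypt_rows(rows):
    # The application decrypts on the way out for whoever reached this path,
    # legitimate user or attacker alike.
    return [(u, decrypt_field(c), decrypt_field(a)) for u, c, a in rows]


def lookup_vulnerable(conn, username: str) -> list:
    # String concatenation: the classic SQL injection flaw.
    sql = ("SELECT username, card, address FROM customers WHERE username = '"
           + username + "'")
    return _decrypt_rows(conn.execute(sql).fetchall())


def lookup_safe(conn, username: str) -> list:
    # Parameterised query: the payload is compared as a literal string.
    rows = conn.execute(
        "SELECT username, card, address FROM customers WHERE username = ?",
        (username,),
    ).fetchall()
    return _decrypt_rows(rows)


def dump_raw_table(conn) -> list:
    # What an attacker sees after copying the database file: ciphertext only.
    return conn.execute("SELECT username, card FROM customers").fetchall()


# Constructed injection payload: closes the string literal and appends a
# condition that is always true, so the WHERE clause matches every row.
INJECTION = "' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print("safe lookup with payload:      ", lookup_safe(db, INJECTION))
    print("vulnerable lookup with payload:", lookup_vulnerable(db, INJECTION))
    print("raw table copy:                ", dump_raw_table(db))
```

The vulnerable path leaks every customer's card number and address in plaintext even though the table itself holds only ciphertext, which is the point both experts make: encrypting the data protects a stolen copy of the database, not a query issued through the application with its own privileges.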
However, business advisory firm CEB said that when responding to the news of the potential personal data breach at TalkTalk, other organisations should not focus on investing in new technology alone.
CEB IT practice leader Jeremy Bergsman said the cyber attack on TalkTalk has led many other organisations to consider what can be done to stop these kind of attacks.
“While many companies are focused on fancy new security tools that attempt to leverage big data, it turns out that a focus on the basics is more important,” he said.
Bergsman said research shows that more than 99% of successful data breaches in 2014 exploited a vulnerability that was more than a year old, while more than 50% of breaches are the result of employee behaviour, such as opening a phishing email with damaging links or attachments.
“The fact that most breaches could have been stopped by patching known vulnerabilities or avoiding employee mistakes shows that the most important thing for an organisation to focus on is basic protections consistently applied, and helping employees understand their role in keeping information safe and having clear policies on risk and compliance,” he said.
“At the same time security controls can’t be too much of a burden; chief information security officers need to be realistic about the demands on employees’ time and resources.”