TalkTalk: Dodo Dido, the CEO in denial and with her head in the sand
via Flickr © dtaylorcreative (CC BY-ND 2.0)
- TalkTalk very careful to protect its own data but cavalier with anyone else's.
- Three cyber-attacks in a year but no Information Security Officer in post and little action taken.
- Nonetheless, CEO says TalkTalk's security is "head and shoulders" above other ISPs.
- If that's the case then, as Private Frazer of 'Dad's Army' says, "We're all doomed I tell you! Doomed!"
Ostriches are the creatures usually associated with attempting to escape looming reality by shoving their heads neck deep in the ground (and, for all we know, then whistling "Dixie" while they are down there) but Diana Mary "Dido" Harding, (aka the Conservative Life Peer, Baroness Harding of Winscombe of Nether Compton in the County of Dorset), the chief executive of the TalkTalk Group is much more of a dodo - facing imminent extinction but still clucking around the media outlets of the UK pretending that the sky isn't falling and that things are nowhere near as bad as they actually are. It would be pathetic were it not so very important.
There's no point here in rehearsing again the basic facts of the huge data breach that TalkTalk suffered last week (but then chose, for many hours, to keep secret from the regulators and the four million of its subscribers that have been affected) because they have been plastered all over the world's media for days on end now. What is needed in the aftermath is for TalkTalk to come clean about what happened and come up with a strategy to ensure that everything possible will now be done to mitigate the chances of such an attack ever doing so much damage ever again.
It seems that TalkTalk was first hit with a sustained but diversionary DDoS attack, which in and of itself would not be the root cause of a loss of data. That was down to an SQL injection (where hackers get into a database by entering instructions in a web form) that took place while the DDoS attack persisted. But an SQL injection is a well-known and easily defended ploy, and it is pretty evident that TalkTalk's security staff either didn't know one was taking place (totally unacceptable in an ISP) or that the company had no defence against it (utterly unforgivable in an ISP).
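As an added illustration, not code from the article or from TalkTalk, here is the defect the paragraph describes beside its standard fix: a web-form value pasted into the SQL text is parsed as SQL, while a bound parameter is only ever treated as data. The subscriber table and inputs are constructed for the example.

```python
import sqlite3

# Constructed sample data: a tiny in-memory subscriber table standing in for
# the kind of customer database the article is about.
SAMPLE_ROWS = [
    ("alice", "alice@example.invalid", "1234 5678 9012 3456"),
    ("bob", "bob@example.invalid", "9876 5432 1098 7654"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (username TEXT, email TEXT, card TEXT)")
    conn.executemany("INSERT INTO subscribers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the form field is concatenated into the query string, so
    whatever it contains becomes part of the SQL statement."""
    sql = "SELECT username, email FROM subscribers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the value is bound as a parameter and can only ever match
    literally, however it is spelled."""
    sql = "SELECT username, email FROM subscribers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Row counts each version returns for a normal name and for the classic
    always-true input; the unsafe version leaks the whole table."""
    conn = make_db()
    benign = "alice"
    tautology = "' OR '1'='1"  # rewrites the WHERE clause in the unsafe query
    return {
        "unsafe_benign": len(lookup_unsafe(conn, benign)),
        "unsafe_injected": len(lookup_unsafe(conn, tautology)),
        "safe_benign": len(lookup_safe(conn, benign)),
        "safe_injected": len(lookup_safe(conn, tautology)),
    }


if __name__ == "__main__":
    print(demo())
```

The same parameter-binding fix applies to any SQL client library; the detection side is simply that the bound form never lets form input reach the query parser.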
TalkTalk: The place where the buck definitely doesn't stop with the CEO
And then there's the little matter of the company's CEO, the aforementioned Ms. Harding, not knowing how much subscriber data was actually encrypted. That too is unforgivable. But, as we have seen over recent years, the convention that the buck stops with the boss, and that if that person is found to be at fault the right thing to do is for him or her to fall immediately on their sword before the board plunges a full set of executive daggers into the CEO's back, is now regarded as being as quaintly old-fashioned and irrelevant to today as the mediaeval code of chivalry.
Over the weekend some blog sites came to the aid of dodo Dido, pointing out that TalkTalk's erstwhile Chief Information Officer recently jumped ship to (irony of ironies) join the Police ICT company. Add to that the fact that many other IT staff have also voted with their feet over the past twelve months and one might be just able to discern amidst all the smoke and mirrors a possible reason for the parlous state of the company's encryption and security systems, policies and management. What's more, only two weeks ago TalkTalk was advertising for an Information Security Officer. If that's not both a message and a straw in the wind, I don't know what is.
It has also leaked out that TalkTalk has been continuing to use a certificate for 'accounts.talktalk.co.uk' that is signed with an SHA-1 signature. These are widely distrusted as being inherently insecure, and the PCI Security Standards Council's basic protocol, which is designed to provide a framework for securing payment card data, requires the use of an SHA-2 certificate and signature. Those of you who use Google's Chrome browser will already know that it issues a warning flag whenever it discovers SHA-1 certificates on HTTPS sites. TalkTalk, though, soldiers merrily on with SHA-1.
Now, companies have to complete a PCI audit annually and it will be interesting, to say the least, to discover exactly what TalkTalk submitted in the past. The Office of the Information Commissioner is already on TalkTalk's case and should it be found to be at fault then it can levy a fine of up to £500,000 - but this is no more than a drop in the bucket to TalkTalk or other ISPs and so pressure is already growing to give extra power to regulators and allow the imposition of really heavy and meaningful penalties.
Ian Fleming wrote in the James Bond novel "Goldfinger": "First time, happenstance. Second time, coincidence. Third time, enemy action." Well, TalkTalk has been successfully attacked three times this year so far. There was one in February, another in August and the latest was last week. You'd think the company would learn a lesson and act on potential enemy action, wouldn't you? But seemingly not.
For example, Paul Moore, a consultant with the information security specialist Urity, says that TalkTalk ignored warnings he issued last year about its lack of encryption. He says he contacted Dido Harding's office about what he calls TalkTalk's 'cybersecurity vulnerabilities' but met with a response that was "aggressive, defensive and dismissive". In other words, more or less exactly what worried and angry TalkTalk subscribers are getting now when they tell the company they want to leave because of the company's apparent inability to protect their data.
And the winner of the 2015 International Prize for Applied Hubris goes to ... TalkTalk
Later this week, the new James Bond movie, "Spectre" gets its global premiere in London, just as it becomes evident that a spectre is haunting TalkTalk. There is much speculation about who was behind last week's attack and now it is being suggested that it might have been - at least partially - an inside job. Time will tell.
Meanwhile, Dido Harding, in an interview with the UK's Guardian newspaper that surely must take the 2015 International Prize for Applied Hubris, said that in regard to website security "We [that's the royal 'we', of course, for she is the corporeal and spiritual embodiment of the company on earth and in sight of God] are head and shoulders better than some of our competitors." Can you believe such smug arrogance?
Meanwhile, Dr. Simon Moores, chairman of the International eCrime Congress that facilitates interaction between senior IT staff in law enforcement agencies and government bodies commented, "Everything we have seen suggests that TalkTalk historically may have failed to take reasonable steps and that the CEO appears completely out of touch with the risks that are widely described. For that at least she will have to answer to both her board and to her customers".
Dido Harding, who is married to a Conservative MP and is said to earn about £7 million a year, became CEO of TalkTalk in 2010. Last summer she was appointed as a director of the Bank of England. The silver lining here is that, thankfully, it's a non-executive post.
In an earlier incarnation the baroness was for a time the "convenience director" at the Sainsbury's supermarket chain. When she exits TalkTalk - as she surely must in due course - she might apply to have that job back. It comes with free mop, rubber gloves and a can of air freshener.