11.The ICO has yet to produce a final verdict on the TalkTalk cyber-attack and data breaches. We await the outcome of the ICO investigation into the TalkTalk cyber-attack and data breach, and note the comment from the ICO that the time taken for the investigation is partly due to the international dimension to the investigation. We accept this, but regret that, some eight months after the breach, customers are no closer to a clear understanding of what happened. Although the Information Commissioner did not complain about lack of capacity, it seems evident that 30 enforcement staff are not enough to handle 1,000 cases and almost 200,000 public concerns a year, even if the vast majority of cases are found not to warrant detailed investigation. We suggest that the new Information Commissioner make an assessment of resources and priorities as soon as possible.
12.We note that an unusual feature of the TalkTalk cyber-attack was that the Board took a decision to go public within a day of the attack, knowing that it would take at least several days (in fact it took two weeks) to work out how many customers were affected. TalkTalk also commissioned PwC to review TalkTalk’s systems as part of its follow-up to the cyber-attack. Although final judgement as to how the breach occurred must await this report, we recognise the strong crisis management response by TalkTalk and the prompt response and leadership shown by Dido Harding. However, it is important that TalkTalk publish as much of the PwC investigation as is commercially possible without delay, and set out how it will implement any necessary changes.
13.We received evidence from a number of individuals who had suffered financial losses after scam calls following the data breaches at third party suppliers to TalkTalk and also from individuals suffering from nuisance calls after third party data breaches. We did not receive any evidence of financial loss directly attributed to the cyber-attack itself. In oral evidence, Dido Harding underlined that TalkTalk had regularly written to customers in the 12 months preceding the cyber-attack informing them what information customer service agents would and would not seek if calling on behalf of the company. Following the cyber-attack, TalkTalk also contacted banks to monitor customer accounts and provided advice to consumer groups like Which? and Citizens Advice Bureau. Financial Fraud Action UK told us that
As fraudsters increasingly concentrate their attacks on customers, a major part of the response must be through awareness-raising about how customers can identify fraudulent approaches and protect themselves… FFA UK is calling for a landmark public awareness campaign to achieve a genuine step change in prevention.
14.We believe it is essential to increase customer awareness of on-line and telephone fraud and scams, but consumers also have a responsibility to protect themselves on-line. There needs to be a step change in consumer awareness of on-line and telephone scams. The Government should initiate a public awareness-raising campaign, on a par with its campaign to promote smoke alarm testing. All relevant companies should provide well-publicised guidance to existing and new customers on how they will contact customers and how customers can make contact to verify that communications from the company are genuine. This verification mechanism should be clearly signposted and readily accessible, as with existing customer contact and complaints mechanisms. The Information Commissioner should check that data controllers have put easy-to-use verification guidance and measures in place. We think that these recommendations should apply not only to the telecommunications sector but also more widely to all who hold customer personal data.
15.The inquiry also considered how the TalkTalk Board members took responsibility for cyber security and data breaches. During oral evidence, Dido Harding confirmed that she saw herself as “accountable and responsible” for security within the company, and in further probing, she elaborated that
line responsibility for keeping our customers’ data safe is split across a number of teams, so the accountability for security policies, the accountability for security audit, the accountability for security best practice, knowledge and dissemination within the organisation sits with the security function. The implementation of systems and processes that comply with those policies sits with my technology function. The implementation of the human elements of security—safe passwords, usage, complying with call centre policies—sits within my operations function. So it is impossible in a telecoms company to say that security only sits with the director of security.
16.Although ultimate responsibility for cyber security within a company lies with the CEO, it would be highly unusual for the CEO of a company to have to resign over an attack, and it is important that this is not used as a means to diffuse or avoid responsibility elsewhere. The day-to-day responsibility in any company should therefore be clearly allocated to a specific person, for example, the Chief Information Officer or the Head of Security. It is appropriate for the CEO to lead a crisis response, should a major attack arise. But cyber security should sit with someone able to take full day-to-day responsibility, with Board oversight, and who can be fully sanctioned if the company has not taken sufficient steps to protect itself from a cyber-attack. To ensure this issue receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cyber security, in a way to be decided by the Board.
17.We were keen to understand the level of technical sophistication behind the TalkTalk cyber-attack. Some commentators suggested that the cyber-attack was the product of an SQL (Structured Query Language) injection attack. We note that there had already been three occasions when the ICO had issued a fine following an SQL injection attack (the largest of which was £200,000) and these cases should have served as a warning to others, including TalkTalk. According to written evidence from Infosec, susceptibility to SQL injection is “one of the most prevalent vulnerabilities in web applications.” JISC (the higher education not-for-profit organisation for digital services and solutions) told us that
the vulnerabilities such as SQL injection most often exploited to create this kind of breach of customer data are not limited to telecoms and Internet service providers. Any organisation participating in e-commerce, in any industry, should be taking appropriate and continuing measures to ensure their systems are not vulnerable to similar attacks.
18.It is no longer a defence, for a company using an e-commerce platform, to say that it was not aware of the risk of SQL injection-based attacks, or of similarly established and in some cases routine forms of cyber-penetration. The ICO should introduce a series of escalating fines, based on the lack of attention to threats and vulnerabilities which have led to previous breaches. A data breach facilitated by a ‘plain vanilla’ SQL injection attack, for example, or continued vulnerabilities and repeated attacks, could thus trigger a significant fine. We were also surprised that there is no requirement to make security a major consideration in the design of new IT systems and apps. We therefore recommend that security by design should be a core principle for new system and app development and a mandatory part of developer training, with existing development staff retrained as necessary.
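To make concrete what a ‘plain vanilla’ SQL injection attack of the kind discussed in paragraphs 17 and 18 looks like, the following is an added illustration written for this page; it is not code from TalkTalk, PwC or any evidence submitted to the inquiry, and the customer table, column names and attacker input are all constructed. It places a lookup that builds its query by string formatting beside the parameterised form that a security-by-design approach would require, and shows that the same attacker input dumps every row from the first and nothing from the second.

```python
"""Added example: a string-built SQL query beside its parameterised fix.

Illustrative code for this page only. The schema, the three sample
customers and the attacker payload are constructed, not real data.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory customer table holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, "
        "sort_code TEXT, account_no TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, sort_code, account_no) VALUES (?, ?, ?)",
        [
            ("alice@example.invalid", "01-02-03", "11111111"),
            ("bob@example.invalid", "04-05-06", "22222222"),
            ("carol@example.invalid", "07-08-09", "33333333"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable: the user-supplied value is pasted into the SQL text.

    An input such as  x' OR '1'='1  closes the string literal and appends a
    tautology, so the WHERE clause matches every customer in the table.
    """
    sql = (
        "SELECT email, sort_code, account_no FROM customers "
        f"WHERE email = '{email}'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, email: str) -> list:
    """Hardened: the value is bound as a parameter, never spliced into SQL.

    The query shape is fixed at the placeholder; the driver hands the value
    to the engine separately, so the quote and OR in the payload are just
    characters of an e-mail address that matches no row.
    """
    sql = "SELECT email, sort_code, account_no FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


PAYLOAD = "x' OR '1'='1"  # constructed attacker input, not a real customer


def demo() -> tuple:
    """Run both lookups with the same payload; return (leaked_rows, safe_rows)."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, PAYLOAD)
    safe = lookup_parameterised(conn, PAYLOAD)
    return len(leaked), len(safe)


if __name__ == "__main__":
    leaked_rows, safe_rows = demo()
    print(f"string-built query returned {leaked_rows} rows for {PAYLOAD!r}")
    print(f"parameterised query returned {safe_rows} rows for the same input")
```

The fix is structural rather than a matter of filtering: no quoting or blacklist of keywords is needed once the value can never be interpreted as SQL, which is why binding parameters (or an ORM that does so) is the baseline that "security by design" implies for any code that touches customer data.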
19.Given the prevalence of cyber-attacks, it is important that companies and entities do not just focus their efforts on trying to prevent such attacks, but they also prepare themselves for the eventuality. As Symantec said in written evidence,
despite increased levels of investment, organisations should still expect to be attacked and sometimes breached, and they should be prepared to respond.
The Institute of Chartered Accountants in England and Wales concurred, arguing that business needed to see security breaches as an inevitable part of being in the digital economy today.
20.Although TalkTalk had run various business continuity exercises, including ones covering potential risks like cyber-breaches, TalkTalk had not planned or exercised how to handle a cyber-attack on this scale. In the 2016 Cyber Breach Survey for DCMS, it was striking that only 29% of companies had formal written cyber-security policies, and only 10% of companies surveyed had a cyber-incident management plan, although 42% of large companies did have one. Other submissions stressed the importance of “scenario-exercising to build organisational and national resilience” and BT saw testing and monitoring as an “essential part” of doing business in the digital economy. In written evidence, TechUK emphasised the importance of managing communications with customers, pointing out that an email after a breach can give cyber-criminals “an opportunity to spoof the affected company and dupe customers.” In major organisations, where the risks of attack are significant, the person responsible for cyber-security should be fully supported in organising realistic incident management plans and exercises, including planned communications with customers and those who might be affected, whether or not there has been an actual breach.
21.We note the announcement by TalkTalk in March 2016, that it would introduce voice biometric passwords for customers to access their accounts, the first UK Internet Service Provider (ISP) to do so. We await the impact of this change with interest.
17 ICO oral evidence Q151
18 Dido Harding oral evidence Q104
21 Dido Harding oral evidence Q22
22 TalkTalk supplementary evidence
24 Dido Harding oral evidence Q1
25 Dido Harding oral evidence Q9
26 An SQL injection attack is a code injection technique that exploits a vulnerability in how an application builds database queries from untrusted input.
27 ICO oral evidence Q170
32 Dido Harding oral evidence Q75-76
33 Dr Mils Hills
17 June 2016