October 2015 saw one of the most high-profile corporate cyber-attacks ever, although this incident may be remembered as much for the ineptitude of the public relations that followed as for the breach itself.
Indeed, several weeks after TalkTalk suffered one of the most significant hacks in recent memory, the company had still not offered its customers an explanation of how their data was compromised.
The attack saw sensitive information on more than one million customers put at risk. In response, the company offered an apology but explicitly refused to accept liability for its customers being victims of fraud as a result of its data loss.
THE CLEAR NEED FOR COMMUNICATION
UK businesses will draw many lessons from this unfortunate episode and, among them, will be the need for clear, credible communication in the immediate aftermath of an attack. In this case, the public statements made by TalkTalk appeared as ill-prepared as its online defences, and only time will tell what effect this may have on its long-term reputation and profitability.
Initially, following numerous reports of an outage, TalkTalk claimed that unspecified “technical issues” were to blame – there was no word on data compromises. Next, it told customers it had taken the site down temporarily, although behind the scenes it was informing police and stakeholders of an attack.
The first mention of a hack came more than 24 hours later, when a statement was released by the company admitting the recent issues had been the result of an attack. Only then were customers told their information could have been compromised. The statement admitted that the site was pulled down in an effort to protect customer data.
Despite admitting it had been hacked, it was a further week before TalkTalk opened up on what could have been stolen. In this announcement, it finally admitted that there was “a chance” that hackers had got their hands on “names, addresses, dates of birth, phone numbers, email addresses, TalkTalk account information, credit card details and/or bank details.”
After being pressed by the media, TalkTalk began offering confused and contradictory statements. First it claimed that the loss came as a result of a Distributed Denial of Service (DDoS) attack. However, these kinds of attack are only able to bombard a network with traffic, thus taking it offline. DDoS alone cannot retrieve information. Additionally, this contradicts a previous announcement from TalkTalk, in which the company claimed to have taken the site down itself.
More likely is that a DDoS attack took place in order to allow hackers the chance to take another route in. Or, as Trend Micro’s Rik Ferguson explained: “a DDoS was used to light a metaphorical fire in the front yard while the thieves snuck in around the back.”
More than two weeks on, TalkTalk has still not told customers specifically what information of theirs was leaked. However, this could be because of the sheer volume of victims. With more than one in 60 Brits affected by the breach, TalkTalk may not yet know exactly who was hit, and what was taken.
The company itself is obviously not happy about events either. As well as the obvious knock to customer confidence and a PR department's nightmare come true, the attack has had real, tangible effects: its share price dropped by some 11%, wiping millions off its value, and a report this week estimated its loss at some £30 million.
What’s not clear is the detail of the attack. We can confidently speculate that DDoS was used, and it’s not the first time it has been used to mask the real attack. If the conjecture that the real compromise was via an SQL injection attack is correct, then an obvious and well understood exploitable weakness was overlooked, suggesting yet again that the basic fundamentals of good cyber security practice are being overlooked.
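The "basic fundamental" that defends against SQL injection is binding user input as a query parameter rather than splicing it into the SQL text. The following Python example is added here to show the difference; it is not code from the article or from TalkTalk's systems, and the customer table, account numbers and card values are constructed stand-ins. The spliced lookup returns every customer row for an input that carries a quote, while the bound-parameter lookup treats the same input as a plain value and returns nothing.

```python
import sqlite3

# Constructed sample rows standing in for a customer-account table.
# The fields mirror the categories the article lists (name, address, date of
# birth, card details); the values are placeholders, not real data.
CUSTOMERS = [
    ("1001", "A. Example", "1 Sample Street", "1980-01-01", "4111-XXXX-XXXX-1111"),
    ("1002", "B. Example", "2 Sample Street", "1975-05-05", "5500-XXXX-XXXX-0004"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (account TEXT, name TEXT, address TEXT, dob TEXT, card TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", CUSTOMERS)
    return conn


def lookup_spliced(conn, account):
    """Vulnerable form: the caller's value becomes part of the SQL text, so a
    value containing quotes rewrites the WHERE clause instead of matching a row."""
    sql = "SELECT name, dob, card FROM customers WHERE account = '" + account + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, account):
    """Hardened form: the value is bound as a parameter, so it can only ever be
    compared against the account column, whatever characters it contains."""
    sql = "SELECT name, dob, card FROM customers WHERE account = ?"
    return conn.execute(sql, (account,)).fetchall()


def demo():
    """Return row counts for a normal lookup and a quote-bearing one, per form."""
    conn = make_db()
    normal = "1001"
    # Constructed input containing a quote; with the spliced form the clause
    # becomes  account = 'x' OR '1'='1'  and every row is returned.
    quoted = "x' OR '1'='1"
    return {
        "spliced_normal": len(lookup_spliced(conn, normal)),
        "spliced_quoted": len(lookup_spliced(conn, quoted)),
        "bound_normal": len(lookup_bound(conn, normal)),
        "bound_quoted": len(lookup_bound(conn, quoted)),
    }
```

Run `demo()` to see the spliced form hand back both customer rows for the quoted input while the bound form returns none; the same contrast holds for any database driver that supports parameter binding.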