
December 8, 2015

Codified Security’s research on TalkTalk’s web security published in the Telegraph

Over the weekend we had some research published in the Telegraph on the failures of TalkTalk’s remediation website.

The URL www.talktalk.co.uk/secure was the address that Dido Harding, TalkTalk’s CEO, directed her customers to after the data breach in October. The breach led to the personal details (bank account numbers, credit card details and so on) of 157,000 customers being stolen.

TalkTalk’s response to the hacking was a masterclass in failing at crisis PR (crisis PR that responds to data breaches will, I hope, become a growth area), with some people pointing the finger at Russian Islamist ‘cyber jihadis’. As it turned out, it was the work of teenage boys from all over the UK, perhaps taking too much inspiration from Mr. Robot.

As TalkTalk moved to remediation their CEO claimed that the company was working with ‘leading cyber crime specialists’ and publicising the services of talktalk.co.uk/secure to aid customers concerned about whether their data was accessed.

One of our researchers chose to take a look at the remediation website and within minutes realised that in spite of working with ‘leading cyber crime specialists’ the talktalk.co.uk/secure site was a mess.

The vulnerabilities allowed anyone with access to a customer’s internet connection and a minimal amount of technical skill to intercept communications with the site, redirect victims to malicious websites (such as a fraudulent credit reporting service), or snoop on sensitive data.

The TalkTalk case raises the question of whether the Government ought to introduce penalties for data breaches, and what the future of corporate liability for them should look like.