More Talk, Less Practical Advice: UK Government Recommendations Resulting from TalkTalk Breach
In late 2015, TalkTalk Telecom Group, a telecommunications provider in the United Kingdom, suffered a breach. The breach exposed the details of over 150,000 customers, including more than 15,000 bank account details and 28,000 credit card numbers. The breach cost TalkTalk 42 million British Pounds, cutting the company’s profits for the year in half, and resulted in the loss of more than 95,000 customers.
The breach was so significant that the British Government opened up an inquiry into the protection of personal data online.
After eight months, the initial conclusions and recommendations have been released. The following are some highlights:
- The report focuses heavily on the role of victims, not only TalkTalk and other enterprises but also consumers. For example, the primary recommendation is to increase customer awareness of online and telephone scams, recommending that the government initiate a public awareness-raising campaign similar to that for smoke alarm testing.
- It addresses the role of board members, and particularly the CEO in the case of a breach, recommending that “a portion of CEO compensation be linked to effective cyber security.”
- It talks about escalating fines “based on the lack of attention to threats and vulnerabilities, which have led to previous breaches.” At one point, it recommends that the EU General Data Protection Regulation (GDPR) increase the fines to €20 million from the current £500,000!
- It also recommends calling into force “Sections 77 and 78 of the Criminal Justice and Immigration Act of 2008” to punish those “obtaining and selling personal data.”
- It also recommends creating a “privacy seal” which would “be awarded to entities which demonstrate good privacy practice and high data protection compliance standards.”
Sadly, as is all too often the case with these types of inquiries, these recommendations provide very little practical advice on how to prevent the theft in the first place. It focuses more on how to help people avoid becoming the victim of a crime, and less on how to prevent the crime from taking place.
Protecting consumer data is an endless task for enterprises, which requires the constant adoption of new technologies in the face of new threats. In particular, enterprises have been slow in adopting data-centric protection measures while over investing in old school endpoint and perimeter security. Enterprises are still dragging their feet with deploying technologies that could mitigate existing and imminent threats like SQL injection although these technologies are readily available (e.g. Web Application Firewalls). So clearly there is room for improvement on the enterprise side, and some incentive in the form of stricter (enforceable) regulation is good. However, the report does not address the crux of the matter—which is reducing cyber-crime.
The inquiry repeatedly mentions that the ICO investigation is not over yet – eight months after the incident. Though there’s no word on the criminal investigation into who stole this information, why, and how they succeeded.
Finally, if this incident directly affecting UK businesses and consumers were critical enough to invoke investigative committee for the Parliament, why is it not getting the same attention from a law enforcement perspective?
While organizations can and should do more to protect consumer data, they cannot be left alone to fight cyber-crime. A strategy that involves both prevention and prosecution are essential to reducing these events in the future. Moreover, it seems like those are the two points that are glaringly missing from this report.