The title for this article may be a little bemusing.
The chickens have come home to roost refers to a 700-year-old expression, recently brought back to life in Martin Scorsese’s The Wolf of Wall Street.
It effectively means that the bad deeds, misguided actions or inaction committed in a lifetime will resurface at some point, just like chickens coming home to roost. It is an inevitability.
In the context of TalkTalk this expression represents the £400,000 fine it has just incurred for its poor website security management.
The breach happened last October and resulted in the theft of nearly 157,000 customers’ personal data.
In the attack nearly 16,000 bank account details were seized upon by the attacker/s.
The Information Commissioner’s Office (ICO), which imposed the fine, said in its report that the attack could easily have been avoided.
The database software, inherited when TalkTalk acquired Tiscali’s UK business in 2009, was outdated.
The attacker exploited this, gaining access through three vulnerable webpages within the inherited infrastructure using a well-known technique called SQL injection: user-supplied input was passed into database queries without being separated from the query itself. The bug allowed the attacker to bypass access restrictions and read the customer records behind those pages.
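To make the mechanism concrete, the following is an added illustration, not code from the article, the ICO report or TalkTalk, of how an injection of the kind described above turns a simple customer lookup into a dump of every row, and how a parameterised query closes the hole. The table, its rows, the password handling and the function names are all constructed for the example; the only real-world detail it borrows is the idea of a web page querying a customer database with attacker-controlled input.

```python
import sqlite3

# Constructed sample data standing in for the kind of records the article
# describes. The schema, names and account references are invented for this
# example; passwords are plaintext only to keep the toy short.
SAMPLE_ROWS = [
    ("alice", "s3cret", "ACCT-0001"),
    ("bob", "hunter2", "ACCT-0002"),
]

# The classic tautology payload: it closes the attacker's string literal and
# appends a condition that is always true.
PAYLOAD = "' OR '1'='1"


def build_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (username TEXT, password TEXT, bank_account TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username, password):
    """Vulnerable: input is spliced straight into the SQL text.

    With PAYLOAD in both fields the WHERE clause becomes
      username = '' OR '1'='1' AND password = '' OR '1'='1'
    which is true for every row, so the whole table comes back.
    """
    query = (
        "SELECT username, bank_account FROM customers "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterised(conn, username, password):
    """Hardened: the driver binds the values, so input can only ever be data.

    The same payload is compared literally against the username column and
    matches nothing.
    """
    query = (
        "SELECT username, bank_account FROM customers "
        "WHERE username = ? AND password = ?"
    )
    return conn.execute(query, (username, password)).fetchall()


def demo():
    """Run the payload through both lookups and return (leaked, safe)."""
    conn = build_db()
    leaked = lookup_vulnerable(conn, PAYLOAD, PAYLOAD)
    safe = lookup_parameterised(conn, PAYLOAD, PAYLOAD)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable lookup returned", len(leaked), "rows:", leaked)
    print("parameterised lookup returned", len(safe), "rows")
```

The point to take from the two functions is that the fix is not input filtering but keeping query structure and data apart: the parameterised version needs no list of forbidden characters, and the same discipline applies to stored procedures and ORMs that build SQL for you. A legitimate call such as `lookup_parameterised(conn, "alice", "s3cret")` still returns exactly Alice's row.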
TalkTalk had not scanned this infrastructure for vulnerabilities and was unaware of the problem. Since the breach came to light, however, the company says it has been completely open with the ICO, which is why TalkTalk says it is “disappointed” with the size of the fine.
“The TalkTalk attack was notable for our decision to be open and honest with our customers from the outset. This gave them the best chance of protecting themselves.”
The ICO, however, said security was bypassed with too little resistance, and Elizabeth Denham, the Information Commissioner said: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.”
“TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action,” she added.
Despite the record fine, the implications could have been much more severe – especially in a post-GDPR world.
“This is a very small fine compared to what will be possible once the GDPR comes in. An information commissioner could have fined TalkTalk up to £40m given that their global turnover was estimated at close to £1 billion. The cost of not doing security properly will increase substantially,” said John Madelin, CEO at RelianceACSN.
The size of the fine, and how much larger it could have been, should be a further wake-up call to businesses preparing for GDPR. Efforts must be redoubled.
“Once a company has a clear picture of the critical data needing protection, they should ensure that they have properly integrated layers of security – rather than a collection of disparate tools. These layers must be supported by the right processes and a proactive stance to threat hunting,” continued Madelin.
The chickens have come home to roost for TalkTalk, but it could have been a lot worse.