Yet another cybersecurity breach has reached international news. This time, the victim is Talk Talk, a telecommunications, internet access and mobile network services company in the UK. The company has since faced extensive media scrutiny after announcing on Thursday that over 4 million of their customers had their credit card and bank details stolen during a “significant and sustained cyber attack”.
Talk Talk began investigating the breach on October 21, but did not publicly acknowledge the hack until two days later. The attack is the company’s third major security breach in the past year. In December 2014 and February 2015, many customers received India-based scam calls after their contact details were leaked to hackers.
How Did It Happen?
The Cybersecurity Division of Scotland Yard is still trying to piece together the exact events that occurred. We do know that alarm bells were first sounded last Wednesday morning, when customers were experiencing problems accessing their online accounts. After realizing that they may have been victims of a breach, Talk Talk hastily shut down their systems to investigate.
It is currently assumed that a DDoS attack (Distributed Denial of Service) was used as cover for the data theft. A popular tactic among attackers: they flood the website with an overload of traffic, distracting those running it so that a secondary intrusion can take place under the radar. Rik Ferguson, president of security company Trend Micro, aptly described such DDoS attacks as “setting fire to the front yard, (so that attackers) can come in through the back door.” Although companies have been warned countless times of the risks of DDoS, many are still unable to determine when they are caught inside a ‘smoke screen’ attack.
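One defensive answer to the ‘smoke screen’ problem is to correlate the DDoS alert window with sensitive data access, so that the team fighting the flood also sees what happened to the data while they were busy. The following is an added example written for this article, not code from Talk Talk, Cyberint or any product; the log lines, event names, table names and the 15-minute grace period are all constructed assumptions for illustration. It pairs DDoS alert/clear events into windows (an alert with no clear stays open to the end of the log) and flags bulk reads of sensitive tables that fall inside those windows.

```python
from datetime import datetime, timedelta

# Constructed sample log (not from the article): timestamp, source, event, key=value details.
SAMPLE_LOG = """\
2015-10-21T09:58:10 waf ddos_alert target=www rate=120000rps
2015-10-21T09:59:02 app login user=svc_reporting src=10.0.5.7
2015-10-21T10:03:44 db bulk_read table=customers rows=850000 user=svc_reporting
2015-10-21T10:05:10 app login user=alice src=10.0.2.3
2015-10-21T10:20:31 waf ddos_clear target=www
2015-10-21T10:31:00 db bulk_read table=customers rows=400000 user=svc_reporting
2015-10-21T13:00:00 db bulk_read table=customers rows=900000 user=etl_nightly
"""

# Assumed names of tables holding customer or payment data (illustration only).
SENSITIVE_TABLES = {"customers", "card_tokens"}


def parse_log(text):
    """Parse one event per line into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ev = {"ts": datetime.fromisoformat(parts[0]), "source": parts[1], "event": parts[2]}
        for kv in parts[3:]:
            if "=" in kv:
                key, value = kv.split("=", 1)
                ev[key] = value
        events.append(ev)
    return events


def ddos_windows(events, grace=timedelta(minutes=15)):
    """Pair each ddos_alert with the next ddos_clear and extend the window by a
    grace period, because the follow-on intrusion often continues after the flood
    stops. An alert with no matching clear runs to the last event in the log."""
    windows, start = [], None
    for ev in events:
        if ev["event"] == "ddos_alert" and start is None:
            start = ev["ts"]
        elif ev["event"] == "ddos_clear" and start is not None:
            windows.append((start, ev["ts"] + grace))
            start = None
    if start is not None and events:
        windows.append((start, events[-1]["ts"] + grace))
    return windows


def is_sensitive(ev, row_threshold):
    """A bulk read of a sensitive table at or above the row threshold."""
    if ev["event"] != "bulk_read":
        return False
    return ev.get("table") in SENSITIVE_TABLES and int(ev.get("rows", "0")) >= row_threshold


def find_smokescreen_activity(events, windows, row_threshold=100_000):
    """Return sensitive data-access events that occurred inside a DDoS window."""
    findings = []
    for ev in events:
        if not is_sensitive(ev, row_threshold):
            continue
        if any(lo <= ev["ts"] <= hi for lo, hi in windows):
            findings.append({
                "ts": ev["ts"].isoformat(),
                "user": ev.get("user"),
                "table": ev["table"],
                "rows": int(ev["rows"]),
            })
    return findings


def run(text=SAMPLE_LOG):
    """Parse the log, build the DDoS windows and return the correlated findings."""
    events = parse_log(text)
    return find_smokescreen_activity(events, ddos_windows(events))


if __name__ == "__main__":
    for f in run():
        print(f"ALERT: bulk read of {f['table']} ({f['rows']} rows) by "
              f"{f['user']} during DDoS window at {f['ts']}")
```

On the constructed log this flags the two large reads of the customers table by svc_reporting during and shortly after the flood, and leaves the routine 13:00 ETL read alone. The point of the grace period is that the attacker’s second act does not stop the moment the flood clears; the point of the threshold is to keep the alert focused on bulk extraction rather than ordinary queries.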
“Who Done It?”
As the story behind the breach begins to unfold, it seems that the attackers may be even more malicious than previously thought. Adding insult to already serious injury, Talk Talk has revealed that they also received ransom demands from the alleged attackers. When speaking to the BBC on Friday, Talk Talk Chief Executive Dido Harding said the company had been “contacted by someone – either working as an individual or in a group – purporting to be the hacker”.
A Pastebin post titled “Message From TalkTalk Hackers” surfaced on October 22 where a Russian-based team of Islamic Extremists claimed responsibility for the attack, but whether this is in fact true is yet to be confirmed. Either way, it seems clear from the extent of the breach that the attack had been planned for some time, most likely by an organized group rather than an individual.
The Reality of Hacking
Unfortunately, the Talk Talk breach is just another event in a string of cyber attacks in the UK that have occurred over the last 12-18 months. The huge JP Morgan breach in 2014, which compromised 76 million households and seven million small business accounts, was meant to have been a ‘wake-up call’ for many large companies, but it seems that the warning signs have been ignored.
In Talk Talk’s case, had the company invested in the right tools to prevent this kind of breach, they would have:
- Not been hacked in the first place. It’s well known that hackers aim for the easier targets.
- Not had to deal with the repercussions of a huge plummet in their share price.
- Drastically reduced the churn of customers leaving for more secure operators.
- Saved their brand.
Crisis Averted with Cyberint
When it comes to prevention, had Talk Talk been using Cyberint’s security solutions, they would have saved themselves from this disaster. CyberInt’s solutions provide protection beyond the perimeter, examining threats which have not yet materialized and identifying breaches in their very early stages. This is done by automating the process of intelligence collection on the Dark Web and other places where hackers plan their attacks, acquire the tools and ‘sell off’ the stolen data.
Additionally, CyberInt has the world’s first Cyber Readiness Suite, which allows organizations to automatically orchestrate complex attack scenarios against themselves on an ongoing basis. This allows cybersecurity leaders to make knowledgeable decisions based on facts, not assumptions. As in Talk Talk’s case, a complex attack scenario often includes a DDoS attack as a decoy, while a full APT attack surgically targets the right person or group within the organization.
True cybersecurity is all about investing in protection in the right places in order to make sure that your company is a hard target for attackers to penetrate. With our Cyber Readiness Suite, Talk Talk would have been able to achieve exactly that.
Facing The Legal Consequences
The Talk Talk attack also opens a much larger and more complex can of worms. Experts predict that Talk Talk will face an investigation by the Information Commissioner’s Office, where the company is likely to be questioned on what steps it has taken to comply with PCI DSS regulations. Based on the outcome, the ICO can impose penalties of up to £500,000 – a hefty sum, but only a small fraction of the amount that can be imposed in the US. For example, US telecom giant AT&T was forced to pay over £17 million for data breaches in its call centers in Mexico, Colombia and the Philippines. Compared to its equivalent in the US, Talk Talk will be walking away from the breach almost scot-free.
With the US currently re-examining its cybersecurity laws through the CISA Bill, the events of last week have reminded UK politicians on both sides of the table that their cyber laws are in need of a serious overhaul. Former Home Office minister Hazel Blears described the TalkTalk data breach as “a wake-up call” that should prompt a debate about whether further regulation is needed, suggesting cybercrime is “probably the biggest threat to our economy”. Labour shadow cabinet minister Chi Onwurah has called for “a code of practice to encourage companies to take greater responsibility for data loss.” Other MPs have suggested the need for government to appoint a cabinet minister with clear and sole responsibility for cybersecurity.
Without question, the UK and the EU need to catch up to the US when it comes to clamping down on cybersecurity. Companies are more likely to think twice about how they treat their clients’ data when the repercussions for a breach are greater. In the meantime, companies should not need more examples to see that they need to be more proactive about using real-time intelligence.
Having the appropriate safeguards in place to mitigate attacks at the right place and at the right time is the only way to ensure that your company remains safe. As the capabilities and intelligence of hackers grow, and the tools to initiate a targeted breach become more widely available, one wonders what it will take for companies like Talk Talk to take cybersecurity seriously.