Police discouraged TalkTalk from going public with breach
Tue 5 Jun 2018
The Met Police initially discouraged TalkTalk from going public with information on its data breach in 2015, the company’s former CEO has revealed.
The telco’s huge data breach, which revealed 156,959 customers’ personal information and 15,656 banking details and led to a £400,000 fine, was “consciously” publicised by the company, according to Baroness Dido Harding, who was CEO at the time.
This was in order to protect customers by providing them with as much information as possible, she said. The company wanted to do this as quickly as possible in order to get the information out there and prevent fraud.
TalkTalk’s 2015 data breach
Speaking at Infosecurity Europe in London, Harding said: “Being armed with somebody’s bank account details doesn’t make it particularly easy to steal from them. Phoning somebody up pretending to be from TalkTalk, with their account details, makes it easy extremely easy to scam someone. So, the judgement we made as a business, 24 hours after we’d been attacked, was that the best way we could protect our customers was by warning them.
“A lot of our customers were elderly and perhaps less tech-savvy, so we went through broadcast media as well. We consciously made the decision to go out there with both old-fashioned and modern social media to reach our customers.
“Lots of people didn’t want us to do that. We found out Wednesday lunchtime, and on Thursday lunchtime we’d decided to go public with it. The Metropolitan Police strongly advised us that they would like us to give a few more days to catch the bad guys. We spent the afternoon discussing with, amongst others, the head of the Met’s hostage negotiation team.
“Eventually I said ‘if you can promise me that there is at least a chance, a meaningful chance, that we can have this data back, without ever having to tell anybody, then we can have this conversation.'” Obviously, this wasn’t the case, and therefore the decision was made to get the information out.
Harding said that ultimately, the Met “couldn’t have been more supportive.” The point that she was illustrating in her talk was that it is crucial to get information in the open as soon as possible so that customers can protect themselves.
At the time, Harding came under significant criticism, in part for the slow release of the information. She admitted that releasing details of the breach this late was a mistake, though noted the long conversation that was had with the Met Police.
The company, and in particular Harding, also came under fire for describing the incident as a DDoS attack, which would not have led to data loss on its own, admitting uncertainty on whether or not the data was encrypted, and telling reporters that there had been a ‘sequential attack’, a mislabelling of SQL injection. Harding is now chair of NHS Improvement.