BreachExchange mailing list archives

The TalkTalk hack can’t be shrugged off


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 16 Nov 2015 17:23:30 -0700

http://www.equities.com/index.php?option=com_k2&view=newsdetail&id=469709


The political theorist David Runciman draws a useful distinction between
scandals and crises. Scandals happen all the time in society; they create a
good deal of noise and heat, but in the end nothing much happens. Things go
back to normal. Crises, on the other hand, do eventually lead to structural
change, and in that sense play an important role in democracies.

So a good question to ask whenever something bad happens is whether it
heralds a scandal or a crisis. When the phone-hacking story eventually
broke, for example, many people (me included) thought that it represented a
crisis. Now, several years – and a judicial enquiry – later, nothing much
seems to have changed. Sure, there was a lot of sound and fury, but it
signified little. The tabloids are still doing their disgraceful thing, and
Rebekah Brooks is back in the saddle. So it was just a scandal, after all.

When the TalkTalk hacking story broke and I heard the company’s chief
executive say in a live radio interview that she couldn’t say whether the
customer data that had allegedly been stolen had been stored in encrypted
form, the Runciman question sprang immediately to mind. That the boss of a
communications firm should be so ignorant about something so central to her
business certainly sounded like a scandal.

To appreciate that, just put it in a non-electronic context. Imagine a
chemicals company that, as part of its operations, needs to process
hazardous, carcinogenic materials, and therefore has to store them on site.
Now imagine that some unscrupulous guy siphons off large quantities of the
hazardous gunk and when this crime is revealed by the company, the boss is
unable to tell reporters whether the tank containing the hazardous material
was locked, or even covered.

If TalkTalk had been a chemicals producer and toxic chemicals had been
stolen, the public outrage would be palpable. But because it’s a
communications company, the response is just a resigned shrug. It’s just
personal data, theft of which goes on every week: just think of the
infidelity site Ashley Madison and the US health insurer Anthem. Stuff
happens, move on.

The trouble is that personal data in the wrong hands is a very hazardous
substance indeed. It’s the raw material that fuels a vast global industry,
which uses it for phishing, pharming, malware distribution, hacking of
corporate databases, extortion and blackmail. The industry is supported by
an elaborate infrastructure of virus writers and specialist hackers who
hire out networks of “botnets” (thousands of compromised computers) to
carry out automated attacks.

Added to this are elaborate networks of online exchanges in which stolen
credit card details and other personal data are freely bought and sold,
much as Beanie Babies are traded on eBay. The going rate for a stolen
credit card, for example, is between 50p and £1, but bank account details
or social security numbers often go for 10 times that. On some of these
exchanges there are even ratings systems in which crooks rate one another
for trustworthiness!

This is a far cry from the public impression of hacking as an activity
practised by teenage boys in suburban bedrooms – a fantasy reinforced,
incidentally, by the much-publicised arrests of a number of teenagers after
the TalkTalk exploit. Most cybercrime now is the work of highly organised
criminal groups who do it because it is so profitable and carries so little
risk of detection, conviction or arrest.

So companies like TalkTalk are up against professional criminals. They
therefore need to up their amateurish game. If a company’s business
requires it to store customers’ sensitive information, then data security
has to be a board-level responsibility, up there with health and safety and
regulatory compliance. It is not just a matter for techies and boffins. And
there have to be serious criminal and civil penalties for carelessness,
complacency or incompetence.

Since there is no such thing as a completely secure online network, there
will always be breaches. Cyber security is hard. What we are entitled to
expect, though, is that organisations that hold our data take their
responsibilities seriously and use state-of-the-art protection measures
that are regularly reviewed and updated as attack techniques evolve. We
need legislation to compel them to promptly reveal data breaches to
customers, the police and industry regulators. And senior executives who
fail in their duty of data care should be treated the same way as company
directors who fail in their fiduciary duties. In the last analysis, they
should go to jail.

None of this is rocket science. It’s really just common sense. We have an
opportunity to turn the TalkTalk scandal into a crisis. Let’s take it.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/