BreachExchange mailing list archives

TalkTalk Took a Big Bath Over Breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 9 Feb 2016 14:36:13 -0700

http://www.databreachtoday.com/blogs/talktalk-took-big-bath-over-breach-p-2058

Here's more evidence how a data breach can have a major financial impact.
U.K. telecommunications giant TalkTalk announced last week that its October
2015 breach will likely cost it up to £65 million ($94 million) and has led
to the loss of 95,000 customers. That assessment was delivered as part of
the company's third quarter financial report, which covers the period from
Oct. 1 to Dec. 31 of last year.

The company says it lost an estimated £20 million ($29 million) in revenue
while its site was down because new customers couldn't sign up for many
types of services. Plus, TalkTalk literally resorted to paying existing
customers not to leave by offering free upgrades, after it took flak for
controversially stating that no customers would be legally permitted to
break their existing contracts - for example for mobile phone subscriptions
- without paying a penalty, unless they could prove that they had suffered
financial damage as a result of the hack. Privacy experts said that proving
such damage would likely be impossible.

But paying customers to stay didn't come cheap. TalkTalk estimates that the
free upgrades, plus the breach remediation itself, cost £40 million to £45
million ($58 million to $65 million). That includes "the exceptional costs
of restoring our online capability with enhanced security features,
associated IT, incident response and consultancy costs, and free upgrades,"
TalkTalk says.

To recap, the company says the breach resulted in 157,000 individuals'
personal information being accessed by attackers, including 16,000 bank
accounts and related sort codes, plus 28,000 tokenized credit card numbers.
British police, as part of their investigation into the hack attack and a
related ransom demand, have arrested five suspects, four of whom are
teenagers (see TalkTalk Lesson: Prepare for Breaches).

Advanced "Sequential Attack"

When it came to responding to the breach, TalkTalk initially moved slowly.
CEO Diana Mary "Dido" Harding initially said attackers had wielded a
"sequential attack" against her company, by which she appeared to mean a
SQL injection attack. Many security experts say injection vulnerabilities
are easy to spot and eradicate, provided businesses take the time and
effort to do so.

Despite Harding's apparent discomfort in front of the camera, however, she
wasn't reluctant to issue mea culpas in media interviews - and via YouTube
- over the fact that her company had suffered its third data breach in just
12 months.

The head of the publicly traded company is now attempting to spin its $94
million breach bill as having been not that bad, and portraying the 14
percent of customers who snapped up freebies as being a strong response.
"It is encouraging to see the business returning to normal after a
challenging quarter that was dominated by the cyberattack," Harding says in
a statement. "Our customers have responded well, with almost half a million
customers choosing to take up our unconditional offer of a free upgrade."

Embarrassing Security Failures

Another surprising - if belated - result of the breach investigation has
been the discovery of an apparent scam attack against the company's
customers. TalkTalk says in a Jan. 27 blog post that its breach
incident-response team uncovered evidence that three employees at
India-based Wipro, which provides call center services to TalkTalk, had
stolen customers' data and were tied to attempted telephone scam campaigns
targeting the telco's customers.

"Acting on information supplied by TalkTalk, the local police [in Kolkata]
have arrested three individuals who have breached our policies and the
terms of our contract with Wipro," TalkTalk says. "We are also reviewing
our relationship with Wipro."

What remains unclear, however, is how many customers will drop TalkTalk
once they can leave without paying a financial penalty.
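The "sequential attack" Harding described is a SQL injection. As an added example that is not part of the article above and has nothing to do with TalkTalk's actual systems or schema, the Python/sqlite3 snippet below contrasts a lookup that splices untrusted input into the query text with the parameterised form that fixes it. The table names (customers, card_tokens), column names and rows are constructed for illustration; the two payloads show the two outcomes the story alludes to, a filter bypass that returns every customer and a UNION that pulls rows out of a second table.

```python
import sqlite3

# Constructed sample data (illustrative only; not a real schema or real records).
SAMPLE_CUSTOMERS = [
    ("alice", "alice@example.invalid", "12-34-56"),
    ("bob", "bob@example.invalid", "65-43-21"),
    ("carol", "carol@example.invalid", "11-22-33"),
]
SAMPLE_CARD_TOKENS = [
    ("alice", "tok_1111"),
    ("bob", "tok_2222"),
]


def make_db():
    """In-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT, sort_code TEXT)")
    conn.execute("CREATE TABLE card_tokens (username TEXT, token TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.executemany("INSERT INTO card_tokens VALUES (?, ?)", SAMPLE_CARD_TOKENS)
    conn.commit()
    return conn


def vulnerable_lookup(conn, username):
    """Injectable: the caller's string becomes part of the SQL statement itself."""
    sql = ("SELECT username, email, sort_code FROM customers "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()


def safe_lookup(conn, username):
    """Parameterised: the value travels separately from the statement, so
    quotes, OR clauses and UNIONs in the input are just characters in a string."""
    sql = "SELECT username, email, sort_code FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Two constructed attacker inputs.
# Closes the quoted literal and makes the WHERE clause always true.
BYPASS_PAYLOAD = "x' OR '1'='1"
# Closes the literal, appends a UNION against another table with a matching
# column count, and comments out the trailing quote.
UNION_PAYLOAD = "x' UNION SELECT username, token, 'n/a' FROM card_tokens --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass :", vulnerable_lookup(db, BYPASS_PAYLOAD))
    print("vulnerable, union  :", vulnerable_lookup(db, UNION_PAYLOAD))
    print("parameterised, bypass:", safe_lookup(db, BYPASS_PAYLOAD))
    print("parameterised, union :", safe_lookup(db, UNION_PAYLOAD))
```

Against the constructed data, the bypass payload returns all three customers and the UNION payload returns the two card-token rows through the customer endpoint, while the parameterised lookup returns nothing for either because no customer is literally named `x' OR '1'='1`. The fix is mechanical, which is the point the quoted experts make: every place a query is assembled from strings is a candidate, and each one is removed by switching to bound parameters.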
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
