TalkTalk have announced that their profits halved following the cyber attack on the company in October 2015. Profits fell to £14m, down from £32m the year before. The fall is attributed in part to the costs of the cyber attack by a number of hacktivists in the UK (six arrests have been made – all individuals are under 21).
TalkTalk lost 101,000 subscribers in the quarter immediately following the attack, in which the personal data of around 160,000 customers was compromised. This included email addresses, names and phone numbers, plus 21,000 unique bank account numbers and sort codes.
TalkTalk’s immediate response was to play hardball with any customer trying to leave – quoting contract terms and penalty fees should they go. Nowhere in their response was an identification of their responsibility for safeguarding customer data – and the onus fell to the customer to prove that any loss of future money was solely due to the hack. So, for example, if a customer was spear-phished through social engineering as a result of the compromised personal data, that would be the customer’s fault.
If there was an Incident Response Plan (they had suffered previous breaches in the preceding year), there is little to show that any lessons from it have been learned to date.
Despite this, TalkTalk CEO Dido Harding maintains today that the company has recovered and that the customer churn experienced in the first quarter following the attack has since been stemmed, which in her eyes indicates customer satisfaction.
Total revenues are reported to have grown 2.4% to £1.83 billion in the 12 months to 31st March 2016. However, no matter how upbeat the CEO is in talking up the positives in May 2016, the company’s PR mishandlings, lack of probity and lack of knowledge indicate a disrespect of the customer, who (along with their data) should be, and feel, cared for at all times.
So we’ll need to wait and see over the next 12 months what the figures and customer base numbers reveal. However, one thing is certain: the company’s failure to manage and protect its customers’ data with due diligence and probity has led to a very public sullying of the brand and ridicule in some boardroom circles.
The TalkTalk debacle should go into the lexicon for all future Board directors as a lesson in how not to handle a disaster. For any Board today, at least one member must understand and be accountable for cyber security so that the appropriate reviews, decisions, IT investments and staff education are undertaken. This means:
1. Understanding cyber security and identifying what your data crown jewels are
2. Ensuring your company has up-to-date security policies and practised procedures that follow ISO 27001 compliance procedures
3. Having your company’s infrastructure interrogated regularly for vulnerabilities and plugging any gaps
4. Working with data security specialists to monitor every device, every piece of infrastructure and every location where your business or staff operate, to ensure you maintain endpoint security at all times.
Amicus ITS has a Security as a Service offering, called Foxcatcher. If you wish to speak to one of our team to discuss your organisation’s security, call us on 02380 429429.