Cyber attacks unfold in stages: there is the breach itself, the discovery of the attacker, the media fall-out, the attempts to rebuild.
Few companies have lived out this process in such a public way as TalkTalk.
Early reports by Kantar WorldPanel suggested that after disclosing an attack on its systems, resulting in the personal details of 156,959 customers being accessed, the telco had seen its share of new customers falling 4.4 percent in the months following the attack and 7 percent of its broadband base turned to different providers.
More empirical evidence of how the attack affected TalkTalk’s fundamentals and its standing with customers will arrive when the company’s full-year results are released on 12 May.
There is little precedent for assessing how a cyber attack affects a brand reputation. Ashley Madison, the website for extramarital affairs, saw a reported 87,596 female users joining the site in weeks following the hack.
But what were the long-term results within TalkTalk itself, and the long-term effects on its executives? What has TalkTalk learned from the attack?
“There is always a silver lining in these issues,” Charles Bligh, MD of TalkTalk Business, Technology and Security, tells CBR about the attack.
Content from our partners
Bligh says that more details about the aftermath of the attack will be revealed at the time of the results. However, he says that the company is very much “drawing a line in the sand on the cyber incident.”
“Things have settled down very quickly, customers and the company are past the incident,” says Bligh.
There were no major casualties from the attack. Most notably, CEO Dido Harding is still in place, and in October told the Telegraph that she retained the support of the whole TalkTalk board. This included chairman, founder and biggest shareholder, Sir Charles Dunstone.
Bligh, the board member who heads up the company’s security team, echoes Harding when he defends the level of importance that TalkTalk already placed on cyber security at the time of the attack.
“Remember we were attacked: it wasn’t that we left something lying around in the back of a taxi,” says Bligh. “This was an attack on the company.”
In her hearing with the Culture, Media and Sport Committee, Harding accepted that “of course [she] would” have done more on cybersecurity if she had the time again.
However, she said that cybersecurity was an item at every board meeting and that the board had detailed in-depth sessions three times in the course of the last nine months.
Bligh tells CBR that the importance has “gone up a level in terms of the discussion.”
However, he highlights the subtle transformation that the company has gone through, though, from cyber security being an item on the board meeting to being a “lens” through which all decisions are viewed.
“I don’t think there is one aspect of the business that is not now security-led,” says Bligh.
TalkTalk has taken some concrete, measurable steps: the company is “substantially” increasing its investment into cyber security, according to Bligh.
“There are substantial improvements in monitoring, security, prevention as well as hardening our assets in our company,” Bligh says, avoiding specifics as these might make the measures less effective.
More subtle are the cultural changes, which Bligh says every company will have to undergo at some point.
What stands out to Bligh is the language that is being used to discuss security in the company.
“What I found during the event and subsequently afterwards was that there was a big education we needed to go through so we were all talking about the same thing,” says Bligh.
“A great example is board members asking if we are safe. As soon as you get that question you know you have not been through an education process. It’s not the right question.
The question and the answer, Bligh says, are much more nuanced than a yes or no or thirty-second response.
“The correct question is can you describe the levels of security and the defences we have, and what is our risk profile.”
In the long-term though, this establishment of a consistent language for discussing cyber security throughout the organisation has been productive for the company and has improved its decision-making process.
“That actually was the thing that unblocked making lots of really swift decisions on lots of items.
We are much quicker at making decisions around security.”
TalkTalk has been sharing its learnings with other companies, whom Bligh says are concerned that something similar has happened or will happen to them in the future.
Companies considering how to respond to cyber attacks now or in the future could do a lot worse than looking at the companies who have publicly gone on this journey. TalkTalk’s results next week will shed more light on where it leads.
TalkTalk hack Timeline:
– 21 October: The hack takes place. A Distributed Denial of Service attack is used as cover as hackers exploit a vulnerability in the site and customer details are stolen.
– 23 October: TalkTalk announces the hack in a post on its website. It is believed that as many as 4 million customer accounts may have been affected. CEO Dido Harding confirms on the same day that the company received a ransom note from a group claiming responsibility for the breach. The Metropolitan Police launches an investigation into the attack.
– 26 October: TalkTalk customers claim to have been affected by the data breach before the data and time given by the company. Pensioner Judy Gunning, interviewed in the Mirror and Telegraph claimed to have lost £15,000 after being contacted on 10 September.
– 27 October: First suspect arrested in connection with the hack, a fifteen-year-old boy, under the Computer Misuse Act.
– 30 October: Another suspect arrested.
– 6 November: TalkTalk reveals that only 4 percent of customers’ data was accessed in the hack. This meant that 156,959 customers had their personal details accessed. TalkTalk also said that the credit and debit card numbers that were accessed were obscured.
– 11 November: Harding reveals estimates of a one-off cost to the company of between £30 million and £35 million.
– 25 November: A further arrest is made.
– 15 December: Harding gives evidence to the Culture, Media and Sport select committee to defend her company’s record on cybersecurity.
