Another day, another over-sensationalised hack in the media. These are now becoming so common that it’s almost no longer news; just 10 minutes of fame for the victim.
However, the TalkTalk attack might be slightly different. What at first appeared to be just another run-of-the-mill data theft now transpires to be something else: Chief Exec Dido Harding had received ransom demands from the hackers before the attack. To put this another way, Harding knew of a possible attack.
To me, this raises two questions:
1) This is not the first TalkTalk breach. So, following previous attacks and despite warnings from security testers about apparent weaknesses, why was their security not strengthened?
2) Why, with an attack likely, can TalkTalk claim they don’t know if their data was encrypted?
A persistent hacker will find a way in. Achieving a 100% secure internet-facing network is nigh on impossible. However, applying data encryption is lesson one, day one, in security school. Today there is no excuse for not storing data using encrypted salted hashing, or transmitting data without AES-256 encryption as a minimum.
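What "lesson one" looks like for stored customer credentials, as an added example that is not part of the original post: a bare SHA-256 of each password (the weak scheme) beside a per-record salted PBKDF2 hash with a constant-time verifier. The customer records and the iteration count are constructed for illustration.

```python
"""Contrast unsalted hashing with per-record salted PBKDF2 for a customer
table. Everything here is constructed sample data, not TalkTalk's systems."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # work factor; raise as hardware gets faster


def hash_unsalted(password: str) -> str:
    # Weak scheme: the same password gives the same digest for every
    # customer, so a stolen table exposes shared passwords and can be
    # matched against precomputed digests.
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes = None) -> str:
    # Per-record random salt, stored next to the hash as "salt$hash".
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password: str, stored: str) -> bool:
    # Recompute with the stored salt and compare in constant time so the
    # check does not leak where the first mismatching byte is.
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed sample customers; two of them chose the same password.
CUSTOMERS = {"alice": "Summer2015!", "bob": "Summer2015!", "carol": "c0rrect-horse"}


def duplicate_digests(hasher) -> int:
    # How many stored records share their digest with another record.
    # With the unsalted scheme alice and bob are visibly identical (2);
    # with per-record salts no two records match (0).
    digests = [hasher(pw) for pw in CUSTOMERS.values()]
    return sum(1 for d in digests if digests.count(d) > 1)


if __name__ == "__main__":
    print("unsalted duplicates:", duplicate_digests(hash_unsalted))
    print("salted duplicates:  ", duplicate_digests(hash_salted))
```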
Have we not learned anything from all these preceding attacks? We only need to look back a few weeks to Ashley Madison and their unencrypted data. Instead of CEOs taking the helpless-victim stance, it is time that C-level execs took responsibility for a lack of the proper level of data protection, especially of customers' personally identifiable data. Had the hackers stolen major intellectual property rather than just customer data, then Harding might be under more pressure from her board.
When organisations are aware of an impending attack and do not take the most basic measures to secure data, then it is time for business leaders to stand up and face the repercussions for their lack of action. But instead the true victim is the ever-trusting customer, who is now faced with clearing up another corporate mess.