The Information Commissioner has fined TalkTalk £400,000 because its “failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease”, as reported by the ICO.
The ICO’s investigation revealed that the attack “could have been prevented if TalkTalk had taken basic steps to protect customers’ information.”
A study of the attack
Attackers accessed a database that contained 156,959 customers’ information (names, addresses, birth dates, phone numbers and email addresses) via three insecure webpages that TalkTalk inherited when it acquired Tiscali’s UK operations. Here begins the chain of events that led to the data breach:
- After the acquisition, TalkTalk didn’t properly scan the inherited infrastructure for vulnerabilities, and so failed to discover the existence of these three insecure pages.
- TalkTalk didn’t know that the database software was outdated and no longer supported by the provider. It also didn’t know that the software contained a known bug, or that a patch had been released three-and-a-half years before the attack. The bug allowed cyber attackers to bypass access restrictions and access data.
- In July and September 2015, the company was attacked twice by cyber criminals using a very basic technique: SQL injection. This is the same technique they later used to exploit the three vulnerable pages. TalkTalk claimed not to be aware of these intrusions.
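The failure mode the ICO describes (a web page that passes untrusted input straight into a database query) comes down to how the query is built. The example below is added here and is not code from TalkTalk, Tiscali or the ICO report: it builds a constructed customer table with the same kinds of fields the report lists, shows a lookup that concatenates user input into SQL beside the parameterised form, and demonstrates that only the concatenated version returns every customer when given a crafted value.

```python
import sqlite3

# Constructed sample data modelled on the field types the ICO report lists;
# this is not TalkTalk's real schema or data.
CUSTOMER_ROWS = [
    ("Alice Example", "1 High St", "1980-01-01", "01234 567890", "alice@example.com"),
    ("Bob Example", "2 Low Rd", "1975-06-15", "01234 098765", "bob@example.com"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (name TEXT, address TEXT, dob TEXT, phone TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", CUSTOMER_ROWS)
    return conn


def lookup_vulnerable(conn, email):
    """Lookup built by string concatenation (the pattern to avoid).

    The caller's input becomes part of the SQL text, so a value that closes
    the quote and adds an always-true condition rewrites the WHERE clause
    and the query returns every customer instead of one.
    """
    sql = "SELECT name, email FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Parameterised lookup: the input is bound as data, never parsed as SQL.

    The same crafted value is compared literally against the email column
    and simply matches no row.
    """
    sql = "SELECT name, email FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    crafted = "' OR '1'='1"  # constructed test input, not from the report
    print("concatenated query returned", len(lookup_vulnerable(db, crafted)), "rows")
    print("parameterised query returned", len(lookup_safe(db, crafted)), "rows")
```

The same contrast applies to any database driver that supports bound parameters; the concatenated form is what vulnerability scanning of inherited web pages is meant to catch before an attacker does.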
Failure to implement the most basic cyber security measures
Elizabeth Denham, the Information Commissioner, highlighted “TalkTalk’s failure to implement the most basic cyber security measures”. What are considered to be “basic cyber security measures”? According to Cyber Essentials, the UK Government certification scheme that provides a framework for basic cyber security, five basic security measures are:
- Secure configuration of networks and devices;
- Boundary firewalls and Internet gateways;
- Access controls and administrative privilege management;
- Patch management;
- Malware protection.
By implementing these five controls, companies can prevent around 80% of basic Internet-based attacks.
Website testing and vulnerability scanning are another important part of any security strategy that cannot be forgotten. CREST-accredited certification bodies like IT Governance perform an additional external vulnerability scan of the Internet-facing networks and applications to verify that no known vulnerabilities are present. The scan is included in the certification cost.
CyberComply, the unique online portal
IT Governance was the first certification body to implement an online service – CyberComply – that enables companies to apply for Cyber Essentials certification at their own pace. Companies can use the portal to control the progress of their certification, and to look for guidance and expert help.