We have all read about the data breach that took place in October last year at the telecommunications company TalkTalk. A total of 156,959 customers were affected by the attack, and it also came to light that 15,656 of these accounts, which included bank account numbers and sort codes, were accessed by the attackers.
In June of this year, the technical team from the Information Commissioner’s Office began its investigation and discovered that, despite the breach, TalkTalk had failed to remove the webpages that enabled the hackers to access the customer data. According to the ICO’s report, the database used to hold customer data contained a bug for which a fix had been available for three and a half years but had never been applied. The attack was determined to be a SQL injection attack.
This month, the ICO fined TalkTalk £400,000 as a result of “security failings that allowed a cyber attacker to access customer data with ease”. This is the largest fine the ICO has imposed to date.
The ICO’s investigation concluded that if TalkTalk had the appropriate cyber security measures in place, the breach could have been prevented. Elizabeth Denham, Information Commissioner, noted that TalkTalk’s failure to implement these measures is what allowed the hack to happen. She also commented:
“Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
Furthermore, Miss Denham stated that the TalkTalk breach is quite simply “not an IT issue” but “a boardroom issue”. Ultimately, incidents like this highlight the need to implement a staff awareness programme that changes an organisation’s compliance culture. What we can learn from the TalkTalk breach is that proper security measures need to be implemented and regularly reviewed. Failure to keep personal information safe is a breach of the Data Protection Act and is a costly lesson to learn.
There is no doubt about it: changing the way people think and act is difficult. Any adjustment is hard, but established habits are hard to shake and even harder to improve. Razia Begum, of the law firm Taylor Vinters, notes that organisations need to take a proactive, rather than reactive, stance on cyber security.
Here at MetaCompliance, we understand the importance of cyber security. We also know that staff awareness is vital to how a company protects itself against cyber threats. That is why we have created a methodology called “Generating Change through People” to help organisations start, or reawaken, their awareness programmes.
You can also avail of our Cyber Security and Compliance eLearning modules, which are designed to deliver engaging and innovative messages to staff. This will not only change your company’s compliance culture but also help your staff build on their knowledge and develop best practices.
Contact us today about our Staff Awareness Services and eLearning modules and help your organisation start its journey towards mitigating risk and cyber threats.