Boss of hacked TalkTalk warns of cyber security ‘arms race’

26 Oct 2015

‘Every company vulnerable to TalkTalk style hacking attack under Snooper’s Charter’.

British broadband provider TalkTalk said yesterday it had hired defence company BAE Systems to investigate a cyberattack that may have led to the theft of personal data from its more than 4 million customers. Every day, websites of British banks, utility companies and other businesses are under attack from groups in Russia, the Middle East and China, as well as anti-capitalist ‘hacktivists’. The provider of inexpensive broadband packages has less than one-twentieth the revenue of Vodafone Group Plc, little of the globe-spanning telecommunications backbone of a company like BT Group Plc, and certainly none of the temptingly vast financial flows of a big bank like Barclays Plc.

The telecoms firm revealed the data hack that put up to four million current and former customers’ details at risk may not be as bad as first feared. Every company is vulnerable to a hacking attack like the one suffered by TalkTalk, it was claimed as it emerged that companies may be powerless to prevent criminals stealing their customers’ data. TalkTalk chief executive Dido Harding has insisted the company’s cybersecurity is “head and shoulders” better than its competitors in the wake of the massive hack attack affecting thousands of customers. TalkTalk said on Friday it had received a ransom demand from an unidentified party for the attack, which has led to calls for greater regulation of how companies and public bodies manage personal data. TalkTalk is nonetheless reeling from a cyber-attack on its website that knocked as much as 11 percent off its market value at one point on Friday, and put the London-based company in the headlines around the world for all the wrong reasons.

Security experts said that the so-called snooper’s charter, which will give British spies access to telecommunications data by law, will “sabotage” attempts to defeat cyber crime by creating a “back door” through which hackers can enter. In an interview with the Guardian, Harding conceded it would be “naive” to rule out the prospect of the telecoms firm suffering a similar cyber-attack in the future, describing the threat from hackers as “the crime of our generation”. A spokeswoman for BAE’s Applied Intelligence division said the firm’s cyberspecialists were analysing “vast quantities” of data to establish how the breach happened and what information was stolen.

Its predicament, security experts say, shows how hacking has become a danger to virtually all companies regardless of size, prominence, or perceived vulnerability. “How many of the Fortune 500 are hacked right now?” Anyone who has typed personal information into a webpage has “had it compromised in some way” because data is frequently left unprotected on computer servers, the experts claimed. Asked about claims by an IT researcher that he raised concerns about TalkTalk’s security with her office last September, Harding said its security had “improved dramatically” in the last year.

As frantic investigations continued at TalkTalk, which still has not ascertained the scale of the data breach, its chief executive said she would leave if her customers demanded it. He said: ‘This could be part of a wider pattern of activity encouraged or even supported by the Russian state as part of an effort to destabilise the West.’ Speaking to The Telegraph, Dido Harding said: “In some ways I would love to say this is just a TalkTalk issue, I’d love to believe this is just us – but it isn’t. This is happening to a huge number of organisations all the time.” TalkTalk said, despite the security lapse, they would be holding customers to their deals until the police investigation, and their own internal inquiry, had been finished – a process that could take months.

So far relatively few of the highest-profile hacks, like the 2014 crisis at Target Corp. and a recent assault on customers of T-Mobile US Inc., have targeted U.K. or European companies, and their response has been correspondingly restrained. In a letter to customers on Sunday, the telecoms company said the cyber attack was “on our website not our core systems” and “no banking details were taken that you won’t already be sharing with people when you write a cheque or give to someone so they can pay money into your account”.

“My job, my company, we exist at the gift of our customers, so our customers will make that decision over time.” The verdict may arrive in the form of an exodus of subscribers to TalkTalk phone, broadband, TV and mobile deals. In its most recent global information security survey, consultancy PricewaterhouseCoopers found almost a quarter of North American companies it surveyed spend more than $5 million a year on cyber-security, compared with about 19 percent in Europe. Harding said it was “too early to say” whether the company will establish a compensation fund to handle the fallout from the attack because it was still unclear how many customers had been affected and to what degree. The British government is concerned that U.K. firms are very vulnerable to attacks both from criminal groups looking for financial gain and state-sponsored cyber-spies, according to a senior security official who asked not to be identified discussing a private matter. Mike claimed that TalkTalk “didn’t seem very interested” when he tried to report it to them and is “positive” that they were being hacked at the time.

Detectives from Scotland Yard’s cybercrime unit are investigating the hack attack amid reports that specialists from BAE Systems have been called in by TalkTalk to track down the hackers. As a result it’s trying to upgrade investigative and intelligence capabilities without creating a moral hazard that would discourage companies from taking steps to protect themselves, the official said. In the latest theft, which is being investigated by the Metropolitan Police, the credit card information gained by the hackers was insufficient to make transactions, Baroness Harding said.

Companies seeking to avoid becoming the next TalkTalk, Target or T-Mobile must contend with a bewildering array of potential vulnerabilities within their own systems and those of vendors and customers. Joe Sturonas, chief technology officer at US encryption specialists Pkware, said: “Many companies have only focused on encrypting devices and networks, but have largely avoided encrypting the data itself. What has been demonstrated time after time is that getting past the devices and networks protection is possible.”

And even a robust security system can be defeated by a careless employee who opens the wrong attachment or plugs a USB key infected with malware into an office computer. “It’s usually tempting to say there will never ever be another attack but that would be naive.” Paul Moore, an information security consultant, wrote in a blogpost published last September that he had contacted Harding’s office about vulnerabilities on TalkTalk’s website but said the company’s response was “aggressive, defensive and dismissive”. A 2014 hack at JPMorgan Chase & Co. used stolen login details to access a server that didn’t require “two-factor authentication,” or a one-time code generated with a physical device or sent by text message, for entry. “Goodness knows I’ve been one of its biggest fans … and it’s not right that having lost your bank account number and sort code that people can take money from your bank account – they can’t.” Harding insisted that TalkTalk would “thrive” following the attack if customers saw that it was being transparent about what had happened. It’s in the interest of security companies and consultants to overstate risks and their ability to respond to them, said Ross Anderson, a professor of computer science at the University of Cambridge.

For the most part, “cyber-criminals do volume petty crime and take care to stay below the thresholds” that would attract a significant law-enforcement response, he said — an annoyance to companies, but not an existential challenge. “What we’re trying to do – and it’s very painful and hard for everybody in the organisation working their socks off – is to be open and transparent about it and share the information maybe earlier than people are used to, so we can warn our customers and protect them.”

TalkTalk over the weekend told customers that it yielded only partial credit-card numbers, and that fewer customers than it originally thought were affected. The real risks of cyber-hacking may only become clear if and when critical infrastructure — like power plants and water grids — comes into the cross-hairs for attack by sophisticated groups. Some companies or governments “are certainly going to come up short if subject to a real significant and sustained attack,” said Robin King, CEO of U.K.-based cyber-defense company Deep Secure. “I do not think we have yet seen the tip of the iceberg.”
