Communicating a Cyber Attack - A Retrospective Look at the TalkTalk Incident
By Kat Demidecka, 14 Dec. 2015
The recent breach at TalkTalk received extensive coverage in the media and led to several conflicting reports on the extent of the compromise. This blog post will look at how this investigation unfolded and discuss our recommendations for managing communications around cyber security incidents.
TalkTalk initially released a statement revealing that they had suffered a DDoS attack against their website and that as a result potentially 4 million customers’ sensitive data could have been compromised, including names, dates of birth, addresses, contact details and bank details. Several days later this was increased to an even larger figure after speculation that data belonging to former customers could also be at risk.
The statistics around the huge number of customers potentially affected caused a media frenzy, leaving customers fearing the worst and unsure of what action to take. In the aftermath of the incident, the TalkTalk website was taken offline and within a few hours the company’s share price dropped by 10%.
Over the following month, TalkTalk issued a number of statements, through which it was gradually revealed that data was actually lost via a SQL injection attack and, fortunately, only 160,000 customers had lost their personal data to cyber-criminals. As a result these customers became vulnerable to scams; for example, armed with knowledge of an individual’s name, address, contact details and bank name, an attacker may be able to convince that person they are calling from the bank. Crucially, the debit and credit card numbers that were stolen were redacted and so could not have been used by criminals to process fraudulent financial transactions. Details of exactly what data was lost can now be found on the TalkTalk website.
The majority of TalkTalk’s statements were issued by the Chief Executive who, to her credit, took an honest approach in responding to the media’s questions, admitting that it was unknown how many customers were affected and that she didn’t know whether or not the data accessed was encrypted. She had received a ransom demand from someone claiming responsibility for the attack and made a decision to assume the worst case scenario until further information was known. However, despite good intentions, this had serious ramifications and likely aggravated the situation.
Speculation that 4 million customers may have been affected meant that this incident likely received more publicity than it otherwise would have. This led to much negative press for the company and considerable loss of customer trust.
At the same time, the huge media attention heightened the publicity of the hacktivist group claiming to have been responsible for the attack (although there is insufficient evidence to support their claim), which can only have been seen as a positive result for them, helping to promote their agenda to a wide audience.
The poor technical information provided at the beginning of the incident – for instance the miscommunication around the type of attack responsible for the data loss, and the doubts about whether or not the stored data was encrypted – raised concerns around the organisation’s ability to cope with such an attack, undermining the credibility of the technical specialists undertaking the investigation. It also raised the question of whether TalkTalk was able to adequately protect sensitive customer data, before or after the incident.
However, it is easy to look back with the knowledge of what actually happened and, without any time pressure, come up with a more appropriate course of action. Had it been the case that the attack was as severe as it could have been, and TalkTalk had taken too long to release the information, they may have been criticised for covering up the compromise and not being transparent to their customers. Therefore, what is the best approach for dealing with a cyber-attack of unknown scale and consequence in such a high pressure situation?
Firstly, whilst it may be necessary to quickly alert customers to the incident, speculation on the details of the attack should be avoided whilst the investigation is still taking place. For example, in the case of the TalkTalk incident, instead of taking a ‘worst case scenario’ approach and warning that all customer data could be compromised, a more accurate and less alarming approach would have been to provide reassurance that the incident was being investigated to determine exactly what had taken place, and that affected customers would be informed and further advice issued as soon as possible.
Secondly, the spokesperson should be well-informed about the investigation. There is no need to launch into radio or TV interviews until the interviewee has had a full internal briefing. In addition, in the current threat landscape where companies are regularly hacked, executives must be able to answer basic questions around how customers’ personal data is protected, as much of this will already be known before an incident occurs. If technical details are to be discussed, ensure a technical member of the organisation is the one answering the questions. At the same time, be wary of providing too much technical information whilst the investigation is taking place; the nature of an incident response investigation is iterative, and new information will often reveal new insights and new areas of compromise.
Finally, be careful not to fall into the attackers’ trap. The DDoS on the website may have been performed as a decoy whilst the more severe compromise was taking place, and the ransom message from the purported attackers would have exaggerated the extent of the incident.
The pre-emptive solution to the above issues is to have a strong incident response plan in place. This should detail how each incident should be categorised and prioritised, and list the steps to be taken in order to investigate, report and remediate. Following clear guidelines will reduce the likelihood of being influenced by an external factor such as claims from a malicious third party.
Crucially the plan should include a communications strategy for when an incident occurs, detailing the chain of people who need to be informed. For critical incidents this should include technical specialists, HR, marketing and board level executives, as well as external parties such as the Information Commissioner’s Office. The plan should be regularly reviewed to ensure that it stays up-to-date with changes in the business.
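As an added illustration (not TalkTalk’s material or the author’s own code), the following Python sketch shows one way an incident response plan can encode the two points above: the priority and the notification chain are derived only from findings the investigation has verified, while unverified claims (such as an attacker’s ransom message) are recorded and reported separately and never drive escalation. The categories, priority thresholds and the contact roles listed are assumptions for the example; the scenario figures are constructed from the numbers quoted in this post.

```python
from dataclasses import dataclass, field
from enum import Enum


class Category(Enum):
    DDOS = "denial of service"
    DATA_BREACH = "unauthorised access to personal data"
    RANSOM_CLAIM = "extortion / ransom demand"


@dataclass
class Finding:
    description: str
    verified: bool            # True only when confirmed by the investigation's own evidence
    records_affected: int = 0


@dataclass
class Incident:
    categories: set
    findings: list = field(default_factory=list)

    def confirmed_records(self) -> int:
        """Records the investigation has actually shown to be affected."""
        return sum(f.records_affected for f in self.findings if f.verified)

    def claimed_records(self) -> int:
        """Largest figure asserted by any unverified source (attacker, press); tracked, not acted on."""
        return max((f.records_affected for f in self.findings if not f.verified), default=0)


def priority(incident: Incident) -> str:
    """Assumed scheme: confirmed personal-data loss is P1, a suspected but unconfirmed
    breach is P2, everything else (availability only, unverified claims) is P3."""
    if Category.DATA_BREACH in incident.categories:
        return "P1" if incident.confirmed_records() > 0 else "P2"
    return "P3"


def notification_chain(incident: Incident) -> list:
    """Who must be informed, in order. Roles follow the plan described above;
    the regulator is added only once personal-data loss is confirmed."""
    chain = ["technical specialists"]
    if priority(incident) in ("P1", "P2"):
        chain += ["board-level executives", "marketing", "HR"]
    if incident.confirmed_records() > 0:
        chain.append("Information Commissioner's Office")
    return chain


def status_summary(incident: Incident) -> dict:
    """What the spokesperson may state: confirmed and claimed figures kept apart."""
    return {
        "priority": priority(incident),
        "confirmed_records": incident.confirmed_records(),
        "claimed_but_unverified_records": incident.claimed_records(),
        "notify": notification_chain(incident),
    }


def constructed_day_one() -> Incident:
    """Constructed: website DDoS confirmed, ransom email claiming 4 million customers, nothing else known."""
    return Incident(
        {Category.DDOS, Category.RANSOM_CLAIM},
        [
            Finding("website unavailable under DDoS", verified=True),
            Finding("ransom email claims all 4 million customers' data taken", verified=False,
                    records_affected=4_000_000),
        ],
    )


def constructed_after_investigation() -> Incident:
    """Constructed: SQL injection confirmed, 160,000 customers' records shown to be accessed."""
    inc = constructed_day_one()
    inc.categories.add(Category.DATA_BREACH)
    inc.findings.append(Finding("SQL injection exfiltrated customer records", verified=True,
                                records_affected=160_000))
    return inc


if __name__ == "__main__":
    for label, inc in (("day one", constructed_day_one()),
                       ("after investigation", constructed_after_investigation())):
        print(label, status_summary(inc))
```

The point of the split is that the day-one record yields a P3 priority and no regulator notification, even though a 4 million figure is sitting in the claims column; only once the SQL injection finding is verified does the priority rise and the ICO join the chain, with the confirmed 160,000 figure being the one that goes into any statement.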
Once this is in place, tabletop cyber incident exercises that ideally include representatives from each of these areas are hugely beneficial in working through what would happen in the event of an incident and how the process would work, leaving everyone much better prepared to coordinate an effective response and minimise damage if (or when) a real incident takes place.