Once Talk Talk was breached not only were the authorities and technical teams going into battle, but so was the PR machine.
At 7am the CEO was on as many news outlets as possible telling everyone that they had been breached. The details were still sketchy, which is to be expected when a breach has only just been discovered, but they were nevertheless able to say what the worst case would look like: full details for all of their subscribers, some of which may not have been encrypted. This is true for any retail or similar provider. They kept reiterating that they could not release full details as this was a criminal investigation, and quite rightly, they therefore could not give full and accurate information.
By midday it was clear that the information we were being given was being shaped. The CEO’s language was very much “hey, look, we dropped the ball, but we’re doing our best right now”, yet the message was still framed in terms of “possibly” and “worst case scenario”.
To further add colour to the story came details from the public domain about potential attackers, and then a spokeswoman (not the CEO) mentioned a ransom. I am not sure that was a piece of information that should have been released, as it is the only definite piece of information they had given at that point.
Over the weekend we then heard that the data was on the dark web for a significant sum and the seller appeared to be a genuine bad guy! But think about it… you have all these records which are crippling a telecom and you’re only selling them for $80k… seems a little low?
The PR machine that was helping the CEO, and the incident response that underpinned the technical side of the comments, were pure brilliance:
- Tell the world it could be 4 million records.
- Tell the world there may be some unencrypted data.
- Set them up for a huge, damaging breach and suffer a one-day dip in share price.
Don’t forget also that this happened on a Friday, so trading would have been cautious on this stock and conservative on the news, which is why by the close of the day the share price wasn’t in too bad a place. In fact it looks like, even with the dip, it is still following the existing falling trend.
Then came the email the consumers were looking for – more details and some good news:
- The number of customers affected and the amount of data potentially stolen is smaller than originally thought. Our website was attacked, but our core systems weren’t and remain secure.
- On its own, none of the data that may have been accessed could be used to leave you financially worse off.
- We don’t store unencrypted credit or debit card data on our site, so any card details which may have been accessed have the 6 middle digits blanked out. For example, it would appear as 012345XXXXXX6789. This means it can’t be used for financial transactions.
- No My Account passwords have been accessed.
- No banking details were taken that you won’t already be sharing with people when you write a cheque or give to someone so they can pay money into your account.
When the news comes out that it isn’t so bad – that none of the data leaked could affect your bank account and that the exposure to ID theft is minimal – then they’re looking like the good guys. In fact, they look like quite the hero: no core servers affected, quick response, all data encrypted, all credit card numbers obfuscated – in fact, job well done! Also, every bank was notified of the affected subscribers so that the banks could monitor accounts. Again, a smart move.
Even with this news, they have offered all 4 million subscribers ID protection from Noddle. The cost to the consumer would normally be £20. Given they have just turned up with 4 million users, they would definitely have got a significantly reduced fee; let’s guess at £10 per subscriber – a total outlay of £40 million. Most companies hold this in reserve for such incidents, so well done to them for organising it so quickly (I have already received my code).
So the lessons learned for us all are:
- Have a good technology plan for your incidents. Know who to call and when and in what order.
- Have a good PR plan. Know how to reach out to media agencies, have people with media training that know how to be grilled without cracking and can stick to the story.
- Control how information gets out about your incident.
- Give minimal, accurate information at first while you work out what the reality of the matter is. How often do we see breach numbers seemingly spiral out of control?
- Your customer service team is your army, equip them well with the same story you have and do not let them deviate.
- Have plenty of staff ready to deal with the calls.
- Assume the worst and show the world what that could look like – take the temporary hit, but only if you know that the real news is better.
- When better news comes out, go directly to your users first. Hit them with the mailshots BEFORE the media. The media therefore cannot dig any more information as it is out in the wild.
- Have a contingency fund allocated for this kind of incident – not insurance, actual reserve capital. Why? Because an insurance company will try to squirm out of paying you and will not wire the money straight away.
- Remain calm throughout the whole engagement.
So, question to you…
I assume you work for an organisation, doesn’t matter the size. I assume also that you are selling something or providing a service to others. Right so far?
- What is your incident plan?
- Who in your organisation could take a grilling on national television after only a couple of hours’ sleep, from a news reporter who is out to find a unique angle on the story and will press every button they can to get you to crack?
- How big is your contingency fund?
- Do you have a telephone number for a law enforcement agency with cyber capabilities in a plan that all the C-suite, executives, senior management team know where it is and what to do with it?
- When did you run the last FULL (not paper, desk-based) incident for the team to respond to and how well did you do?
- How well are you monitoring, so that you can detect unusual traffic and have the ability to take the servers offline within a couple of hours?
If you do become a victim of this crime, please contact:
Action Fraud UK
http://www.actionfraud.police.uk/
Telephone: 0300 123 2040
Good Luck and Stay Safe!
Stuart Coulson @SPCoulson