TalkTalk hired BAE Systems' infosec bods before THAT hack
Plus: Police told us not to answer questions, says telco
Contrary to suggestions that TalkTalk hired BAE Systems to shore up its security after the much-publicised hack in October, the telco had actually been outsourcing its security operations centre to BAE since June – and previously told investors it had "completed" a security audit.
In its annual report, published in June, TalkTalk claimed it had completed key cybersecurity initiatives including the "encryption of hardware and removable media", the implementation of "a data loss prevention solution", and a complete "vulnerability scanning and penetration testing" run-through.
These measures were evidently not sufficient to prevent the data of 1.2m customers being stolen through what has been alleged to be a SQL injection – "an attack vector that has been known for more than a decade and [is] fairly easy to prevent" as Wim Remes, manager EMEA strategic services at Rapid7, the firm behind the Metasploit penetration testing tool, explained to The Register.
BAE Systems informed The Register that "prior to the incident [we provided monitoring support, but this] was limited to monitoring the corporate non-market facing network." BAE stated it is "progressively increasing [its] monitoring support" adding that the "process is not yet complete but is progressing well."
We asked TalkTalk why it had suggested BAE had been brought in post-hack, despite the annual report's claims that operations at the company's security operations centre had already been outsourced to them. We were told: "There is an agreed line with BAE that we need to use here. Don't think the one in there is the one we've used here?"
Clarity was also lacking over when security operations had been outsourced to BAE. We were simply told: "They are world-leading cyber security experts and we were already working with them on aspects of our security."
"Our role is to provide confidential advice to our client," BAE explained when it declined to answer our questions. The defence corporation's infosec arm's role consists of "monitoring for threats and outlining potential risks and actions to mitigate them, as far as possible."
TalkTalk stated it "constantly reviews and updates the security of our systems using internal and external tools and resource."
We have teams working around the clock, with the best experts, to understand what happened and ensure our systems are as secure. Clearly I can’t go into detail about the specific measures we are taking, but I can assure you we have significantly increased the level of protection. This includes a full scan of our sites to detect any residual elements of the attack, rebuilding parts of our site with improved resilience and installing additional barriers against attack. We are also accelerating several ongoing cyber security programmes.
TalkTalk claimed it had increased investment in cybersecurity by a third over the last three years, and it fully expected "to spend even more in the future."
TalkTalk considered the "Potential Impact" of a snafu to be "loss of competitive advantage, regulatory fines, damage to the brand, and ultimately, churn."
However, following delivery of the company's first half financial results for 2015/16 this morning, TalkTalk CEO Dido Harding downplayed churn concerns – the fear that customers would leave for a rival. She stated that customers who had initially attempted to leave after the breach had changed their minds, adding that there were "very early indications that customers think that we're doing the right thing."
Customers who have been in contact with The Register may disagree, however – some still want to leave but the telco refuses to waive their termination fees.
One contacted The Register when £3,500 was stolen from his account days after the breach. TalkTalk refused to waive his termination fee, instead offering him a risible £30.20 in account credit as a "good will gesture [and] final settlement."
Former TalkTalk customers may also have been affected by the most recent breach, though those who have spoken to The Register have complained that they have not heard from the company at all after finding out their data may also have been compromised from public sources.
Another customer pointed out that the telco's attempts to emphasise its competitive advantage had resulted in a "mistake" which incorrectly claimed consumers would save money using it. TalkTalk subsequently retracted this advertisement.