For a cyberattack to happen once is bad but twice or thrice? Ask TalkTalk, which last week admitted to being on the receiving end of a third compromise in the space of a year, an extraordinary sequence of failure by any standards.
The fact that TalkTalk has been here before shouldn’t obscure the fact that something has changed since the compromise made public in February 2015 which the company explained away with self-serving bluster. After that incident, no excuse was left unsaid as the firm tried to shift responsibility away from itself but this time the world learned that TalkTalk has a flesh and blood CEO called Dido Harding, who put herself up for TV interviews with almost masochistic delight. It was as if looking and sounding clueless was positive as long as it was done with honesty and charm.
We applaud Harding for daring to look and sound clueless because that tells us more about the state of security than any clever soundbite but there remains a danger that complacent language lurks just below the surface as a fallback.
Here we’ve collected together some of the worst examples of 'breach speak', some used by TalkTalk itself in the past. But all of them have in some form made an appearance in the aftermath of other previous UK data breaches, which seem to be getting more frequent. At some point CEOs will realise that breaches are not simply an inconvenience for their companies and investors so much as a disaster for customers. Chief executives simply have a lot to worry about and security is pretty abstract until disaster strikes. But change will surely come – eventually.
TalkTalk and beyond - “The attack was sophisticated”
Describing an attack as “sophisticated” is the stock moral defence for organisations suddenly and unexpectedly on the receiving end of a breach or incursion, the sub-text being that the attackers were so clever no organisation could be expected to resist them. It’s complete nonsense of course. With the possible exception of nation state attacks by intelligence services such as the NSA, which know of obscure weaknesses, very few attacks are sophisticated or even need to be. The idea that complexity is a prerequisite for cyberattacks ignores a large body of evidence that it is poor security practice, poor security policy and IT complexity that fuel most successful incidents.
The word “sophistication” reared its head in the aftermath of the August attack against TalkTalk, although that claim has never been explained. It rarely is. Someone inside TalkTalk had the good sense not to use the same word for the latest attack, which could turn out to be just as well. Unconfirmed indications are that it involved an SQL injection attack, about as far from sophistication as it is possible to imagine. Organisations with the resources of TalkTalk should be able to test their websites for this kind of well-known problem on a regular basis.
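As an added illustration of the point above (example code, not from the article or from TalkTalk), here is the same customer lookup written two ways, with the kind of regression check a site could run routinely. It assumes a hypothetical customers table with constructed sample rows and uses Python's built-in sqlite3 module.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for a website's customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, account_ref TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, account_ref) VALUES (?, ?)",
        [
            ("alice@example.invalid", "ACC-0001"),
            ("bob@example.invalid", "ACC-0002"),
            ("carol@example.invalid", "ACC-0003"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Builds the SQL by string concatenation: whatever the user typed
    becomes part of the query text, so quote characters change its meaning."""
    sql = "SELECT email, account_ref FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, email):
    """Binds the value as a parameter: the driver sends it as data and the
    database never interprets it as SQL, whatever characters it contains."""
    sql = "SELECT email, account_ref FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Classic textbook probe: a non-existent address carrying SQL metacharacters.
INJECTION_PROBE = "x' OR '1'='1"


def lookup_is_injectable(lookup, conn):
    """Regression check for a data-access function: a lookup for an address
    that does not exist must return no rows. Any rows back means the input
    was interpreted as SQL, i.e. the function is injectable."""
    return len(lookup(conn, INJECTION_PROBE)) > 0
```

Run the check over every query helper in a code base as part of the normal test suite; the vulnerable form returns every customer row for the probe, the parameterised form returns none.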
TalkTalk and beyond - “the attack was serious and unprecedented”
None of the cyberattacks companies are experiencing in 2015 – including the attack on TalkTalk – are unprecedented, and to pretend so is simply a mechanism for pulling the wool over the eyes of a gullible public. What the organisation usually means when “unprecedented” is wheeled out is “unprecedented for us”. If TalkTalk ever reveals the attack chain it is incredibly unlikely that the MO was any different to countless attacks on other companies before it. As for “serious”, all cyberattacks are serious, which renders the use of the word somewhere between redundant and tautologous.
TalkTalk’s version of this phrase was to describe the October attack as “significant and sustained.”
TalkTalk and beyond - “we are assessing what happened”
A euphemistic way of saying they have no idea what happened but are paying third-party companies a large amount of money to find out. More to the point, customers are never told what happened when they do find out – assuming they ever do. Nor are regulators, which have no defined right to know unless there has been a prima facie breach of the Data Protection Act. The ICO can in theory fine firms up to £500,000 if it has evidence of negligence or bad practice, but the ICO seems more obsessed with digging its claws into SMEs than tackling the difficult topic of corporate behaviour. And what would that sort of fine mean to a large company anyway? A financial scratch at best.
TalkTalk and beyond - “we are deeply sorry”
Chief executives have to say this because it’s polite but in most cases their evasive terminology conveys the opposite. By downplaying their own responsibility, or upgrading the cyberattack to almost supernatural in its power, the impression is created of an organisation that sees itself as the primary – nay sole - victim.
CEO Dido Harding cut a rabbit-dazzled-by-headlights figure in TV interviews after the recent attack but gained some credibility for even appearing. Too often CEOs hide behind emails and press release statements, as if they are detached from the problem. Harding took the riskier and braver path, associating her face and reputation with the incident. But in some of her statements, self-pity still crept in, as it often does.
“We are understandably the punch-ball for everybody wanting to make a point at the moment. Nobody is perfect. God knows, we’ve just demonstrated that our website security wasn’t perfect – I’m not going to pretend it is – but we take it incredibly seriously,” she told The Guardian.
TalkTalk and beyond - “our customers are always our highest priority”
Apparently some organisations genuinely believe this despite large amounts of evidence to the contrary. However earnestly some chief executives trot out this platitude, a commercial organisation’s first priority is always to its shareholders or owners and – in the fashion of modern capitalism - its senior management. Sometimes the employees get a look in but the customers? They are shadows, records in a database, people whose influence and importance is entirely abstract.
In the US, customers are typically offered an insulting one year of credit monitoring as if the data stolen has some kind of imaginary shelf life that runs out after 12 months. But stolen names, addresses and dates of birth are valid for a long time, possibly forever.
It’s not clear what if anything TalkTalk customers will be offered should personal data turn out to have been compromised on any scale.
TalkTalk and beyond - “financial records were not compromised”
This is by far the worst excuse of all and is trotted out again and again and again by breached firms, almost reflexively. It’s as if suffering a data breach is somehow less serious if credit card data was not compromised but personal data was. The fact that unscrupulous cybercriminals now have the unchangeable facts of the identities of millions of people is seen as a mere detail when it could in time have serious consequences for those people, months, years or even decades in the future. The credit card, meanwhile, can be changed in five minutes and any liability for fraud will lie with the breached firm or its insurers anyway.
The industry is fixated on its own standards when it comes to encrypting credit card data, using PCI DSS (now in version 3.0) as its benchmark. But as its full name makes abundantly clear (Payment Card Industry Data Security Standard), PCI was invented to serve the needs of payment processors, not the people who use the system. It was invented to protect them, not us.
More significant is the EU General Data Protection Regulation (GDPR), which effectively mandates encryption of all customer data and in theory also allows companies to avoid breach notification in some circumstances if that encryption has been applied competently. Due to be fed into the system in 2016, it will acquire teeth by 2018.
TalkTalk and beyond - “It won’t happen again”
In all likelihood it will happen again and, having suffered other recent cyber-breaches, TalkTalk at least hasn’t tried to push this bogus message. Any breached firm thinking of coming out with this line should instead devote its effort to explaining how the attack happened so it can publicly learn from the experience. Without acceptance and learning, there can be no change, because what is the incentive to do things differently?
What about Accountability?
Does this exist in modern business? CEOs tell the world it does but too often it seems that it is the judgment of the market and investors that counts, not the customers, who perhaps suspect that rivals might be just as bad anyway and don’t bother to change. How many people will walk from TalkTalk over its record of cyberattacks? Probably not that many.
A complicating factor for TalkTalk CEO Dido Harding is that she’s a Conservative peer, appointed to the House of Lords as a Baroness, and this gives her management of TalkTalk a political dimension. She has accused some politicians who have criticised her of “grandstanding”, a coded way of implying that their attacks are motivated more by party loyalty than by any concern that she be held accountable. Let's see how long this defence protects her.