back to article Tardy TalkTalk advertised for a new infosec officer 1 week ago

Embattled telco TalkTalk, under fire for losing four million customers' data to an apparent hack, was hiring an information security officer just seven days ago. Following TalkTalk's announcement of the data breach, which it bizarrely attributed to a Distributed Denial of Service Attack directed at its website, the company …

  1. Anonymous Coward
    Anonymous Coward

    Additional responsibilities

    12. Capable of wringing their hands convincingly

    13. Acting as scapegoat to save the hides of much better paid staff

    14. Not raising "difficult issues" that involve spending money on infosec

    1. BlartVersenwaldIII
      Holmes

      Re: Additional responsibilities

      I was going to suggest:

      15. Parrot "we have no evidence that this information is being used for criminal behaviour"

      ...but apparently TT are already receiving ransom notes.

      http://www.bbc.co.uk/news/uk-34615226

      Point 11 is also interesting, did their last infosec bod leave in the middle of an internal/external audit?

      1. Trigonoceps occipitalis

        Re: Additional responsibilities

        16. Borrow VW's two low level engineers to act as scapegoats.

  2. Oli 1

    Fabulous - i now have a handy link instead of explaining why not to go with TalkTalk.

  3. HmmmYes

    Googling for talktalk info brings me to LinkedIn profile who's job title was 'Lead Information Security & Quality Auditor'.

    ISO9000 *and* computer security. Wow!

    He left March 2015, which was around the time of previous issue.

  4. HmmmYes

    I think the ICO needs to fine TalkTalk for this. About £1k per customer would do.

    1. Fraggle850

      Agree but...

      As per my post the maximum fine that the ICO can levy is apparently £500,000 (hmm, I don't suppose that could be 500k per customer record? Thought not...)

      I hope that the banks transfer the costs of any losses to customers to TalkTalk. They could certainly make the case for doing so.

      1. Anonymous Coward
        Anonymous Coward

        Re: Agree but...

        The legal precedent, if you can use it, from Massachusetts is that each customer record taken is a separate incident.

    2. Anonymous Coward
      Anonymous Coward

      £1K per customer?

      Far too light IMHO

      Serious jail time for the CEO

      Life bans for all the Directors

      etc etc

      £10K compensation for each customer

      In other words, close it down pronto.

      Then and only then will the other ISP's sit up and take notice before it is too late.

    3. Alan Brown Silver badge

      ICO paper tiger

      Not many people realise that the data protection laws leave the way open for those who have been compromised to sue in a private capacity, in addition to the ICO's (feeble) powers.

      I am surprised that class-action suits haven't been floated already.

  5. Fraggle850

    They've contacted the ICO

    So that's okay then. What exactly will the ICO do? Give them a jolly good talking to? The maximum penalty that the ICO can apply is £500,000. I'd have thought that storing banking data for 4 million people in an unencrypted format, along with other personally identifiable information would warrant the maximum penalty. In this case that amounts to 12.5p per record!

    Personally I'd consider this to be criminal negligence and would like to see someone up before the beak and facing time. Chances of this happening given that the Honourable Diana Harding is married to one of call me Dave's best mates?

    1. 0laf Silver badge

      Re: They've contacted the ICO

      Yes it's a shame the new EU DP regulation isn't in force or it would have been 5% of global turnover.

    2. jonathanb Silver badge

      Re: They've contacted the ICO

      Pharmacy2u were fined £130,000 for selling customer info to fraudsters, which I would say is a more serious offence than what Talk Talk did. To be proportionate with that, the fine would probably be about £25,000. But I agree, the fines are way too low to be an effective deterrent.

  6. 0laf Silver badge

    I suspect even a company as dysfunctional as TalkTalk has more than just one lowly ICO in infosec roles especially since they will be reporting to the "Head of Security".

    Head of Security may actually be in the process of changing his/her title to "Scapegoat in Chief / Top Blamehound". Much like the 'rogue' VW engineers that are being liberally coated with executive blame right now in Germany.

    If they were half decent I feel sorry for them because they've probably spent the last 6 months (or 6 years) being told to shut up whenever they pointed out a vulnerability or predicted a problem.

    1. Anonymous Coward
      Anonymous Coward

      Hmm, I don't know.

      This is the perfect time to clean things up. There is a massive balls up, the share price has taken a hit - everything says "get a decent budget now" because it must be visible that the company is doing something.

      The debate about the cost of security usually happens when nothing has happened for a while, and granted, it IS possible to overspend on security (by, for instance, buying every possible toy and getting pen tests in without first getting decent processes in place).

      Whoever steps in now will have their work cut out, but also stands the best possible change of avoiding the scape goat game. Not so much luck later when the noise has died down and the accountants return.

      1. Mark 85
        Meh

        Clean things up... Well their email says they have taken all measures to make their website secure again. For some value of "secure" and "again" (like it was previously????). Meh.....

    2. Chris King

      How about "Blame Magnet" ?

    3. Anonymous Coward
      Anonymous Coward

      I have sat with this type of attitude in my last two jobs before and that is exactly how it works from my previous and current employer. If you find a problem, don't say a word because you simply get crapped on if you do.

      Then 6 months later, what you predicted actually happens and management says they never knew.

      Personally I always look at security with the assumption that everything is always vulnerable. You always looking for holes and you become less complacent with security.

      Anonymous obviously...

      1. Anonymous Coward
        Anonymous Coward

        Re: if you find a problem

        "If you find a problem, don't say a word because you simply get crapped on if you do."

        Good job this management approach isn't widespread. Imagine if this attitude were prevalent in safety critical areas. Oh hang on, no need to imagine, it's been going on for the last five years, "ethics hotline" included. But over two thousand redundancies of skilled engineers, and offshoring much of the remaining work to India, should surely improve matters no end. Well, improve costs anyway. Who cares about quality.

        Toodle pip.

    4. Anonymous Coward
      Anonymous Coward

      "We don't want to hear that"

      When I pointed out the obvious vulnerabilities on our IM System I was told:

      "We don't want to hear that"

      I was accused of "being negative" and "overestimating the extent of the problem".

      We "lost" Credit card and Bank details for many thousand TfL Oyster customers. The data theft hasn't been made public.

      There is no chance that it's going to be admitted publicly because there are minuted records of the meetings in which I (and others) pointed out the vulnerabilities - heads would roll. no chance of that happening in the feather-bedded world of Government Departments!

      AC because I want to keep my post at the moment!

    5. Alan Brown Silver badge

      "Much like the 'rogue' VW engineers that are being liberally coated with executive blame right now in Germany."

      With any luck those "rogue" engineers will have kept the meeting notes and emails from top brass telling them to do it, despite objections.

      Or they could be handsomely paid off for _not_ revealing said items.

  7. Anonymous Coward
    Anonymous Coward

    Welcome to bubble economics IT. Bold! Stylistic!!

    "Just fix something up using too few people, we will worry about the important stuff later, it's gonna be allright."

  8. Doctor Syntax Silver badge

    Is this going to be one of those job interviews where they ask you "how would you deal with...?" and then use the replies to tell them what to do without actually giving anyone the job?

    OTOH I think any candidates going to interview are going to ask some fairly pointed questions of their own, ending with "what budget do you have for all this?"

  9. Your alien overlord - fear me

    Bullet points 3 & 4 - assist the Head of security & Act as expert in all matters.

    Call me old skool but the Head of Security should already be fired since he/she obviously doesn't know security and is probably some 'man manager' type rather than a techie type. I don't know them, only saying from what I've observed.

    1. Doctor Syntax Silver badge

      "Call me old skool but the Head of Security should already be fired"

      Call me even older school but the Board should accept the CEO's resignation. They may need to prompt her for it once they've accepted it.

      In VW's case Winterkorn did the honourable thing in quitting although maybe the generous package tainted this. This seems to be an exception, someone at the head of a business which gets thing this wrong should quit, not make the rounds of the media giving interviews. It would ensure a culture in which things are done right, security gets precedence over marketing and customers can begin to trust the business.

  10. Anonymous Coward
    Trollface

    Easiest job in info sec now...

    Any and all requests to the Board for mucho cash will be nodded through...and lightning never strikes twice, right?

    FWIW, I'd outsource info sec to China. The lads from PLA Unit 61398 can't be beaten!

  11. Anonymous Coward
    Anonymous Coward

    @olaf Not so unusual to have a single lowly tech responsible for all duties described in TalkTalk job role. I speak from personal experience currently in a very similar role, also in a company that is national critical infrastructure... Not best pleased with my present position, in fact I saw TalkTalk job a couple of weeks ago as I was searching job boards, my present role is so unrealistic I even considered the TalkTalk job for a few seconds.........luckily I smelled another trap

    1. Anonymous Coward
      Anonymous Coward

      <Not so unusual to have a single lowly tech responsible for all duties described in TalkTalk job role. I speak from personal experience currently in a very similar role, also in a company that is national critical infrastructure.</i>

      Speaking for my own company, who probably qualify as critical national infrastructure, I'm also unconvinced that infosec has sufficient status and resource. A senior staff grade employee and a graduate for the UK, with the senior staffer reporting to a manager in another country. There's some good stuff been done, our web site passes the "free to web" vulnerability tests, our security staff do try and educate the wider employee base, but its notable that several multiples more effort is put into "customer experience" than into protecting the customer data and thus protecting the company.

      One good thing about the TalkTalk debacle is that it has suddenly and dramatically (if temporarily) elevated the priority of infosec. Every fatcat in the land is see Ms Harding looking increasingly stressed and haggard, and hearing as the news seems to go from bad to worse.

      1. Anonymous Coward
        Anonymous Coward

        Oooh dear. That post wasn't meant to look like that. To judge by my own botched HTML, I may be qualified to join TalkTalk's infosec team.

    2. 0laf Silver badge
      Facepalm

      All I can say is me too.

      Recently I was told to remove references to significant vulnerabilities from a report because they might upset the board.

      Currently studying for CISSP not because I need it to do the job but to get past the HR droids and try to get a decent salary for being ignored and sidelined.

      Infosec might be the subject du jour right now but that'll soon fade. I'd rather be paid well to be ignored than paid poorly.

  12. Anonymous Coward
    Anonymous Coward

    DDoS attack probably just a distraction

    Gets the security and IT people focussed on that whilst the data is stolen by another method. Internet version of a classic pickpocket technique.

  13. Paul 18
    Thumb Up

    BOFH "Nailed it"

  14. Androgynous Cowherd

    I reckon it's been going on for months. Each time I've tried to login to the TT website, it's been painfully slow, 404's etc...rarely reliable.

    Slack aresd cnuts

  15. Anonymous Coward
    Anonymous Coward

    I notice that at the bottom of the letter they recommend Experian as one of the people to check with. They definitely need an infosec officer.

    1. Mark 85

      Experian = cheapest

      Experian != best

      1. Anonymous Coward
  16. wheelbearing
    Go

    Odds on Dido to go?

    She should do the decent thing - third time unlucky - and go. The shareholders should demand this unless they want to see their assets plummet further and their customers data plundered wholesale yet again (of course it may be too late and they will, as did Sony, have to suffer yet more public pain).

    Dido has displayed quite incredible hubris over the last year given the repeated clear warning signs of the infosec problems at TT, If nothing else, the very obvious and well publicised examples of infosec fails at other suffering corps should have pursuaded her that TT needed to pull it's corporate finger out and pay much much more than lip service to the scale of the risks involved .

    The head of an IT business that still doesn't seem to really get why IT security should be top of her to do list when repeatedly burned should resign in favour of one who does.

    Unfortunately there is very likely a dearth of such tech savvy C level execs.

    1. Anonymous Coward
      Anonymous Coward

      Re: Odds on Dido to go?

      The head of an IT business....

      TalkTalk aren't really an IT business, they are barely even a telecoms company. They are primarily a telecoms supplier who retail services mostly bought wholesale, and as is the current fashion they have outsourced everything they possibly can, because that way they can sack expensive UK based workers, and give the money to their obscenely over-paid, and utterly incompetent board.

    2. HmmmYes

      Re: Odds on Dido to go?

      Odds? 0% Zilch. None.

      I would not use th word hubris.

      More total ignorance, clueless but, hey, the salary cheques still keep arriving.

  17. This post has been deleted by its author

  18. Fihart

    Not just confusion marketing. Confusion.

    Listening to Talk Talk's boss on Radio 4 this morning she sounded shaken, and appeared more so in later TV interviews.

    There seems a perverse kind of justice here -- I've wasted hours trying to tie down the actual cost of selecting various ISPs due to the confusing and incomplete pricing displayed in ads and on websites. Talk Talk's current offer seems terrific value (e.g. free internet for 12 months) but averages out over an 18 month contract at about the same as competitors, once you add in charges for "phone packages" Can't quite see why I'd pay for the ability to use a phone line when it has to be there anyway, while also being charged for calls.

    I'm almost inclined to call their sales people while this debacle unfolds on the assumption that they won't be too busy and may be begging to do a deal, any deal.

  19. Captain DaFt

    Well, it's all better now, innit?

    After all, They've emailed their clients an Official response!

    Good grief, what more do you expect them to do?

    (Post may contain traces of sarcasm)

  20. Commswonk

    Am I the only person who thinks...

    ...that the problem is more deep seated than poor infosec?

    To quote from the original article "Earlier today TalkTalk's chief executive, Dido Harding, apologised for the company's lax security practices.

    Looking at the list of "Primary Responsibilities" I would argue that there is a complete lack of clarity on exactly who is responsible for what. Anybody courageous (or daft) enough to apply for this job will find him/herself saddled with a list of responsibilities, while at the same time having to answer to a Head of Security, who, it must be said, has clearly failed in his (or her) job so far.

    Any upward reference based on a clear assessment of what actions are required is going to hit a brick wall because a more senior person agreeing with those proposals is tacitly admitting that whatever is recommended ought to have been done long ago.

    I also find myself wondering exactly who has Ensure compliance with the Data Protection Act in his or her Job Description.

    IMHO the published Job Description shows woolly thinking on the part of TalkTalk's very own Catbert, and it may be indicative of a wider failure to make sure that the various jobs to be done are correctly allocated to people of the right standard in the right order of seniority.

    I suspect that potential applicants will be putting a stop on their submissions immediately, and breathing a sigh of relief at getting a timely warning of what they would be saddled with if they had actually succeeded.

  21. cantankerous swineherd

    wikipedia interesting on the subject of The Baroness Harding of Winscombe: ppe (wouldn't you just know) alongside call me Dave, McKinsey, paid 8 million in 2014, on the court of the BoE and so it goes on.

  22. Joe Montana

    Deep rooted problems...

    Most companies have severe security problems, most corporate networks are horrendously insecure and basically an accident waiting to happen.

    Yet companies do nothing about it, they bury their heads in the sand... They assume that because they have not yet become the subject of a high profile breach that they must be secure. Even when they do hire competent infosec people, those people are usually completely hamstrung.

    The quote on yesterday's article was great:

    "Complacency is the biggest enemy of security, just because things 'have always been done a certain way' doesn't mean it remains the most effective way. "

    Most companies are complacent, they are happy to make the same stupid mistakes because "everyone else is doing it", they assume they are secure because they haven't been (that they're aware of) hacked yet but the reality is that they've just been lucky and/or aren't worth targeting.

    1. Anonymous Coward
      Anonymous Coward

      Re: Deep rooted problems...

      Most companies are complacent, they are happy to make the same stupid mistakes because "everyone else is doing it"

      Well, there is always "something more important to do" and "we can't afford to slow down now" and "we can't say no this customer, stop wasting your time on security".

      This is why companies should be governed by a board of people who have risen up through the ranks on merit, not by a charismatic and dynamic "leader" who starts Barbarossa operations on a whim.

      1. Anonymous Coward
        Anonymous Coward

        Re: Deep rooted problems...

        This is why companies should be governed by a board of people who have risen up through the ranks on merit, not by a charismatic and dynamic "leader" who starts Barbarossa operations on a whim.

        Will you change that view if the charismatic leader offers you the chance to strut around in a cool-as-fuck Hugo Boss uniform?

  23. N2

    Big deal

    You simply can't change a history of instituional carelessness in a week, a year maybe.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like