Cyber security buck stops with me, says Dido Harding

The chief executive of TalkTalk, Dido Harding, has told MPs that she alone is responsible for cyber security at the company, but that the operator does not yet know if the major hack it experienced in October was avoidable. The hack led to the personal details of more than 156,000 people being accessed by hackers and the …

  1. LucreLout

    Cyber security buck stops with me, says Dido Harding

    I agree, so now you should resign.

    1. Little Mouse

      Re: Cyber security buck stops with me, says Dido Harding

      Or maybe, to paraphrase Colin & Fergus, Dido could follow in the footsteps of the Dodo, Dodi, Di & Dando.

      Sorry. A bit tasteless, I know.

      1. Anonymous Coward

        @Little Mouse

        Are you suggesting she follows the steps of her namesake, the Queen of Carthage?

  2. frank ly

    Striking a balance is difficult

    "... advice received from the police was not to warn our customers."

    That wasn't advice, it was a request.

    "She said that it had been a reasonable position for cops to take as the police's priority was to catch the criminals."

    True, but it should have been her priority to protect her customers.

  3. Halfmad

    What the actual ffffFfffffu?

    Avoidable or not? Really?

    That's such a poor excuse for still having no plans to have one person in charge with sole responsibility for it; it sounds as if they've learnt nothing. She's not responsible for it; if she was, then she'd have resigned for being so utterly clueless about the subject.

  4. Anonymous Coward

    Their complete lack of security let 15 year old children get in with a 17 year old well known vulnerability that they were warned to fix yet did not fix. She "doesn't know if it was avoidable"!? Framing it as dastardly criminals that couldn't possibly be stopped is entirely in the realm of make believe, when they have failed to implement even basic precautions.

    She has no business being in a position responsible for individuals' data when she is so clueless. An example should be made of their negligence in protecting our data so that other businesses take it seriously; otherwise, if you get off with a slap on the wrists, why would any business bother to put any money into doing it properly?

    Forget terrorism, the biggest threat to cyber security is a spineless ICO that lets these businesses and government orgs make the same schoolboy errors over and over. They need to be knocked out of the bad processes and habits that repeatedly lead to big data breaches.

  5. Alister

    She said the company had wanted to inform customers of the breach sooner, but had been advised by police not to do so. "One of the most difficult periods was the first 36 hours of the attack," she said. The company had received a ransom demand and had informed the police. "The next day it was very clear there was a real risk material number of customers data stolen."

    She said: "I was clear by lunchtime [the next day] that the sensible thing to do to warn customers, that would make them safer. For understandable reasons, advice received from the police was not to warn our customers."

    If you can manage to unscramble the nonsense above and turn it into reasonable English, it still remains complete bollocks.

    The ransom demand received was pertaining to the DDOS attacks, and there is no possible way that a DDOS can, on its own, cause a loss of customer data, although obviously it can be used to screen other attacks.

    That makes a nonsense of the statement "The next day it was very clear there was a real risk [ of a ] material number of customers data [ being ] stolen"

    Why would that be very clear? And why would the police have anything to do with that breach, when what they were investigating was a ransom note pertaining to further a DDOS?

    The DDOS had nothing to do with the loss of data, and to conflate the two as Dido has just shows the total lack of grasp she has on the whole affair. It's no wonder they are unable to tell what data is missing yet, when they clearly have no idea what occurred.

    This whole statement is as confused now as her original outpourings were when the incident happened.

    1. Mark 85

      I thinks she subscribes to this rule: "If you can't dazzle with brilliance, baffle with bullshitte".

      1. Captain DaFt

        >I thinks she subscribes to this rule: "If you can't dazzle with brilliance, baffle with bullshitte".<

        In her case it appears to be more like: "If you're totally baffled and clueless, spray bullshit everywhere."

  6. Snivelling Wretch

    "Clearly there is a lot more we can and will do going forward."

    Which also means there was a lot more you could and should have done previously.

  7. td0s

    "There’s a temptation for people to think that encryption is a kind of silver bullet, that if you encrypt everything it will be OK. For some sorts of data [it's] not a high enough format."

    so let's not encrypt anything - also what is the "format" above encryption?

    1. Hans Neeson-Bumpsadese Silver badge

      "what is the "format" above encryption?"

      Double encryption. That's why I encrypt everything using double ROT-13

      1. John G Imrie

        Double ROT-13 is not good enough

        In these days of Unicode you need Double ROT-557056

        1. g00se
          FAIL

          Re: Double ROT-13 is not good enough

          Not having the data in the first place. Which I believe was her point about the "tokenisation" of the credit card numbers - apparently they explicitly did not save six of the digits which make them usable.

          Except that they DID have (some of) the data, which means that they could be used in a social engineering attack which is most certainly a 'format' above encryption, not below it.

      2. Mark 85

        I think it has to be "double, secret, encryption"...

    2. Raumkraut

      what is the "format" above encryption?

      Not having the data in the first place. Which I believe was her point about the "tokenisation" of the credit card numbers - apparently they explicitly did not save six of the digits which make them usable.
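The "tokenisation" scheme the two replies above describe (keep a random token plus the issuer prefix and last four digits, discard the six middle digits) can be shown in a few lines. The following is an added example, not code from the original page or from TalkTalk; it assumes 16-digit card numbers, a random token with no link back to the full number, and constructed test card numbers that merely pass the Luhn check. It also counts how many full numbers remain consistent with the stored fields, which is the whole point of dropping those digits.

```python
import re
import secrets

# Constructed sample PANs for the demo (standard-format test numbers, not real accounts).
SAMPLE_PANS = ["4111111111111111", "5500000000000004"]


def luhn_contribution(digit: int, index_from_right: int) -> int:
    """Luhn weighting: every second digit from the right is doubled, 10-18 fold to 1-9."""
    if index_from_right % 2 == 1:
        digit *= 2
        if digit > 9:
            digit -= 9
    return digit


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = sum(luhn_contribution(int(ch), i) for i, ch in enumerate(reversed(pan)))
    return total % 10 == 0


def tokenise(pan: str) -> dict:
    """Build the record kept instead of the full PAN.

    Only the issuer prefix (first six digits) and the last four are retained; the six
    middle digits are discarded, as described in the thread. The token is random, so
    it carries no information about the PAN and cannot be reversed by anyone who
    obtains the record.
    """
    if not re.fullmatch(r"\d{16}", pan) or not luhn_valid(pan):
        raise ValueError("not a well-formed 16-digit PAN")
    return {
        "token": secrets.token_hex(16),  # 32 hex chars of CSPRNG output
        "bin": pan[:6],
        "last4": pan[-4:],
    }


def display_mask(record: dict) -> str:
    """What a support screen or receipt could still show from the stored record."""
    return f"{record['bin']}******{record['last4']}"


def candidate_pans(record: dict) -> int:
    """Count 16-digit PANs that match the stored fields and pass the Luhn check.

    Rather than brute-forcing a million numbers, this counts the unknown middle digits
    by the Luhn residue they contribute (a small dynamic programme over 10 residues).
    """
    pattern = record["bin"] + "??????" + record["last4"]
    known_sum = 0
    unknown_positions = []
    for i, ch in enumerate(reversed(pattern)):
        if ch == "?":
            unknown_positions.append(i)
        else:
            known_sum += luhn_contribution(int(ch), i)
    # ways[r] = number of fillings of the unknown digits seen so far whose Luhn
    # contributions sum to r (mod 10)
    ways = [0] * 10
    ways[0] = 1
    for i in unknown_positions:
        nxt = [0] * 10
        for r, w in enumerate(ways):
            if w == 0:
                continue
            for d in range(10):
                nxt[(r + luhn_contribution(d, i)) % 10] += w
        ways = nxt
    needed = (-known_sum) % 10  # the residue that makes the whole number valid
    return ways[needed]


if __name__ == "__main__":
    for pan in SAMPLE_PANS:
        rec = tokenise(pan)
        print(display_mask(rec), rec["token"], "candidates:", candidate_pans(rec))
```

For every record the stored fields leave 100,000 Luhn-valid numbers that could be the original, so a stolen table of these records is not a table of card numbers. The caveat raised upthread still holds: issuer prefix plus last four is enough to convince a customer on the phone that the caller is their bank or ISP, so the truncated record is still personal data that needs the same access controls and breach handling as the rest of the customer database.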

  8. TeeCee Gold badge
    WTF?

    Really?

    She said that it had been a reasonable position for cops to take as the police's priority was to catch the criminals.

    No, it's an entirely unreasonable position. Even the dumbest, pigshit-thick woodentop would know that their chances of actually getting their paws on the culprits is somewhere around sod-all.

    Rather less if, as is usual, the scrotes are happily ensconced in Russia or anywhere else where law enforcement is deaf, dumb, blind, drunk, stupid and susceptible to bribes just in case a miracle happens.

    1. Anonymous Coward

      Re: Really?

      "No, it's an entirely unreasonable position. Even the dumbest, pigshit-thick woodentop would know that their chances of actually getting their paws on the culprits is somewhere around sod-all."

      But, erm, they did catch them.

      Chances of catching professional black hat - quite slim. Chances of catching a script kiddy who will give themselves away as such in every communication they make - pretty high.

      1. Vic

        Re: Really?

        But, erm, they did catch them.

        They caught someone. It remains to be seen if they caught the right ones...

        Vic.

    2. Anonymous Coward

      Re: Really?

      Rather less if, as is usual, the scrotes are happily ensconced in Russia or anywhere else where law enforcement is deaf, dumb, blind, drunk, stupid and susceptible to bribes just in case a miracle happens.

      Middlesbrough?

    3. Doctor Syntax Silver badge

      Re: Really?

      "Rather less if, as is usual, the scrotes are happily ensconced in Russia"

      Fortunately the "dumbest, pigshit-thick woodentop" appears to have been brighter than you as several suspects have been apprehended and the nearest to any of them being ensconced in a foreign country is one in Co Antrim, N Ireland.

  9. circusmole
    Happy

    Well, you have to eat, don't you?

    She said: "I was clear by lunchtime [the next day] that the sensible thing to do to warn customers, that would make them safer...

    But she went on to say "...that it seemed a shame to leave the splendid spread that had been laid on for the board, and such a waste. When we had finished at the trough (what a blow-out!) we had a little chat about telling our customers about the cock-up."

  10. Anonymous Coward

    Must be nice when your husband's an M.P.; it must make these things a lot easier.

    She said the company had wanted to inform customers of the breach sooner, but had been advised by police not to do so. "One of the most difficult periods was the first 36 hours of the attack," she said. The company had received a ransom demand and had informed the police. "The next day it was very clear there was a real risk material number of customers data stolen."

    Let me dissect this: someone is ransoming you directly, probably in a way they think they won't get caught. Why would you want to hide this? Would they then not accept the ransom and just release the data? Unlikely.

    It seems to me that by not releasing the fact they had been hacked put people in danger of their information being used for nefarious purposes which is just not on. Surely someone on the select committee should have raised this issue?

  11. Kane
    Devil

    Misplaced recruitment opportunities

    "What the criminals effectively did was successfully find a needle in a haystack of haystacks."

    Well, then maybe they should be hired to work on PRESTON, the intelligence services may have a better chance of finding the terropedoists.

    1. Anonymous Coward

      Re: Misplaced recruitment opportunities

      Seriously.

      Someone needs to keep an eye on this for if/when they're recruited as "informants" by GCHQ. They're clearly having enough problems hiring actual professionals as it stands to be properly on the table.

  12. heyrick Silver badge

    You know, in some other cultures...

    ...the response expected of somebody who failed this badly...

    ...would be a self inflicted ritual disembowelment.

  13. Martin hepworth

    avoidable?!?

    Seriously, this was a SQL-Injection vuln and they'd been breached 2 previously documented times this year alone....

    As to the lack of a CISO and a well trained security team, and dropping it to the business units to sort this out, I'd suggest this isn't a good idea in today's world.

    1. John Brown (no body) Silver badge

      Re: avoidable?!?

      "Seriously, this was a SQL-Injection vuln and they'd been breached 2 previously documented times this year alone...."

      And WTF did she mean about previous attacks being by 3rd parties? Which party were this lot of hackers from? 1st? 2nd? 5th column maybe?

      I really don't know if she's as stupid as she sounds or if she's an expert at marketing bullshit and thinks/knows she's talking to technical illiterates.

      The unfortunate first response in this country (and many others, we are not alone) when something goes wrong is to blag it and keep blagging it until the evidence is overwhelming, then to back-pedal and claim [insert new excuse here] even after being convicted.

  14. Velv
    Facepalm

    Yes, Minister

    Bernard Woolley: What if the Prime Minister insists we help them?

    Sir Humphrey Appleby: Then we follow the four-stage strategy.

    Bernard Woolley: What's that?

    Sir Richard Wharton: Standard Foreign Office response in a time of crisis.

    Sir Richard Wharton: In stage one we say nothing is going to happen.

    Sir Humphrey Appleby: Stage two, we say something may be about to happen, but we should do nothing about it.

    Sir Richard Wharton: In stage three, we say that maybe we should do something about it, but there's nothing we *can* do.

    Sir Humphrey Appleby: Stage four, we say maybe there was something we could have done, but it's too late now.

  15. Lotaresco

    Clueless

    The Dido Harding one-woman comedy show continues. Immediately after the incident she didn't know what encryption is or if Talk-Talk needed it. Within days she was whining that no one had told her that there's a need to look after personal data and then offered the opinion that there's no law that says that companies need to protect personal data.

    Now, suddenly, she's the person responsible for "cyber" security.

    At least she serves a useful function as a practical example of the Dunning–Kruger effect.

  16. Doctor Syntax Silver badge

    In view of http://www.bbc.co.uk/news/technology-35110909 maybe the board should consider leaving security in the hands of someone who actually knows about it.

  17. A Ghost
    Mushroom

    Weasel words

    from the Wicked Witch. I'd actually like to call her something else, but it's so offensive it even offends me.

    Dido I don't believe you. If you told me night was day, I still would look outside to check.

    My contract is up with TittleTattle and I'm moving to BT - it's actually not even any more expensive, except I get a 40GB cap - I can live with that.

    I had my details stolen and talk talk lied to me by omission, if not outright (which they probably would have, should I have wasted my time to spend 8 hours on the phone to the Philippines just to be cut off, again).

    They really are an insufferable bunch of pricks, and next year I'm voting with my feet.

    [God it must be bad - happy to go to BT - but still I really have to kick these jokers where it hurts]
