Cyber security buck stops with me, says Dido Harding
I agree, so now you should resign.
The chief executive of TalkTalk, Dido Harding, has told MPs that she alone is responsible for cyber security at the company, but that the operator does not yet know if the major hack it experienced in October was avoidable. The hack led to the personal details of more than 156,000 people being accessed by hackers and the …
"... advice received from the police was not to warn our customers."
That wasn't advice, it was a request.
"She said that it had been a reasonable position for cops to take as the police's priority was to catch the criminals."
True, but it should have been her priority to protect her customers.
Avoidable or not? Really?
That's such a poor excuse for still having no plans to have one person in charge with sole responsibility for it; it sounds as if they've learnt nothing. She's not responsible for it; if she were, then she'd have resigned for being so utterly clueless about the subject.
Their complete lack of security let 15-year-old children get in with a 17-year-old, well-known vulnerability that they were warned to fix yet did not fix. She "doesn't know if it was avoidable"!? Framing it as dastardly criminals that couldn't possibly be stopped is entirely in the realm of make-believe, when they have failed to implement even basic precautions.
She has no business being in a position responsible for individuals' data when she is so clueless. An example should be made of their negligence in protecting our data so that other businesses take it seriously; otherwise, if you get off with a slap on the wrist, why would any business bother to put any money into doing it properly?
Forget terrorism, the biggest threat to cyber security is a spineless ICO that lets these businesses and government orgs make the same schoolboy errors over and over. They need to be knocked out of the bad processes and habits that repeatedly lead to big data breaches.
She said the company had wanted to inform customers of the breach sooner, but had been advised by police not to do so. "One of the most difficult periods was the first 36 hours of the attack," she said. The company had received a ransom demand and had informed the police. "The next day it was very clear there was a real risk material number of customers data stolen."
She said: "I was clear by lunchtime [the next day] that the sensible thing to do to warn customers, that would make them safer. For understandable reasons, advice received from the police was not to warn our customers."
If you can manage to unscramble the nonsense above and turn it into reasonable English, it still remains complete bollocks.
The ransom demand received was pertaining to the DDOS attacks, and there is no possible way that a DDOS can, on its own, cause a loss of customer data, although obviously it can be used to screen other attacks.
That makes a nonsense of the statement "The next day it was very clear there was a real risk [ of a ] material number of customers data [ being ] stolen"
Why would that be very clear? And why would the police have anything to do with that breach, when what they were investigating was a ransom note pertaining to a further DDOS?
The DDOS had nothing to do with the loss of data, and to conflate the two as Dido has just shows the total lack of grasp she has on the whole affair. It's no wonder they are unable to tell what data is missing yet, when they clearly have no idea what occurred.
This whole statement is as confused now as her original outpourings were when the incident happened.
Not having the data in the first place. Which I believe was her point about the "tokenisation" of the credit card numbers - apparently they explicitly did not save six of the digits which make them usable.
Except that they DID have (some of) the data, which means that they could be used in a social engineering attack which is most certainly a 'format' above encryption, not below it.
She said that it had been a reasonable position for cops to take as the police's priority was to catch the criminals.
No, it's an entirely unreasonable position. Even the dumbest, pigshit-thick woodentop would know that their chances of actually getting their paws on the culprits is somewhere around sod-all.
Rather less if, as is usual, the scrotes are happily ensconced in Russia or anywhere else where law enforcement is deaf, dumb, blind, drunk, stupid and susceptible to bribes just in case a miracle happens.
"No, it's an entirely unreasonable position. Even the dumbest, pigshit-thick woodentop would know that their chances of actually getting their paws on the culprits is somewhere around sod-all."
But, erm, they did catch them.
Chances of catching professional black hat - quite slim. Chances of catching a script kiddy who will give themselves away as such in every communication they make - pretty high.
"Rather less if, as is usual, the scrotes are happily ensconced in Russia"
Fortunately the "dumbest, pigshit-thick woodentop" appears to have been brighter than you as several suspects have been apprehended and the nearest to any of them being ensconced in a foreign country is one in Co Antrim, N Ireland.
She said: "I was clear by lunchtime [the next day] that the sensible thing to do to warn customers, that would make them safer...
But she went on to say "...that it seemed a shame to leave the splendid spread that had been laid on for the board, and such a waste. When we had finished at the trough (what a blow-out!) we had a little chat about telling our customers about the cock-up."
Must be nice when your husband's an M.P.; it must make these things a lot easier.
She said the company had wanted to inform customers of the breach sooner, but had been advised by police not to do so. "One of the most difficult periods was the first 36 hours of the attack," she said. The company had received a ransom demand and had informed the police. "The next day it was very clear there was a real risk material number of customers data stolen."
Let me dissect this: someone is ransoming you directly, probably in a way they think they won't get caught. Why would you want to hide this? Would they then not accept the ransom and just release the data? Unlikely.
It seems to me that not releasing the fact that they had been hacked put people in danger of their information being used for nefarious purposes, which is just not on. Surely someone on the select committee should have raised this issue?
Seriously, this was a SQL-Injection vuln and they'd been breached 2 previously documented times this year alone....
As to the lack of a CISO and a well-trained security team, and dropping it to the business units to sort this out, I'd suggest this isn't a good idea in today's world.
"Seriously, this was a SQL-Injection vuln and they'd been breached 2 previously documented times this year alone...."
And WTF did she mean about previous attacks being by 3rd parties? Which party were this lot of hackers from? 1st? 2nd? 5th column maybe?
I really don't know if she's as stupid as she sounds or if she's an expert at marketing bullshit and thinks/knows she's talking to technical illiterates.
The unfortunate first response in this country (and many others, we are not alone) when something goes wrong is to blag it and keep blagging it until the evidence is overwhelming, then to back-pedal and claim [insert new excuse here] even after being convicted.
Bernard Woolley: What if the Prime Minister insists we help them?
Sir Humphrey Appleby: Then we follow the four-stage strategy.
Bernard Woolley: What's that?
Sir Richard Wharton: Standard Foreign Office response in a time of crisis.
Sir Richard Wharton: In stage one we say nothing is going to happen.
Sir Humphrey Appleby: Stage two, we say something may be about to happen, but we should do nothing about it.
Sir Richard Wharton: In stage three, we say that maybe we should do something about it, but there's nothing we *can* do.
Sir Humphrey Appleby: Stage four, we say maybe there was something we could have done, but it's too late now.
The Dido Harding one-woman comedy show continues. Immediately after the incident she didn't know what encryption is or if Talk-Talk needed it. Within days she was whining that no one had told her that there's a need to look after personal data and then offered the opinion that there's no law that says that companies need to protect personal data.
Now, suddenly, she's the person responsible for "cyber" security.
At least she serves a useful function as a practical example of the Dunning–Kruger effect.
from the Wicked Witch. I'd actually like to call her something else, but it's so offensive it even offends me.
Dido I don't believe you. If you told me night was day, I still would look outside to check.
My contract is up with TittleTattle and I'm moving to BT - it's actually not even any more expensive, except I get a 40GB cap - I can live with that.
I had my details stolen and TalkTalk lied to me by omission, if not outright (which they probably would have, should I have wasted my time to spend 8 hours on the phone to the Philippines just to be cut off, again).
They really are an insufferable bunch of pricks, and next year I'm voting with my feet.
[God it must be bad - happy to go to BT - but still I really have to kick these jokers where it hurts]