The reaction to the latest big leak (from TalkTalk) has been interesting … there's a certain amount of sympathy for TalkTalk, with people blaming the cybercriminals and claiming that no system can be made fully secure. There's a nugget of truth in saying something like that, but it's not the whole truth.
Yes, there is a truism within the security world that there is no such thing as a secure computer; or rather that the only secure computer is one that has been turned off, had it's disks thrown into an active volcano, has been entombed within a huge concrete block, and has been buried at the bottom of the Mariana Trench (add as many ways of saying "unreachable" as your audience can stand). But it's a truism, and isn't supposed to be used as a get out of gaol free card by anyone getting their data hacked.
If it is true about the ransom demand (and it's not impossible that the ransom demand came from someone other than the group that hacked TalkTalk), the hackers were probably just after money. In which case they didn't target TalkTalk directly; they probably targetted all of the big ISPs and picked the "low hanging fruit". That translates as the hackers did a vulnerability scan of all the ISPs and found that TalkTalk were the easiest to attack.
And it is not as if this has not happened before :-
- http://www.actionfraud.police.uk/millions-of-talktalk-customers-vulnerable-to-fraud-after-data-breach-feb15
- http://www.actionfraud.police.uk/news/carphone-warehouse-hacked-2.4-million-customer-details-stolen-what-to-do-if-you-have-been-affected-aug15 (this was Carphone Warehouse but TalkTalk customers were effected)
Looks like they keep getting hacked (and these are just the ones that we know about). By selling the details on, the hackers will have already made plenty of money from hacking TalkTalk.
Yes, ultimately the cybercriminals are responsible for hacking TalkTalk and stealing the data, but that does not mean that TalkTalk are not to blame for not taking adequate action to protect themselves against hacking. There is a whisper that this hack was due to an SQL injection attack which isn't some kind of masterclass hacking attack, it's in the hands of script kiddies. And is prima faca evidence that TalkTalk haven't reviewed their code for security vulnerabilities for years.
There's calls for the government (it's interesting how the free market fans always cry help to the government every time they encounter a problem) to tackle cybercrime. But it is also time to give the Information Commissioner the power to fire company executives, and use it against the TalkTalk executives. Simply blaming the cybercriminals lets executives who are asleep at the wheel to get away with their incompetance.
And perhaps the Institute of Directors should start talking about minimum budgets for IT security.
But more importantly, it is essential that security is deeply embedded throughout every department of IT; it is all too easy to establish security tokenism. Simply appoint someone in charge of security, and then say "No" to any suggestion that requires money or incovenience.
