Businesses that are successfully hacked in the same way British telecoms company TalkTalk was last year should face “significant fines,” a UK government report recommends.
“Failure to prepare for or learn from cyber-attacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent,” Jesse Norman MP, chair of the Culture, Media and Sport committee said.
Meanwhile, CEO Dido Harding has been granted a £220,000 bonus for the year — which the company says she is donating to charity.
TalkTalk was hacked in October 2015, and the data of 157,000 of its customers was accessed (initial estimates had been much higher). The hackers got in using an “SQL injection,” people close to the hack told Business Insider at the time, and carried out the attack for “sh-ts and giggles.”
An SQL injection is a rudimentary attack, and it is easy to defend against. It works by submitting input that a poorly written application passes into a database query as commands rather than as data, which can be used to dump information or to gain access to a machine, and the technique has been known about for more than 15 years.
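To make the point above concrete, the following is an added example written for this article, not code from TalkTalk or from the committee's report. It uses Python's built-in sqlite3 module with a constructed in-memory customer table (the table, rows and function names are all assumptions) and shows the two ways the same lookup can be written: one that pastes user input into the query text, and one that passes it as a bound parameter so the database never treats it as SQL.

```python
import sqlite3

# Constructed sample data for the demonstration; none of it is real customer data.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "01234 000001"),
    ("bob@example.com", "01234 000002"),
    ("carol@example.com", "01234 000003"),
]


def make_db():
    """Create an in-memory database with a small customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, phone TEXT)"
    )
    # executemany with ? placeholders is itself the safe, parameterized form.
    conn.executemany(
        "INSERT INTO customers (email, phone) VALUES (?, ?)", SAMPLE_CUSTOMERS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """The flawed pattern: user input is concatenated into the SQL text.

    Whatever the caller supplies becomes part of the statement, so a value
    containing a quote character can change the query's meaning.
    """
    query = "SELECT email, phone FROM customers WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, email):
    """The hardened pattern: a parameterized query.

    The statement text is fixed; the driver sends the value separately, so
    the database compares it as a string and never parses it as SQL.
    """
    return conn.execute(
        "SELECT email, phone FROM customers WHERE email = ?", (email,)
    ).fetchall()


def demo():
    """Run both lookups on a normal value and on a crafted one.

    Returns the number of rows each variant produced, so the difference
    between the two patterns can be checked rather than just printed.
    """
    conn = make_db()
    normal = "alice@example.com"
    # A classic textbook input: the quote closes the string literal and the
    # OR clause makes the WHERE condition true for every row.
    crafted = "' OR '1'='1"
    results = {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_crafted": len(lookup_vulnerable(conn, crafted)),
        "safe_normal": len(lookup_safe(conn, normal)),
        "safe_crafted": len(lookup_safe(conn, crafted)),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The vulnerable version returns one row for a real address but every row in the table for the crafted input, which is exactly the kind of bulk data dump the article describes. The parameterized version returns one row for the real address and nothing for the crafted input, because there is no customer whose e-mail address is literally that string. The fix costs one line and no extra dependencies, which is why the report treats a “plain vanilla” injection as avoidable.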
But TalkTalk didn’t adequately protect against it, and the hackers exploited this — with the company losing 100,000 customers and an estimated £42 million in the subsequent fall-out.
Six people have since been arrested, almost all of them teenagers.
The Culture, Media and Sport committee now thinks companies have an obligation to be more proactive in protecting against attacks like these.
The committee’s report into cybersecurity, published Monday, talks about the responsibilities of companies handling customer data, and proposes unspecified fines for instances where the hack could reasonably have been avoided if additional precautions had been taken.
These fines will increase in severity depending on how negligent the company has been, the report recommends: “The ICO should introduce a series of escalating fines, based on the lack of attention to threats and vulnerabilities which have led to previous breaches.”
And it adds: “A data breach facilitated by a ‘plain vanilla’ SQL attack, for example, or continued vulnerabilities and repeated attacks, could thus trigger a significant fine.”
So if a company has customer data stolen by a sophisticated, nation-state-sponsored attack, then they’re probably not going to be at fault. But if teenage hackers manage to steal data with a simple SQL attack — like TalkTalk — then the penalties should be more severe.
TalkTalk was inadequately prepared, the report says: “Although TalkTalk had run various business continuity exercises, including potential risks like cyber-breaches, TalkTalk had not exercised and planned on how to handle a cyber-attack on this scale.”
The report also argues people who have had their data compromised in a hack of a company should be able to seek financial redress more easily. “We believe it should be easier for consumers to claim compensation if they have been the victim of a data breach,” it says. “There are a number of entities (for example the Citizens Advice Bureau, ICO and police victim support units) that could in principle provide further advice to consumers on seeking redress through the small claims process.”
Such a move could help customers feel more compensated when their data has been stolen due to a company neglecting cybersecurity. And it could also put a greater financial burden on companies in the aftermath of hacks.
Committee chair Jesse Norman MP said in a statement (emphasis ours):
Companies must have robust strategies and processes in place, backed by adequate resources and clear lines of accountability, to stay one step ahead in a sophisticated and rapidly evolving environment. Failure to prepare for or learn from cyber-attacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent.
As the TalkTalk case shows, the reality is that cyber-attacks are a constant, evolving threat. TalkTalk responded quickly and well to this attack, but appear to have been much less effective in the past, failing to learn from repeated breaches of different kinds.
TalkTalk also released its annual report on Monday, describing the breach as a “major challenge for the business.” But, it argues, the company has come out at the other end stronger (emphasis ours):
The October 2015 cyber attack was a major challenge for the business. However, it provided valuable insight and evidence that focusing on existing customers yields significant commercial and reputational benefits. As a result of the honesty and openness with which TalkTalk approached the data breach (including the offer of a free upgrade to all customers in recognition of their loyalty), trust in the brand has increased. Customers are now, on average, more willing to trust, and buy more products from TalkTalk, than they were before the attack.
CEO Dido Harding was awarded a £220,000 bonus by TalkTalk for the financial year ending in March 2016. She is donating it to charity, the company’s annual report says.