TalkTalk Telecom is one of Britain's largest communications providers. The company has more than 4 million customers and offers a broad range of services, including mobile, fibre broadband, fixed-line telephony and pay TV.
On October 21, 2015, TalkTalk suffered a combined cyber attack. It began with a distributed denial-of-service (DDoS) attack that took down the company's marketing, sales and customer service website. At the same time, the company's customer database was breached through an SQL injection vulnerability in its website. The attackers extracted the details of 156,959 customers, including the bank account details of 15,656 of them, together with login credentials for the customer website. The company suspended its e-mail service for 24 hours and took its customers' personal account area offline for several weeks; it was restored to full service only after about three months.
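The attack vector named above, SQL injection, is worth seeing in code. The following is an added example and is not TalkTalk's code (its application and schema are not described on this page): a constructed Python/SQLite customer lookup that splices user input into the query, beside the same lookup with a bound parameter. The table, the three sample customers and the payload are invented for the illustration.

```python
import sqlite3

# Constructed sample records (not TalkTalk's schema or data): username,
# e-mail, bank sort code and account number for three made-up customers.
SAMPLE_CUSTOMERS = [
    ("alice", "alice@example.com", "12-34-56", "12345678"),
    ("bob", "bob@example.com", "65-43-21", "87654321"),
    ("carol", "carol@example.com", "11-22-33", "11223344"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "username TEXT, email TEXT, sort_code TEXT, account_no TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Account lookup that splices the caller's input straight into SQL.

    Whatever the user types becomes part of the statement, so a value such
    as  x' OR '1'='1  turns a one-row lookup into a dump of every row.
    """
    sql = (
        "SELECT username, email, sort_code, account_no FROM customers "
        "WHERE username = '" + username + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Same lookup with a bound parameter: the input is data, never SQL."""
    sql = (
        "SELECT username, email, sort_code, account_no FROM customers "
        "WHERE username = ?"
    )
    return conn.execute(sql, (username,)).fetchall()


# Payload an attacker would supply in place of a username. The closing quote
# ends the intended string literal and the tautology matches every row.
INJECTION = "x' OR '1'='1"


def demo():
    """Return (rows leaked by the vulnerable query, rows from the safe one)."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, INJECTION)
    safe = lookup_safe(conn, INJECTION)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print(f"vulnerable query returned {len(leaked)} rows:")
    for row in leaked:
        print("  ", row)
    print(f"parameterised query returned {len(safe)} rows")
```

The point a practitioner should take from this is that the fix is structural, not a filter: with the parameterised query the payload is compared as a literal username and matches nothing, whereas the concatenated query hands the attacker every bank detail in the table. A single injectable page anywhere on a site is enough, which is why the scale of the breach above was decided by the database contents rather than by the attackers' sophistication.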
As a result, the company's sales fell, since most of its mobile sales to new customers had been made online. By some estimates the company lost more than 250,000 customers, not counting the potential customers lost while the sales website was offline for remediation. In addition, the company received a ransom demand for £80,000 (450,000 ILS).
Initially it was feared that the attack was state-sponsored and that the data of all of the company's roughly 4 million customers had been compromised, as a group of hackers claimed responsibility. Within a few days it became clear that the situation was less serious for Britain, but far worse for the company: British police arrested five individuals aged 15 to 20. One of them, an 18-year-old from Wales, was reported to have been directly involved in the attempt to blackmail the company.
The attack carried out by these teenagers caused the company not just considerable embarrassment but, above all, massive financial damage. The cost was initially estimated at £30-35 million (170-200 million ILS), but later estimates put it at almost twice that, up to £60 million (340 million ILS). That figure covers the response teams, IT costs, external consultants, forensics, reputation repair, credit monitoring, lost sales, free upgrades and so on.
TalkTalk had a limited cyber insurance policy. Its coverage, estimated at about £5 million, was plainly insufficient: only about 8.3% of the total damage. It is worth noting that despite the attack, TalkTalk still reported positive results, with profits and dividends up.
The attack on TalkTalk is undoubtedly one of the most severe cyber events to have taken place in Europe. Cyber security had apparently not been taken very seriously before the attack, and the way it unfolded should be a warning light for the global business sector as far as awareness and genuine commitment to the issue are concerned. The fact that a company of this size could be attacked by young, local players who inflicted damage of hundreds of millions of shekels, together with the company's ability to recover economically from such an attack, should serve as a basis for learning and for drawing important lessons.
Competence, Leadership & Transparency
The company's response and its initial, confused and unfocused attempts at problem-solving suggest that it never had a structured, well-rehearsed emergency plan for a cyber event of this type. On the day of the attack the company notified law enforcement and opened an internal investigation. The following day it chose to address all of its customers on television, informing them of the event and how they should conduct themselves in light of it, so as to guarantee the widest possible distribution of its announcement. At the same time, the board of directors commissioned an independent investigation of the attack by an external firm.
Baroness Diana Mary "Dido" Harding, the company's CEO, gave numerous media interviews after the event and dealt bravely and transparently with the severe criticism she faced. The company's financial reports all included details of the attack, far beyond anything seen in similar cases worldwide. For several days the CEO appeared on air daily, reporting on developments and on how the event was being handled, including the steps the company had taken to minimise the damage to its customers. From one interview to the next, Harding looked better: more confident, better informed of the specifics of the event and, above all, far more focused on the customer and on instilling confidence in viewers, listeners and customers. Statements such as "if we go on doing what's best for our customers, as we have been doing over the last few weeks, we will be judged by our deeds and not by our words" are true, except that the company will also be judged for what it had not done before the attack.
The Customer is the Primary Concern
During November 2015, TalkTalk announced several promotions and special offers, including upgrades of existing packages at no extra cost for affected customers. These initiatives did little good. The company lost 250,000 customers (7%), 40% of whom went to its chief rival, BT. One fifth of those who left did so because they had lost confidence in the company. Because the company had no structured response plan ready, the upgrade offers caused a great deal of embarrassment. Many customers could not leave without paying an early-termination fee; this kept them on the books but drove the company's dissatisfaction index up. It can be argued that this saved the company from a mass exodus at the very moment it most needed its customers to stay. "I did not choose to stay," said one customer, "I was forced to stay." TalkTalk had not only neglected to take cyber security seriously, leaving its customers to pay the price; it also failed to compensate them properly.
Baroness Harding, regarded as a business prodigy, was appointed to lead the TalkTalk Telecom Group and improve its performance after a decline that had begun in 2009. To do so, the company had to cut operating expenditure and make extensive staff reductions. Was cyber security compromised by those efficiency drives? According to Baroness Harding, the answer is yes. In the years between her appointment and the October 2015 attack the company was hit by at least four significant and widely publicised cyber events, yet management failed to give them sufficient weight. This should serve as a warning light, especially for the Israeli banking system, which is currently required to present an efficiency improvement plan at the demand of the Banking Supervisor, Hedva Bar. In Bar's words: "The banks should set forth and present to the Banking Supervision Department a long-term efficiency improvement plan, which is to include clearly-defined interim objectives plus monitoring and supervision of the actual implementation of the plan by the banking corporation's board of directors."
A Threat in the Supply Chain
After the attack, TalkTalk began comprehensive inspections of its IT systems, including its supply chain. A notable example concerns the company's decision to outsource its customer service centre. For that purpose TalkTalk had engaged Wipro, an Indian company, which handled 90% of all customer calls. During the inspections, TalkTalk discovered that three employees of its service centre in India had helped defraud customers. These frauds had nothing to do with the October 2015 hack, but the company's need to regain its customers' trust drove it to act all the more decisively, openly and resolutely. In late January, TalkTalk announced that it was considering ending its relationship with the Indian company, which may pay a heavy price for the actions of its employees. When it rains on the injured party, it seems, everyone gets wet.
Business Risk & Occupational Hazard
Cyber risk is a systemic risk to every organisation without exception, and for that reason it is also an occupational hazard for the managers of those organisations; some of them will have to cope with attacks that shake their organisations to the core. Cyber risk presents a complex and unusual picture compared with other threats: it is unpredictable, hard to diagnose, relate to and understand, and its indirect effects, such as reputational damage and loss of confidence, are usually far more severe than the direct damage of the attack itself.
Managers must be familiar with the fundamentals of securing the systems they use. Encryption, proactive security, information sharing, exercises and cyber insurance must not remain concepts known only within the internal discourse of the IT division. TalkTalk was severely criticised for failing to encrypt customer data in line with widely accepted industry standards. Worse still, the CEO could not even say whether the data was encrypted or not, as her reply to an interviewer's question shows: "The awful truth is, I do not know."
TalkTalk is a good example of a company that had numerous warning signs, a background of high vulnerability and the potential for a serious cyber event. It had been attacked several times in recent years while undergoing internal efficiency drives that involved cuts, among other things, to cyber security. This is a clear indication that the company failed to notice the signs and to take adequate protective measures well in advance.
The TalkTalk case should be a warning light for organisations undergoing efficiency improvement processes. Such processes are unquestionably essential to the business, but the threats will only intensify as dependence on computing grows, so the task becomes harder: we must find a way to make security more efficient without weakening it. Involvement of senior management in cyber security processes is a step in the right direction.
In this context, cyber incident exercises are an excellent tool for managing such events. Exercising means knowing exactly where the weaknesses lie in the organisation's readiness to cope with a cyber event. It provides an opportunity to improve the organisation's ability to identify, manage and contain significant cyber events and to learn how to minimise business and reputational damage. A good exercise enables an ongoing, methodical learning process for each of the groups that must act in a coordinated manner. Such a process, properly planned and developed, improves competence and the ability to cope with cyber threats despite the uncertainty they involve. The lesson of the TalkTalk case is that in cyber security, deeds matter more than words.
Ram Levi is the founder and CEO of Konfidas, a firm of specialists that assists organisations with cyber security planning and exercises. He previously served as secretary of the prime minister's national committee whose recommendations led to the establishment of the National Cyber Bureau. Today he serves, among other roles, as cyber technology consultant to the National Council for R&D at the Ministry of Science & Technology.