On the 23rd October 2015, it became public knowledge that 156,959 TalkTalk customers had their personal data exposed due to the insecure retention of customer records. The breach dealt a major reputational blow to the telecommunications provider, and for many, the company has joined a growing list of brands that are now synonymous with a major breach of personal data.
Approximately four percent of the company’s 4 million-strong customer base were affected by the breach. Most of the victims lost personally identifiable information (PII), rather than financial records. Subsequent analysis revealed that attackers gained access to the bank account numbers and sort codes of 15,656 customers. Aside from the tangible damage, one of the most reported on aspects of the incident was the fact that the security controls in place had been apparently undermined by teenagers.
The TalkTalk breach is notable not only due to the scale of the incident, but because of the perceived inexperience of the perpetrators. A data breach carried out by low-capability outsiders can undermine the trust consumers place in third parties to hold their personal data securely and may also bring into question the quality of any security controls in place.
To put it another way, data theft at this scale is rarely, if ever, the consequence of a single security flaw or failure. Breaches of this kind are made possible by cumulative inadequacy, the combination of multiple vulnerabilities. Similarly, in cases where breaches are not the product of a determined threat actor but of inadvertent human error, it is security controls, checks and balances that dictate the volume of data lost and prevent escalation.
To that end, a mega-breach where millions of records are compromised, comparable to that experienced by Myspace, River City Media or LinkedIn is only possible following systemic failures, a lack of mitigation, and the exploitation of “stacked vulnerabilities”.
Stacked vulnerabilities are the cumulative weight of multiple security flaws which significantly expand the likelihood and scale of a security incident. For instance, sensitive data may be vulnerable if the allocation of administrative privileges is not managed appropriately, particularly where employees who no longer require access to the records continue to hold it regardless.
Similarly, when employees are given the opportunity to use personal devices for work purposes, the lack of uniformity can expose critical vulnerabilities in the differing hardware and operating systems. As firms are increasingly keen to obtain personal information for targeted services and marketing, data is being retained more widely, including by unaccountable third parties.
A combination of individual vulnerabilities can become greater than the sum of their parts, leading to situations where simply misplacing a laptop can spiral into a comprehensive data breach.
Stacked vulnerabilities do not appear overnight but are better understood to be a consequence of a corporate culture of retroactively identifying and plugging security gaps after the detection of a breach.
This approach exacerbates financial loss and reputational damage, and will become increasingly unsustainable as regulatory bodies impose heavier fines on organisations that continually fail to meet their security obligations. For instance, TalkTalk was fined £400,000 by the Information Commissioner’s Office (ICO) in October 2016.
The introduction of the General Data Protection Regulation (GDPR) across Europe and the UK from the 21st May 2018 will bring with it a new regulatory framework designed to address the challenges around the retention and processing of sensitive data in the digital age.
Foremost amongst the changes is the 72-hour period in which an organisation must notify the relevant authorities that a breach has occurred, enforceable by a €10 million fine that will hopefully convince organisations to proactively establish a robust security posture instead.
It’s not just the business sector that’s grappling with its security obligations.
According to the Breach Level Index, the National Health Service (NHS) ranks third among organisations threatened by a mega-breach in 2017, with approximately 26 million records at risk. The public sector retains vast volumes of our personal data and is consistently under threat from cyber intrusion.
For instance, the United States Office of Personnel Management (OPM) was the target of one of the largest data breaches in US history, with approximately 22 million records stolen in June 2015, including social security numbers and security clearance credentials. Once you factor in the threat posed by organised criminal gangs and capable state-sponsored adversaries that may intend to undermine a public body, the need for a secure defence is immediately apparent. To that end, the threat posed by a mega-breach will always be within the public interest; after all, it is our personal data which will be exposed to resale and reuse in fraudulent activity.
At the time of writing, US credit monitoring agency Equifax has publicly announced that a total of 143 million individual accounts have been compromised, affecting almost half the population of the United States and exposing immediately targetable data including driving licenses, social security and credit card numbers. This data will almost certainly be used for identity theft and targeted phishing attacks against the individuals who have been affected. At this point, there is little recourse – no remediation, class action lawsuit, regulatory action or drop in share price will return the compromised data.
The incident serves as a timely reminder that no organisation is too big to fail and that wherever personal information is collected, there is an obligation to retain the data securely. Only by setting aside time to understand the threat actors, their methodologies and the vulnerabilities they exploit is it possible to avert a security incident on the scale of the mega-breach.