When it comes to cybersecurity, the UK public need to wise up or face the consequences. That is one of the many findings of a fresh government report triggered by the TalkTalk data breach last year.
The report, titled 'Cyber Security: Protection of Personal Data Online', is the result of a month-long inquiry into the TalkTalk breach and subsequent handling of the incident by the firm's chief executive Dido Harding.
At the time of the hack, on Friday 23 October, the firm disclosed that customer names, addresses, dates of birth, phone numbers, email addresses, account information, credit card details and bank details had been stolen by cybercriminals.
"There needs to be a step change in consumer awareness of online and telephone scams," the UK government said in the report. "All relevant companies should provide well-publicised guidance to existing and new customers on how they will contact customers and how to make contact to verify that communications from the company are genuine. This verification mechanism should be clearly signposted and readily accessible."
For businesses hit by cyberattacks, the government said the UK data watchdog – the Information Commissioner's Office (ICO) – should be able to "introduce a series of escalating fines" based on the lack of attention to threats that led to the breach. "A data breach facilitated by a 'plain vanilla' SQL attack, for example, or continued vulnerabilities and repeated attacks, could thus trigger a significant fine," it said.
Currently, the ICO can only levy a £1,000 fixed fine against UK firms for failure to report a data breach. This power, the government said, should be strengthened. "The ICO should introduce an incentive structure that inhibits delays, for example escalating fines for delays in reporting a breach," the report noted. "There should also be scope to levy higher fines if the organisation has not already provided guidance to all customers on how to verify communications."
Interestingly, the report also acknowledged the potential problems caused by the nascent Investigatory Powers Bill – also known as the Snoopers' Charter. During an oral evidence session at parliament, the ICO warned that the proposals create a "haystack of potential problems" due to the massive amounts of extra data firms will be expected to store.
On this, the report noted: "We received evidence from academics who agreed on this point. The vulnerability of additional pooled data is an important concern that needs to be addressed urgently by the Government. Part of the response could be to require enhanced security requirements and background checks for those with access to large pools of personal data."
The Investigatory Powers Bill, which recently progressed in the House of Commons, seeks to grant UK police, intelligence agencies and government enhanced surveillance capabilities. For UK firms, however, it demands that all communications and internet metadata are stored for a period of 12 months.
Jesse Norman, chairman of the committee, said: "Failure to prepare for or learn from cyberattacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent.
"As the TalkTalk case shows, the reality is that cyberattacks are a constant, evolving threat. TalkTalk responded quickly and well to this attack, but appear to have been much less effective in the past, failing to learn from repeated breaches of different kinds."
During her evidence to the UK parliament, Dido Harding admitted the firm "underestimated" the threat posed by hackers.
"We thought that we had taken security seriously. We were underestimating the challenge," she said, before promising urgent changes to the business. "The danger is we are asking the wrong question: are we safe? It's a lazy question because the only really safe way is not being online. We tend to see security as a technology issue not a business one."
In the wake of the breach, TalkTalk said the fallout cost the firm up to £60m ($86m) and resulted in the loss of 101,000 customers. However, most recently it was reported that, despite this, Harding still received £1.8m ($2.6m) in bonuses last year.