TalkTalk chief executive Dido Harding has touted a "fundamental change" in how the UK telecommunications firm operates following the significant cyberattack it suffered last year that had an impact on more than 150,000 customers.
When the company was attacked last October, hackers accessed a total of 156,959 customer records, including 15,656 "obscured" bank accounts and sort codes. As the dust settled, a number of arrests were made in the UK – with many of the suspects being teenagers – in a joint operation between the National Crime Agency (NCA) and the Metropolitan Police cyber unit.
Now, following an internal analysis of the firm's cybersecurity capabilities conducted by PWC, TalkTalk is taking steps to bulk up its security and recover some of the 101,000-strong pool of customers it lost as a result of the hacking incident.
According to the Financial Times, the report – which remains mostly confidential due to ongoing police investigations – found that both the firm's data and its computers need to be better secured in future. Furthermore, it highlighted the fragmented structure of the business as a weak point in its security set-up. In response, Harding said the report raised "existential" questions about how the firm was operating at the time of the attack and how it now needs to evolve going forward.
What was lost in the TalkTalk hack?
The firm said:
- The total number of customers whose personal details were accessed is 156,959;
- Of these customers, 15,656 bank account numbers and sort codes were accessed;
- The 28,000 obscured credit and debit card numbers that were accessed cannot be used for financial transactions, and were 'orphaned', meaning that customers cannot be identified by the stolen data.
"[The issue] goes a lot deeper than security," she explained. "TalkTalk's culture is one of a start-up... new services, desire to innovate, move fast. The company has fewer people focused on established systems. The business needs to mature in the way it operates. We are running a much bigger, established business."
"The PwC report does make sobering [reading but] the vast majority of it is relevant to most organisations. Every leader in every business needs to take it seriously. We thought that we had taken security seriously. We were underestimating the challenge.
"The danger is we are asking the wrong question: are we safe? It's a lazy question because the only really safe way is not being online. We tend to see security as a technology issue not a business one."
After a period of reflection – and heavy government scrutiny – Harding said she has no regrets about how TalkTalk handled the breach. "Being open and honest from day one is one of the best things we have done. TalkTalk was not a highly trusted brand before the cyberattack but customers now say that we looked after them in difficult circumstances," she claimed.
Checks and balances
The statements come following TalkTalk's first financial report of 2016 – which reported the hacking incident cost the firm upwards of £60m ($85m) and revealed a trading impact of £15m alongside 'exceptional costs' totalling a hefty £45m.
However Harding has maintained that, despite the impact of the hack, the financial situation of the firm appears to be stabilising. Indeed, the report revealed that a revenue increase of 1.8% was listed for the final quarter of 2015. "It is encouraging to see the business returning to normal after a challenging quarter that was dominated by the cyberattack," said Harding at the time.