Cyber-attack on TalkTalk provides lessons for businesses on how to reduce the risk of a data breach and what to do if one does occur.

UK phone provider TalkTalk has suffered a “significant and sustained” cyber-attack on its networks, leading to a significant data breach as customer information has been stolen, reappearing for sale on the dark web. The event reveals the increasingly sophisticated nature of these attacks. The damage has been exacerbated by further opportunist “attacks” on TalkTalk customers through “phishing” and “vishing” (voice phishing).

At this early stage, we try to identify some of the issues and potential lessons for businesses to consider. We understand the “classic” method of attack, a distributed denial of service (DDoS), was used. TalkTalk’s website was flooded with traffic to the point where it was unable to cope. During the attack, customers’ data was removed. TalkTalk received an extortion demand from a “cyber-jihadist” group for the return of the data.

Examples of major cyber-attacks in the US show their consequences can be dire. The attack on Target Corporation in late 2013 saw an enormous data breach, with 40 million customer credit card details stolen, posted to the dark web, and sold to fraudsters for an estimated $50m. The sales, reputation and financial value of Target were severely damaged. Target’s chief executive resigned and other executives were summoned to appear before the US Congress. Target faced penalties estimated at up to $1.1bn. Even in the UK, a data breach can lead to the Information Commissioner’s Office (ICO) levying fines of up to £500,000 ($770,038).

A key aspect for any business is to ensure they “manage the message” to the public. How much do you say about the extent of the data breach, and when do you notify customers and/or the ICO? Data breaches are sometimes not discovered until weeks or months after the original hack. This does not appear to be the case for TalkTalk, who have said the data breach is “not as bad as first thought”. It is hoped fraudsters will not be able to access customers’ bank accounts, but it seems there have already been follow-up “scams” against customers.

While the impact of the financial and regulatory fallout remains to be seen, parliament will be investigating. Other businesses should consider TalkTalk a wake-up call. DDoS attacks, previously a distant threat faced by large companies based in the US, have arrived in the UK and are here to stay.

Businesses must consider the adequacy of their cyber security technology to withstand DDoS and other forms of cyber-attack. Businesses should test their systems and identify weak spots. The National Crime Agency has published guidance on cyber-crime. Further, businesses should consider enhancing their risk management through suitable cover to alleviate the consequences of a data breach, including business interruption, reputational damage and claims by customers, to name a few. Tailored cyber insurance policies are becoming more widely available.

Finally, UK businesses should not be complacent about the devastation a data breach leaves in its wake. Any business with a website could be next – have you thought about how you will answer the ICO when asked what steps you had in place to prevent a data breach?

This article was first published on 4 November 2015 by Insurance Day.