TalkTalk Breach Fuels Call for Tougher UK LawsStiffer Fines and Compensation for Breach Victims Considered
A third data breach affecting London-based telecommunications provider TalkTalk has prompted sharp questions from U.K. public officials about whether stronger breach notification laws and breach-related penalties might help prevent more such incidents from occurring.
British police have arrested a 15-year-old boy in connection with the latest breach (see: TalkTalk Hack: Police Bust Suspect). The company's apparently poor information security practices have led some British legislators to question whether their country's breach-related protections are strong enough and whether future breach victims should receive direct compensation. "The TalkTalk data leak has put millions of consumers at risk and yet it's still not clear what rights they have," says Chi Onwurah, U.K. Labor party MP and shadow cabinet minister.
But she tells the Guardian that the government's Department of Culture, Media and Sport will soon debate breach notification requirements as well as compensation for victims. "I'm calling for a code of practice to encourage companies to take greater responsibility for data loss so that if an insurer loses your details and you get a hundred calls a week flogging [payment protection insurance] they have to compensate you."
Stronger notification requirements will likely go into effect in the next few years, once the EU Data Protection Directive goes into effect. Likewise, the EU recently adopted a new Directive on Payment Services that includes stronger breach notification requirements, and which will take effect in two years (see TalkTalk Attack Highlights Worldwide Breach Concerns).
Attorney and information law expert Marc Dautlich at U.K.-based law firm Pinsent Masons says TalkTalk has done a good job of coming clean quickly in the wake of its latest breach. "The telecom industry will be urgently grappling with the challenges this latest large-scale data breach flags-up," Dautlich says. "TalkTalk is being very upfront with customers about the scale and significance of the breach. Being straightforward with customers and offering effective guidance about risk control steps will help TalkTalk to limit the impact on both customers and brand."
But TalkTalk is already facing sustained criticism over the three breaches it has suffered this year, which critics see as evidence of poor information security practices. Notably, the latest breach appeared to involve a preventable SQL injection attack, which makes a database spit out stored information, reports security blogger Brian Krebs, citing a single source. The hack apparently was masked with a distributed denial-of-service attack, Krebs reports, and someone behind the attack demanded an Â£80,000 ($123,000) ransom, payable in bitcoins, to not release the stolen data.
TalkTalk acknowledged that it received a ransom request, though it did not disclosed the amount demanded. In its breach notification to customers, the company also says: "Not all of the data was encrypted, but we can confirm that we do not store complete credit card details on the website." It adds that attackers also did not access any customers' account passwords.
The company has not responded to a request for comment about exactly what data it does encrypt, or whether its systems are compliant with the Payment Card Industry Data Security Standard.
Current U.K. data protection regulations require that "appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." But the regulations do not mandate the use of encryption for PII, even though many security experts now recommend that organizations encrypt all PII, given its resale value on cybercrime marketplaces.
Based on the information that was stolen, TalkTalk CEO Dido Harding tells the Financial Times that customers are at risk from scammers. But she has dismissed reports that any TalkTalk customers suffered any related, direct fraud, saying that "it is just factually impossible," given the type of data that was stolen.
Harding also tells the Financial Times that TalkTalk's security operations center is outsourced to BAE Systems, which is continuing to investigate the breach.
Coincidentally or not, the TalkTalk breach occurred just one week after the company advertised that it was "seeking a skilled and highly experienced information security officer to assist with the ongoing program of work to define, promote, achieve and maintain compliance with TalkTalk Information Security Group Policies with a view to reducing the risk of information security compromise," the Register reports.
Will TalkTalk Face Fines?
The U.K. Information Commissioner's Office, which enforces the country's data privacy laws, has confirmed that it's investigating the breach. It has warned all TalkTalk customers to beware of related identity theft attacks.
The ICO uses its ability to impose fines sparingly, and agency officials have continued to stress publicly that they see the agency's role as being less about punishing companies for breaches and more about trying to create a culture focused on prevention. "Not looking after personal details of customers is the fastest way to lose business," Christopher Graham, who heads the ICO, tells the BBC in an interview focused on the TalkTalk breach.
But former U.K. government technology ambassador Simon Moores, who chairs the International e-Crime Congress, believes that the ICO's related enforcement efforts have been "somewhat toothless."
"The Information Commissioner needs to have more powers to reflect the direction of travel ... at a time of rampant identity theft and exploitation of financial details," Moores tells Reuters.
Are Stronger Laws the Answer?
Security experts say European breaches are widespread but underreported because Europe lacks the stronger notification laws found in some other countries, including the United States.
To help cut down on those breaches, many security and privacy experts have long argued that the ICO needs stronger enforcement capabilities and must impose stiffer penalties. Currently, for example, the ICO can fine organizations only up to Â£500,000 ($770,000) when they violate the country's data protection laws. First-time offenders have tended to escape with a warning, or perhaps a small fine, although the ICO in 2013 did slap Sony with a Â£250,000 ($383,000) fine for its 2011 PlayStation Network breach.
But EU data protection commissioners should soon have much greater enforcement-related powers, Steve Durbin, managing director of the Information Security Forum, tells Information Security Media Group. The in-progress reboot of the EU Data Protection Directive likely will enable regulators to fine a company up to 2 percent of its annual gross revenue, up to 100 million euros ($110 million), for any security-related lapses or privacy violations, he says.