The TalkTalk cyber hack: City experts respond
City University London experts in Electronic Warfare Studies and Information Science have stressed the need for stronger measures to secure customer information in light of the recent cyber attack on the website of phone and broadband company TalkTalk on 21st October 2015.
In what has been widely regarded as a very serious data breach, the names, telephone numbers, email addresses, postal addresses, credit card and bank details of all 4m of TalkTalk’s customers could have been accessed in unencrypted form.
Professor David Stupples, Professor of Electronic Engineering and Director of Electronic Warfare Studies in the Department of Electrical and Electronic Engineering, says that companies such as TalkTalk have ironically not kept in lock-step with new IT systems - despite being in the business of retailing new mobile phone technology:
“TalkTalk’s investment in new IT has not been spectacular and the company is probably very wary of the costs and levels of disruption involved”.
He explains further that TalkTalk’s current woes have their genesis in “Legacy IT and the difficulties relating to the upgrade or replacement of legacy systems, particularly when it affects customers.” Professor Stupples says TalkTalk relies on a Customer Relationship Management (CRM) system to support its operation and its very many high street/shopping mall outlets, and a universal billing system for collecting revenue. “When this system was first developed, CRM and Billing were supported by a single database without any form of encryption.” He notes that before the sophistication of modern cyber attacks, customer data collected by companies such as TalkTalk was protected by access controls, meaning that company employees could only access the data required for the role they were performing. Stating that cyber attacks as we know them today “were in their infancy”, he believes that access to sensitive customer data would have been difficult.
Encrypting data at rest
Over recent years, however, businesses have moved online, and remote access to sensitive data has become commonplace. Sensitive customer data is becoming more visible to hackers and criminals. To have central data encrypted, City’s cybersecurity academic says “a cryptographic key handling problem emerges as so many offices need access.”
In Professor Stupples’ view, the key step for TalkTalk, or for any company of its kind handling sensitive data, is the encryption of ‘data at rest’, as distinct from ‘data in transit’, which is already more securely encrypted:
“TalkTalk should be reminded that it has a duty of care to its customers and so it must move to encrypting data at rest. Account information needs to be separated from more general customer details. This entails a major redesign of CRM and billing. We have seen recent examples of major IT upgrade disasters (RBS and Halifax to name but a few) in which bank customers have been unable to access their salaries and accounts. This has led to costly delays. Most of these upgrades or system replacements have involved the incorporation of encryption to protect customers.”
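The two points made above, that encrypting central data raises a key-handling problem when many offices need access, and that account information should be stored separately from general customer details and encrypted at rest, can be shown in a small model. The following is an added example written for this page; it is not code from the article, from City University London, or from any TalkTalk system. It uses only the Python standard library, so AES is replaced by a labelled HMAC-SHA256 counter-mode stand-in with an integrity tag; the role names, record layout and sample customer are constructed for the demonstration, and in a real deployment the role keys would live in a KMS or HSM and the cipher would be AES-GCM.

```python
"""Encryption at rest with a separated account store and per-role key wrapping.

Added example, not from the article. Stdlib only: `_keystream_xor` plus `seal`/
`open_sealed` are an encrypt-then-MAC stand-in for AES-GCM (assumption: you would
swap in AES-GCM from the `cryptography` package). The structure is the point:
general details sit in one table, account details in another that is only ever
written sealed under a per-record data key (DEK), and that DEK is wrapped once
per role that policy allows, under that role's key-encryption key (KEK). No
role ever receives another role's KEK, so "many offices need access" becomes
"many wrapped copies of the DEK", not a shared master key.
"""
import hashlib
import hmac
import json
import secrets


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, nonce || counter) blocks (toy CTR mode)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(4, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag; separate enc/mac subkeys derived from key."""
    nonce = secrets.token_bytes(16)
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    ct = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key fails here, not silently."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    mac_key = hashlib.sha256(b"mac" + key).digest()
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered blob")
    return _keystream_xor(hashlib.sha256(b"enc" + key).digest(), nonce, ct)


class CustomerStore:
    """General details in clear; account details sealed; DEK wrapped per role."""

    def __init__(self, role_keks: dict, policy: dict):
        self.role_keks = role_keks   # stand-in for a KMS holding each role's KEK
        self.policy = policy         # field group -> roles allowed to decrypt it
        self.customers = {}          # id -> general details (plaintext)
        self.accounts = {}           # id -> {"data": blob, "wrapped": {role: blob}}

    def add(self, cid: str, general: dict, account: dict) -> None:
        self.customers[cid] = general
        dek = secrets.token_bytes(32)   # fresh data key for this record
        self.accounts[cid] = {
            "data": seal(dek, json.dumps(account).encode()),
            "wrapped": {role: seal(self.role_keks[role], dek)
                        for role in self.policy["account"]},
        }

    def read(self, cid: str, role: str) -> dict:
        """A role with no wrapped DEK gets general details and nothing else."""
        record = dict(self.customers[cid])
        wrapped = self.accounts[cid]["wrapped"].get(role)
        if wrapped is None:
            return record
        dek = open_sealed(self.role_keks[role], wrapped)
        record["account"] = json.loads(open_sealed(dek, self.accounts[cid]["data"]))
        return record

    def dump_at_rest(self) -> bytes:
        """What a disk image or database dump of this store would contain."""
        accounts = {cid: {"data": r["data"].hex(),
                          "wrapped": {k: v.hex() for k, v in r["wrapped"].items()}}
                    for cid, r in self.accounts.items()}
        return json.dumps({"customers": self.customers, "accounts": accounts}).encode()


def build_demo() -> CustomerStore:
    """Constructed sample: two roles, only billing may decrypt account data."""
    keks = {"billing": secrets.token_bytes(32), "support": secrets.token_bytes(32)}
    store = CustomerStore(keks, {"account": {"billing"}})
    store.add("c1",
              {"name": "A. Customer", "phone": "01234 000000", "email": "a@example.invalid"},
              {"sort_code": "00-00-00", "account_no": "CONSTRUCTED-12345678"})
    return store


if __name__ == "__main__":
    s = build_demo()
    print("billing sees:", s.read("c1", "billing"))
    print("support sees:", s.read("c1", "support"))
    print("sort code in dump:", b"00-00-00" in s.dump_at_rest())
```

Running the block shows the billing role recovering the account details, the support role receiving only the general details, and the at-rest dump containing the customer's name but not the sort code. The `dump_at_rest` check is the property the article is asking for: a copy of the database taken by an attacker yields no account data without also obtaining a role's KEK from the key store, which is a separate system with its own access controls.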
Dr David Haynes, a Visiting Lecturer in the Department of Library & Information Science, has echoed Professor Stupples’ call for greater encryption of customer data. However, Dr Haynes observes that though there is currently no requirement for the Information Commissioner’s Office to report breaches in the security of data, this will become mandatory under new EU Data Protection regulations which are due to come into force in 2016.
Customer Relationship Management (CRM) is a term that refers to practices, strategies and technologies that companies use to manage and analyze customer interactions and data throughout the customer lifecycle, with the goal of improving business relationships with customers, assisting in customer retention and driving sales growth. CRM systems are designed to compile information on customers across different channels, or points of contact between the customer and the company, which could include the company's website, telephone, live chat, direct mail, marketing materials and social media. CRM systems can also give customer-facing staff detailed information on customers' personal information, purchase history, buying preferences and concerns.