Mark Skilton | Huffington Post | 23 October 2015
Personal data is big business for criminals.
Yet another massive data breach, the TalkTalk breach of "significant and sustained proportions" in the words of Chief Executive Dido Harding, is cold comfort for customers. What lessons must we keep learning?
Large-scale data theft is increasingly big business for professional cyber criminals. Personal identity records and account details are increasingly valuable on the open market because they can be used to masquerade as the victim, either to access and steal other data or to reach personal bank accounts directly and make fraudulent transactions.
Breaches of personal identity data are a core theme: 76 million households and 7 million small businesses at JP Morgan bank, 80 million personal medical records from Anthem Medical Insurance, and 5.6 million fingerprints and 22 million personal records stolen in the U.S. Government OPM data breach.
It was reported that some of the TalkTalk data was not encrypted, suggesting once again that lessons on controlling sensitive content have not been learned. A lack of strong data controls is another recurring theme of data breaches.
"The latest TalkTalk data breach shows the importance of Digital Trust to major brands in this digital age. As well as the short-term activity of fixing the security vulnerability and improving processes, TalkTalk's major longer-term challenge will be winning back the confidence of its 4 million customers to trust them with personal and financial information, even if those customers don't directly get targeted by the cybercriminals themselves," says Dan Rossner, a digital expert at PA Consulting Group, which regularly sees these challenges in company practices.
Minutes, Not Days, Count.
TalkTalk appears to have learned the lesson of responding quickly in the media to manage the damage to its reputation. Sony, Target and others delayed for days and weeks before telling customers, and that compounded the brand damage. TalkTalk has alerted banks to the theft to try to limit the follow-on from the last 24 hours, but this is now too late, as the data will already be on the move in the cybercriminal community. All that can be done is to rapidly change the "locks" and identity management of the millions affected, but that's not easy, of course. Why was this done?
So what can customers do now?
Advice from Stephen Bailey, a cyber security expert at PA, includes these issues:
- If your TalkTalk username is your email address and you use that email/password combo anywhere else, change it immediately wherever you use it. And make your TalkTalk password unique to that site from now on. The attackers may still be in there!
- Check frequently for odd activity on sites where you used the same TalkTalk log-in credentials. Go back over your online bank account and check for any transactions you don't recognize. Also, check your account details (home address, etc.) are correct.
- Keep watching for reliable news stories about the breach. It will take a while for the full details of how you might be affected to come out.
Mark Skilton is a digital strategy expert at PA Consulting Group