3. TalkTalk – 2003-2015
• 2003: founded as a subsidiary of Carphone Warehouse
• 2006: ‘Free broadband forever’ campaign marred by long waiting lists, poor service delivery and Advertising Standards Association (ASA) complaints
• 2010: Dido Harding appointed CEO; company demerges and lists
• 2010: company publicly criticised by ICO for intrusive telephone marketing; found by Ofcom to have been incorrectly billing 65,000+ customers
• 2012: second to market with an integrated TV/broadband/phone/mobile bundle
• Regularly rated amongst the worst UK landline and broadband service providers
• The company suffered two data breaches earlier in 2015, and its share price had fallen 30% in the six months prior to its third breach
Source: Ofcom - 2013, Which - 2015
10. TalkTalk data breach – overview
• DDoS attack followed by SQL injection by unknown assailant(s) takes down company website
• TalkTalk updates website homepage to acknowledge the attack and within 24 hours notifies regulators and customers of the data breach and appoints external cyber investigators
• With 4 million customers’ data at risk, initial media reports focus on the sources and impact of the attack
• Hackers then post TalkTalk customer data online and demand ransom, triggering rumours and media coverage about customer fraud, and raising questions about the company’s security practices and honesty
• TalkTalk claims the attack has not affected ‘core systems’; with customers trying to break their contracts, the company offers to waive its customer termination fee
• ICO regulatory investigation results in a record GBP 400k fine; wide-ranging parliamentary inquiry into cyber security praises TalkTalk’s ‘strong crisis management response’ but is critical of its failure to plan properly for a cyber attack of this scale
• Teenage attackers later convicted and jailed
Source: UK Culture, Media & Sport Select Committee, 2016
11. TalkTalk Data Breach Timeline – Oct/Nov 2015
[Timeline chart covering 21 Oct – 10 Nov 2015, with four lanes: TalkTalk, Media/social media, Share price, External actors. The event labels shown on the chart are listed below; their dates and lane positions are not recoverable from the extracted text.]
• Cyber-attack
• Formally raised in Parliament, teenage hacker arrested & bailed
• Confirms 21k customers affected, 28k cards accessed, 1.2m customer details stolen
• Announces 12 months free credit monitoring with Noddle
• Police launch criminal investigation, ‘TalkTalk Hackers’ post data to Pastebin
• Second arrest
• Confirms 157k customers affected, 16k customers’ bank details & 28k ‘orphaned’ customer cards accessed
• Publicly confirms cyber-attack, notifies ICO
• Publishes update, states attack not on ‘core systems’
• Detects DDoS attack, takes down customer website
• Publishes update, responds to Police arrest
• Publishes update, announces termination fee waiver
• House of Commons Culture, Media & Sport Committee launches inquiry
• Fourth arrest
• DDoS attack
• The Register reports website outage, customer complaints via email, social media
• Hackers send ransom to TT CEO
• Media/online speculation on attack origin
• Complaints about scams
• Customer letter distributed and published on TT website
• Customers complain of poor customer service, unusual account activity
• Coverage of fraudulent credit card activity
• Senior MP accuses TT of ‘cover-up’ & calls for inquiry
• Third arrest
• Suspect’s lawyers file privacy suits against Google, Twitter and three national newspapers
• Widespread negative reaction to TT confirmation of unencrypted data
• Customers complain of not being allowed to terminate contracts
• Confirms investigation by specialist cybersecurity firm
12. Significant reputational challenges
• Unclear nature of attack and motivation of attacker(s)
• High visibility of attack due to its nature, scale and duration, the perceived quality of TalkTalk’s response, and recent data breaches at TalkTalk and other companies
• The company’s historic reputation for poor quality product and customer service and, in the aftermath of the attack, its IT security
• Ongoing rumours and scams involving TalkTalk contribute to fears about bank account info, rumours about customer fraud, and links to terrorism
• A skeptical, combative media and blogosphere
• Regulatory, parliamentary and criminal investigations into the attack
• Thin leadership understanding of cybersecurity
• Deepening pressure on TalkTalk’s CEO to resign
13. TalkTalk data breach – talking points
• Attack nature and consequences
  • Source of attack
  • Impact on company operations
  • Impact on share price
• Rumours of customer fraud
  • Safety of customer bank info
• TalkTalk IT security practices
  • Data encryption
  • Tiscali integration
• Quality of TalkTalk response
  • Communications speed and accuracy of statements re number of customers impacted and types of data involved
  • Customer termination fee waiver
  • IT security fix
• TalkTalk leadership & governance
  • CEO visibility, acknowledgement & apology
  • Board cybersecurity knowledge
  • Focus on top-line growth to the detriment of IT security, privacy, etc
29. What went well
• Speed and transparency of communications response
• Dido Harding’s visibility, acknowledgement of responsibility, apology, and empathy during and after the crisis
• The responsiveness of the company’s social media team
30. What could have worked better
• Sometimes muddled and seemingly evasive nature of statements regarding the source, timing, size and impact of the breach, and about the types of data involved, encryption, and contract terminations
• Victimhood claim when the breach was not an isolated incident and when TalkTalk was seen as unprepared and selective with the facts
• Decision to respond initially through the mainstream media, leading customers to complain of a lack of direct communication by TalkTalk
• Need for greater leadership and management knowledge of cyber attacks, customer security and technology jargon
31. Implications for TalkTalk
• Strengthen cybersecurity; better understand the link between cybersecurity, corporate reputation and risk management, and ensure all are board-level responsibilities
• Prepare a strong cyber/data breach incident response plan, including a multi-scenario communications plan, and regularly train incident response and crisis teams in different scenarios
• Ensure communication about customer compensation is clear and timely, and is understood by customer service
• Provide ongoing cybersecurity awareness education for leadership, employees and customers
• Build constructive relationships with relevant cybersecurity-related stakeholders and opinion-formers in advance of an incident/crisis