Euro Security Watch with Mathew J. Schwartz

Data Breach , Governance , Incident Response

TalkTalk Took a Big Bath Over Breach Up to $94 Million in Expenses, Plus 95,000 Lost Customers
TalkTalk Took a Big Bath Over Breach

Here's more evidence how a data breach can have a major financial impact. U.K. telecommunications giant TalkTalk announced last week that its October 2015 breach will likely cost it up to £65 million ($94 million) and has led to the loss of 95,000 customers. That assessment was delivered as part of the company's third quarter financial report, which covers the period from Oct. 1 to Dec. 31 of last year.

See Also: Avoid 75% of all Data Breaches by Keeping Privileged Credentials Secure

The company says it lost an estimated £20 million ($29 million) in revenue while its site was down because new customers couldn't sign up for many types of services. Plus, TalkTalk literally resorted to paying existing customers not to leave by offering free upgrades after it took flak for controversially stating that no customers would be legally permitted to break their existing contracts - for example for mobile phone subscriptions - without paying a penalty, unless they could prove that they had suffered financial damage as a result of the hack. Privacy experts said that proving such damage would likely be impossible.

"TalkTalk literally resorted to paying existing customers not to leave." 

But paying customers to stay didn't come cheap. TalkTalk estimates that the free upgrades, plus the breach remediation itself, cost £40 million to £45 million ($58 million to $65 million). That includes "the exceptional costs of restoring our online capability with enhanced security features, associated IT, incident response and consultancy costs, and free upgrades," TalkTalk says.

To recap, the company says the breach resulted in 157,000 individuals' personal information being accessed by attackers, including 16,000 bank accounts and related sort codes, plus 28,000 tokenized credit card numbers. British police, as part of their investigation into the hack attack and a related ransom demand, have arrested five suspects, four of whom are teenagers (see TalkTalk Lesson: Prepare for Breaches).

Advanced 'Sequential Attack'

When it came to responding to the breach, TalkTalk initially moved slowly. CEO Diana Mary "Dido" Harding initially said attackers had wielded a "sequential attack" against her company, by which she appeared to mean a SQL injection attack. Many security experts say injection vulnerabilities are easy to spot and eradicate, provided businesses take the time and effort to do so.

TalkTalk CEO Mary "Dido" Harding issues a post-breach mea culpa.

Despite Harding's apparent discomfort in front of the camera, however, she wasn't reluctant to issue mea culpas in media interviews - and via YouTube - over the fact that her company had suffered its third data breach in just 12 months.

The head of the publicly traded company is now attempting to spin its $94 million breach bill as having been not that bad, and portraying the 14 percent of customers who snapped up freebies as being a strong response. "It is encouraging to see the business returning to normal after a challenging quarter that was dominated by the cyberattack," Harding says in a statement. "Our customers have responded well, with almost half a million customers choosing to take up our unconditional offer of a free upgrade."

A TalkTalk spokeswoman tells me that while year-on-year quarterly revenue would have increased by 4.8 percent, breach-related costs ate 3 percent of that increase.

Embarrassing Security Failures

Another surprising - if belated - result of the breach investigation has been the discovery of an apparent scam attack against the company's customers. TalkTalk says in a Jan. 27 blog post that its breach incident-response team uncovered evidence that three employees at India-based Wipro, which provides call center services to TalkTalk, had stolen customers' data and were tied to attempted telephone scam campaigns targeting the telco's customers.

"Acting on information supplied by TalkTalk, the local police [in Kolkata] have arrested three individuals who have breached our policies and the terms of our contract with Wipro," TalkTalk says. "We are also reviewing our relationship with Wipro."

What remains unclear, however, is how many customers will drop TalkTalk once they can leave without paying a financial penalty.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network