So now we have our own Target. Details are still sketchy, but it looks as though millions of TalkTalk customers have been thoroughly compromised. From the sound of it, there were some pretty basic failures, including lack of encryption and retention of sensitive data in the same location as everything else. Was this predictable? Of course. Is this an IT failure? Well, yes, but more importantly it’s a corporate governance failure. Charmingly, the chief executive has admitted that ‘in retrospect’ their IT security was inadequate. You think? The question, of course, is how often was she told it was inadequate before the event? Did her Board even ask the question? Brent, Howard, Ian, James and John – I’m looking at you. I wonder whose heads will roll. Who’ll take a fiver on the directors dodging the bullet?
What can we learn from this latest debâcle?
Firstly, that even in V3, PCI-DSS isn’t doing the job. Target was compliant (with V2); I’m making the (possibly erroneous) assumption that TalkTalk were compliant as well. Did the Board take this as sufficient proof of security?
Secondly, that the present legal regime is inadequate. The cost of these breaches falls disproportionately on the consumer, and there is neither a legal duty to disclose promptly, nor a requirement to offer proper assistance to those affected. The penalties – corporate and personal – for this kind of incompetence are laughable.
Thirdly, that consumers remain ignorant. Not only do they continue to choose services on price, not on security, they also refuse to listen when it comes to basic self-protection. There was an illuminating comment from a consumer in an article in the Times saying ‘like every other person in the country you go with an account password that’s easy to remember and use it for lots of different things’. Really? Would you be happy if your house and car keys were the same?
So, my tips of the day:
If you’re a business that handles personal information, especially financial details, get serious about security today. Get a properly qualified consultant (CISSP or CISA) to do a full review, and if your non-exec hasn’t been asking searching questions about your preparedness, sack her and get one who will.
If you’re a consumer, for Pete’s sake, stop using Password01 for everything. If you really can’t get your head around passphrases, then here’s a trick for you. Think of a word that’s not obviously connected to you but easy to remember, like ‘chestnut’. Write it using a capital first letter and number substitutions, so that idiot websites that require so-called complex passwords will be happy, and add a special character afterwards. So now we have ‘Ch35tnut!’. This is not your password. This is your ‘salt’. To come up with your password for a specific website, you start with your salt and add the name of the website, or an abbreviation of it that you compose consistently, or the name of the service. So for TalkTalk your password is Ch35tnut!talktalk (or Ch35tnut!broadband), for Virgin it would be Ch35tnut!virgin, and so on. It’s not bomb-proof, but it does mean you generate a different password for every site and that the generated password is harder to crack. If you can remember the salt, then you can work out the password without needing to write it down.
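As an added illustration (my code, not the author's), here is the scheme above next to a keyed-hash variant; the hardening with HMAC-SHA256 over the site name is my assumption, and the post's own example secret and site names are reused as constructed inputs. The naive form hands the whole salt to anyone who sees one password in clear (exactly what a cleartext password reminder does), whereas the keyed form depends on the salt without containing it.

```python
import base64
import hashlib
import hmac

# Constructed sample values: the memorised "salt" and site names used in the post.
SECRET = "Ch35tnut!"
SITES = ["talktalk", "virgin", "broadband"]

# Symbol set for the complexity padding (an assumption, not from the post).
SYMBOLS = "!@#$%^&*"

def naive_site_password(secret, site):
    """The scheme as the post describes it: memorised secret + site name."""
    return secret + site

def shared_prefix(passwords):
    """Longest common prefix across a set of passwords: what someone holding one
    of them in clear learns about all the others."""
    if not passwords:
        return ""
    prefix = passwords[0]
    for pw in passwords[1:]:
        while not pw.startswith(prefix):
            prefix = prefix[:-1]
    return prefix

def hmac_site_password(secret, site, length=16):
    """Keyed-hash variant (an addition, not the author's scheme): HMAC-SHA256
    keyed with the memorised secret over the lower-cased site name. The output
    depends on the secret but does not contain it, so one leaked password no
    longer reveals the secret or any other site's password."""
    digest = hmac.new(secret.encode(), site.lower().encode(), hashlib.sha256).digest()
    body = base64.b64encode(digest).decode().rstrip("=")[: length - 4]
    # Derive one character of each class from digest bytes so the result
    # satisfies the usual "complex password" rules without a fixed suffix.
    lower = chr(ord("a") + digest[0] % 26)
    upper = chr(ord("A") + digest[1] % 26)
    digit = str(digest[2] % 10)
    symbol = SYMBOLS[digest[3] % len(SYMBOLS)]
    return body + lower + upper + digit + symbol

def has_all_classes(pw):
    """True if pw contains a lower-case letter, an upper-case letter, a digit and a symbol."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))

if __name__ == "__main__":
    print("naive passwords share:", repr(shared_prefix([naive_site_password(SECRET, s) for s in SITES])))
    for s in SITES:
        print(s, "->", hmac_site_password(SECRET, s))
```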
Two final things: if a website that needs any personal information imposes a limit on the length of your password that’s less than 16 characters, stop using that site. And when you sign up for a site, always request a password reminder immediately. If they send you an email with your original chosen password in it, in clear, stop using the site and demand that the site owner delete your account immediately.