It emerged on Wednesday of last week that the UK telecoms company TalkTalk had been hacked, and that this latest data breach could potentially expose both the personal and the bank details of its 4 million customers.
The company has since gone on the offensive, defending its data security and suggesting that its systems for managing the safety of the data it holds would rank better than those of its competitors. If this is the case, I believe UK telecoms customers should be very concerned for the safety of their personal information! TalkTalk CEO Dido Harding admitted on Thursday that she ‘did not know’ if the data was encrypted. Admittedly, encryption is not the sole method of ensuring data security, and encryption at rest does little against an attacker who reads the data through the application itself, but the response in itself does not inspire confidence.
IT experts have suggested the data breach was down to SQL injection, which is one of the most basic methods of attacking a database (a 15-year-old could do this from his bedroom!). Internet security consultants had also contacted TalkTalk in June to inform them that their website was vulnerable to this method of attack, but they received an “aggressive, defensive and dismissive” response from the company.
It is perfectly understandable that companies which store personal data may not be familiar with how best to protect it, but it is imperative that they treat this data respectfully and put a plan in place to keep it secure. There are several well-established methods of preventing basic data breaches, and no website in 2015 that stores personal data should be vulnerable to SQL injection. The standard defence is simple: never build a query by pasting user input into the SQL text; pass the input as a bound parameter of a prepared statement instead, so that the database only ever treats it as data and never as part of the query.
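To make the point concrete, the following is an added example (it is not code from the original post, and it has nothing to do with TalkTalk's actual systems, whose schema and code are unknown). It builds a small in-memory SQLite table of made-up customer records, then runs the same lookup two ways: once with the user-supplied value pasted into the query text, and once with the value passed as a bound parameter. Against the first, the textbook payload `' OR '1'='1` returns every row and a `UNION` payload enumerates the schema; against the second, the same payloads simply fail to match any username. The table, column and function names are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data: a tiny customer table standing in for a telecoms
# account database. Names, e-mails and account numbers are made up.
CUSTOMERS = [
    (1, "alice", "alice@example.com", "GB12XXXX00000001"),
    (2, "bob", "bob@example.com", "GB12XXXX00000002"),
    (3, "carol", "carol@example.com", "GB12XXXX00000003"),
]

# Two classic payloads a web form might receive in its "username" field.
PAYLOAD_TAUTOLOGY = "' OR '1'='1"
PAYLOAD_UNION = "' UNION SELECT 1, name, sql, '' FROM sqlite_master --"


def make_db():
    """Create an in-memory SQLite database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER, username TEXT, email TEXT, account TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The mistake: the user-supplied value is concatenated into the SQL text.

    A single quote in the input closes the string literal, and whatever
    follows is parsed as SQL. This is the pattern that makes a site
    vulnerable to SQL injection.
    """
    sql = (
        "SELECT id, username, email, account FROM customers "
        "WHERE username = '" + username + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """The fix: the SQL text is constant and the value is bound separately.

    The database compiles the statement first and only then receives the
    value, so quotes or keywords inside it are compared as plain data.
    """
    sql = "SELECT id, username, email, account FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(payload):
    """Run one payload through both lookups and return (vulnerable_rows, safe_rows)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, payload), lookup_parameterised(conn, payload)
    finally:
        conn.close()


if __name__ == "__main__":
    for payload in (PAYLOAD_TAUTOLOGY, PAYLOAD_UNION):
        vulnerable_rows, safe_rows = compare(payload)
        print("payload:", repr(payload))
        print("  concatenated query returned", len(vulnerable_rows), "row(s):")
        for row in vulnerable_rows:
            print("   ", row)
        print("  parameterised query returned", len(safe_rows), "row(s)")
```

The tautology payload turns the `WHERE` clause into `username = '' OR '1'='1'`, which is true for every row, so the concatenated version dumps the whole table (three rows here, four million in TalkTalk's case). The `UNION` payload goes further and reads the `CREATE TABLE` statement out of `sqlite_master`, which is how an attacker learns the names of the tables holding bank details before pulling them. The parameterised version returns nothing for either payload, because it is genuinely looking for a customer whose username is that odd string. The same rule applies whatever the database or language: prepared statements with bound parameters, or an ORM that uses them underneath, and never string concatenation.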
If you do store personal user data and are unsure whether it is secure, I would suggest you employ one of the many internet security firms who can run penetration tests on your website and tell you where you need to make changes. A web developer can then apply the suggestions, which in my experience can be very simple yet very effective.
There have been calls from several UK agencies in the wake of the TalkTalk news to regulate how data is stored. EU regulation is a long way behind the US in this area, and there does not appear to be the will across the continent to tackle this problem, which is only going to get worse as hackers become more skilled.
In the absence of regulation, every company that stores user data has an obligation to respect it and to get up to speed with basic data security.
If you require any further information on this topic, please do not hesitate to contact EchoMedia. We have extensive experience in securing and managing highly sensitive data.