Customer Data & The Key to your Digital Castle

I published an article recently following the TalkTalk customer data breach and received a number of questions from people in my network, outside the security industry, concerned with what their businesses could do better to safeguard their customer's data and avoid finding themselves in a similar situation.

Regardless of the type of attack at TalkTalk, the 'elephant in the room' is that the PII (Personally Identifiable Information) and PCI (Payment Card Industry) data were not being encrypted or tokenised. There is a standard minimum requirement for storing debit/credit card details, the PCI Data Security Standard (DSS). It's not a new principle, and pleading ignorance is not going to cut it with the PCI Security Standards Council.

https://www.pcisecuritystandards.org/security_standards/index.php

So how would encryption have helped TalkTalk? 
I like to think of it in the sense of a retailer taking their cash box deposits to the bank. In the past, large retailers were becoming subjected to attacks at the end of the business day, so they employed security services to transport their cash to the bank and protect their money.

When the security firms began to be targeted by thieves, the industry innovated a solution by 'inking' the notes within the cash deposit boxes if they were breached without the entry key/code. Why? To act as a deterrent and to render any successful robbery worthless, as the bank notes were indelibly marked and couldn't be cleansed for use. This resulted in fewer attacks on cash deposit boxes. The deposits were insured and the thieves didn't profit.

Customer data, specifically PII and PCI, are the new cash deposit boxes for unscrupulous robbers, with databases being sold for inconceivable amounts of money to an ever willing and sophisticated criminal fraternity. Protecting that customer data inside the edge of the corporate network, specifically encrypting these sensitive fields, effectively 'inks' the data if it were to leave the control of the enterprise, e.g. in a data breach. The encryption happens within the secure network and the key to decrypt is held separately by a limited number of authorised employees, reducing the threat and minimising risk.

If TalkTalk had used strong encryption across the PII and PCI data they were custodians for, the attackers would have walked away with a list of anonymised data that would be worthless to them, effectively indelibly marked without the encryption key to cleanse the data and make use of it. Let me be clear, this wouldn't have avoided the attack itself in this instance but would have limited the exposure of their customers to credit card fraud and acted as a deterrent for future attacks.
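The field-level encryption with separately held keys described above, as an added example in Go that is not part of the original article: sensitive fields (name, full card number) are sealed with AES-256-GCM before the row is written, the customer id is bound in as associated data so a ciphertext cannot be transplanted into another row, and only the truncated last four digits stay in the clear. The key is generated in memory here so the example runs offline; in a real deployment it would sit in a KMS or HSM, never beside the database. The record type, function names and sample customer are constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// CustomerRecord is the row shape as it would be written to the datastore.
// The sensitive fields hold only ciphertext; the id and the truncated PAN
// are the only values readable without the key.
type CustomerRecord struct {
	ID       string
	NameEnc  string // base64(nonce || AES-GCM ciphertext || tag)
	PANEnc   string // full card number, same scheme
	PANLast4 string // truncated display value, not sensitive on its own
}

// NewFieldKey returns a fresh 256-bit key. Stand-in for a KMS/HSM-held key.
func NewFieldKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptField seals one value. The record id is passed as associated data,
// so a ciphertext copied into another customer's row will not decrypt.
func encryptField(key []byte, recordID, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// decryptField reverses encryptField; a wrong key, a wrong record id or any
// tampering yields an error rather than garbage.
func decryptField(key []byte, recordID, encoded string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// StoreCustomer builds the row that goes to the database: encryption happens
// here, inside the application boundary, before anything is written.
func StoreCustomer(key []byte, id, name, pan string) (CustomerRecord, error) {
	if len(pan) < 4 {
		return CustomerRecord{}, errors.New("pan too short")
	}
	nameEnc, err := encryptField(key, id, name)
	if err != nil {
		return CustomerRecord{}, err
	}
	panEnc, err := encryptField(key, id, pan)
	if err != nil {
		return CustomerRecord{}, err
	}
	return CustomerRecord{ID: id, NameEnc: nameEnc, PANEnc: panEnc, PANLast4: pan[len(pan)-4:]}, nil
}

// ReadCustomer is the only path back to plaintext, and it needs the key.
func ReadCustomer(key []byte, rec CustomerRecord) (name, pan string, err error) {
	if name, err = decryptField(key, rec.ID, rec.NameEnc); err != nil {
		return "", "", err
	}
	if pan, err = decryptField(key, rec.ID, rec.PANEnc); err != nil {
		return "", "", err
	}
	return name, pan, nil
}

func main() {
	key, _ := NewFieldKey()
	// Constructed sample record; 4111... is the standard test card number.
	rec, err := StoreCustomer(key, "cust-0001", "Jane Example", "4111111111111111")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: %+v\n", rec) // what an attacker copying the table would see
	name, pan, _ := ReadCustomer(key, rec)
	fmt.Println("with key:", name, pan)
	otherKey, _ := NewFieldKey()
	_, _, err = ReadCustomer(otherKey, rec)
	fmt.Println("without the right key:", err)
}
```

The stored row is what a copied database would contain: the ciphertext fields are useless without the key, and because the key is generated and held outside the datastore, a breach of the database alone does not expose the card numbers. Binding the record id as associated data also stops an attacker who does obtain a decryption path from re-attaching one customer's ciphertext to another's row.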

If it could have been protected, why wasn't it?

Typically speaking, it's a cost conundrum: what is our cost exposure to a breach (penalties, reputational impact etc.) versus the cost of securing the data? In unregulated industries, the penalties are not significant enough to warrant protecting the data.

Quite simply put, data protection of sensitive information can be a costly practice. It takes time and thought, and requires input from a variety of corporate departments (Risk/Legal/Privacy/Operations/IT). Companies defer spending on it because other operational activities are deemed higher priority, think product innovation, marketing, customer ops etc., and live with the business risk.

From a car owner's standpoint, imagine if car insurance was not a mandatory concern. How many uninsured drivers would be out there taking the risk?

In TalkTalk's case, the gamble didn't pay off. They are one of the few that were affected, and their investment in product, customer service teams and, most significantly, advertising will be devalued, as their corporate fortress turned out to be nothing more than a house of cards. They will certainly feel this breach in their pockets, as will the shareholders, with speculation about additional penalties being levied as well as the cost to the business this week.

So what happens next?

This will obviously not spell the end of one of the UK's largest communications providers, but it will have an impact on confidence within their customer base, which I suspect will translate into churn and lost future subscriptions.

As consumers, we happily part with our most sensitive data almost daily, falsely confident in the fact that our service providers are taking reasonable measures to protect us as the custodians of this data. The question many consumers have now is "how safe is my data with this business?"

The unfortunate reality is they just won't know for sure.

The telecommunications market is a 'utility', where the perception is that competing providers' products are similar, customer service is much of a muchness and cost disparity is at best negligible. Perhaps guarantees over the protection of our personal data may become the new corporate service differentiator.

Until that time (purportedly the same time as hell freezes over), keep an eye on the news for the next large-scale breach; it will most certainly happen. Let's just hope that our providers have adequately protected our data and kept the keys to the digital castle safe with as much vigour as when they solicited our custom and our data in the first instance.

More articles by Dean Eggleton