Spotlight 17 November 2016 Dido Harding: "The first ransom demand was not a good moment" TalkTalk's Dido Harding speaks candidly to Will Dunn about how she managed every CEO’s nightmare: a cyber attack that compromised 157,000 customer accounts Sign UpGet the New Statesman's Morning Call email. Sign-up The hack may have begun weeks or months before – it is still subject to a criminal investigation – but the first telltale warning emerged on the morning of 21 October last year, when TalkTalk’s engineers noticed a latency in the company’s sales and service site. While this is not a rare occurrence, it can be an expensive one. “A priority-one technical incident,” Harding explains, “because customers couldn’t access the website fast enough. I saw that had happened, mid-morning. Often when websites start running slowly, it’s because they’re under some form of attack.” Harding returned from a lunch meeting to find the problem ongoing and becoming more serious. “Our escalation process is to immediately put the executive committee together if there’s something very serious. On that call, the team talked us through that there was indeed a live attack and that, at that stage, we believed that the attackers had breached through one defence into an online database.” It was during this meeting that the true scale of the hack became evident – not from TalkTalk’s security team, but from the hackers themselves. Harding recalls: “Roughly three or four minutes into that call – I was sitting in a meeting room in Farringdon [in central London] – I received the first ransom demand from someone purporting to be the hacker. “That,” she adds, “was not a good moment. It’s not a normal thing to receive a ransom demand in your inbox. I felt physically sick.” Due to the ongoing criminal investigation, Harding can’t go into detail about the contents of that email, but she says that “it was very clear that it was credible”. For the chief executive of a national telecoms company with four million customers, there was an immediate necessity: “I asked my security director to get hold of GCHQ, straight away.” A foreign land “At that point,” says Harding, “we immediately went into serious incident management. It was very quick; we flipped from a normal business objective to ‘hold on, this is a proper crisis’. That’s a very different prism through which to run your organisation. “I’ve had 20 years, 25 years of running business. I’ve been well trained by a number of amazing organisations and I’ve got a lot of implicit, subconscious pattern recognition on how to make business decisions. But what we discovered in the cyber attack, from that moment of getting the ransom demand onwards, was that none of us had been prepared to live in this world of spooks. We very quickly started to do what we normally did – to rely on gut instinct – until we realised that our gut instincts were based on having watched Spooks and James Bond. “You can’t rely on your intuition and your instincts if you don’t have years of pattern recognition, if you haven’t lived in that world before. We had to very quickly rely more on data and evidence, and listen more to the experts from the different security services. “Likewise, we’d had a long-standing relationship with BAE Systems, who ran our security operations centre, and I was on the phone to multiple board directors – including the chairman – of BAE, asking their advice, because of course they do live in that world. In that sense we knew very quickly that we were in a foreign land.” One of the defining characteristics of a major cyber attack is uncertainty. “If somebody breaks into your shop,” Harding explains, “you know who it is. If a foreign army has just invaded your shop, it’s pretty visible, and if it’s a local gang, it’s pretty visible. In a cyber attack, in the initial period of knowing you’ve been attacked but not knowing what’s been taken or who’s done the taking, you really genuinely don’t know if you’re in the territory of a state actor – a foreign state – or one individual acting maliciously from inside the business, or a few people from outside. You just don’t know. That makes it terrifying, in the heat of the moment.” What’s missing? As the day progressed, GCHQ put the TalkTalk team in touch with the right people at the National Crime Agency and the police. Harding continues: “That afternoon, the case was passed to the Met police, who immediately kicked off their investigation. We’d already taken the decision to bring down all of our systems, which is the safest way to act to protect your customers’ data, so the urgent thing for us, that afternoon, was to work out what might have been stolen.” As evening drew in, this became a global effort. “We used, that first night, a team from BAE based in the US, so you’re trying to use the time zones in your favour to get analysts and computer programmers immediately mobilised to start looking through lines of code to see what’s happened. [The aim is] that overnight you get to a place where, first thing in the morning, you can have a view of what’s actually been taken. “I probably slept quite easily on that Wednesday night,” Harding recalls. “I didn’t quite know what was ahead of me. I knew that there was an issue. I knew we had all the right people working on it. I’d had great advice from the law enforcement agencies on what to do, and I was expecting that someone would give me, first thing in the morning, quite a black and white view of what had been stolen and what hadn’t. What I now know is that that was a very naive hope.” Going public The following morning brought no such certainty. “At 8am on the Thursday, we had another incident call with the executive leadership team, and they took us through what they knew. What they told us was that it was going to take quite a long time to figure out which customers had been affected and what data had been stolen.” Harding and her team now faced a difficult decision: try to solve the problem quietly, or go public. “That was the biggest decision we took – if we had chosen not to warn our customers that day, but instead had waited two weeks and said 157,000 customers had been affected – it wouldn’t have been news. The actual number affected was quite small. What was different was that we thought we could protect our customers, at that moment in time, by warning all of them.” The decision to go public was partly informed by TalkTalk’s knowledge of its customers. “What we suspected then, and we know in spades now, is that having somebody steal your bank account details, in and of itself, isn’t dangerous. The problem is that the criminals then use that data to prey on the most vulnerable in society. That’s not just happening to TalkTalk customers – it’s happening in the UK and globally. The concern we had is that we serve a lot of those most vulnerable groups in society. We’re a value provider – a lot of people getting a broadband connection for the very first time get it from us – and we worried that they would be the most easily conned by these criminals pretending to be TalkTalk.” Does Harding believe other companies have kept their own data breaches quiet, and avoided the headlines that have plagued TalkTalk for the past year? “I don’t know for sure, but I think so. The awful truth is that the actual data isn’t very valuable on the dark web any more. What is valuable is people being afraid of their brand reputations. So I think this is quite a popular crime, and it’s one of the reasons we think it ought to be mandatory for businesses that experience a successful cyber attack to have to tell not just the Information Commissioner’s Office, but to tell their customers. Not least because it’s actually the only way to give people the confidence to trade online. “It never used to be mandatory to report health and safety incidents on oil rigs, until after the Piper Alpha disaster. Once it was mandatory to report it, health and safety got a lot better. Once it becomes mandatory to report that you’ve had data stolen, blackmailing you is a waste of time. Blackmailing you to keep quiet – you can’t, because you’ve got a legal obligation to tell everyone.” While the security team continued to search for answers, Harding focused her other teams on providing TalkTalk’s customers with information. But not everyone was eager to tell the press: “When we talked to the police around lunchtime, they were really adamant that they didn’t want us to go public. We ended up having a long conference call with the Metropolitan police’s hostage negotiation team, where we felt like we were almost from scratch trying to work through whether or not you should treat a digital ransom demand in the same way that you would a physical one. “[The police] were incredibly rofessional and always very supportive, but in the end, their objective is to catch the bad guys. Our objective was to protect our customers. If I could change anything, I would have gone out at lunchtime or mid-afternoon in a much more measured way. It would have been better for our customers if there had been a more ordered communication through that Thursday afternoon. “I’ve heard other CEOs since – with me in the room – say that it’s important not to go too soon and to wait until you know the scale. I couldn’t disagree more. If you can protect your customers by warning them of a potential threat, then you should do it.” The recovery plan Harding spent the Thursday evening appearing on news outlets. First thing on the Friday morning she was interrogated by “a very grumpy John Humphrys”. In between media appearances, she began planning TalkTalk’s recovery. “I was setting up the operation of the company to be able to run what became, for several months, the most important thing that the business was doing. I pulled out my group change director on the Thursday night and made him the programme director for the recovery from the cyber attack, and I asked him to mobilise all his best programme managers and project managers, to assign them to workstreams. “So we had a workstream to work out what data had been stolen, how they got in. We had a workstream for communicating with customers and managing customer contact. There was a big workstream dealing with all the big law enforcement agencies, which we called the ‘cops and robbers’ workstream – jokingly. You need to have a sense of humour to survive these situations.” A powerful lesson As the weekend arrived, one of the main priorities was to reassure four million anxious customers. “We started polling our customers, that first weekend, running statistically significant consumer research to understand how they felt about what was going on. “We tracked whether or not the messages were getting through, and whether or not we were building trust in what we did. What we saw, throughout the first three weeks, was that the more communication we engaged in, the more customers thought we were looking after them. Absolutely contrary to what a lot of commentators at the time were saying, we were using customer insight to drive how we supported our customers. It was such a powerful lesson for the whole company, that if you ask your customers what they think and act on what they tell you, things work out OK.” Have they worked out OK, then? Is TalkTalk back in control? “That might still be a work in progress,” Harding says. “On the Sunday night after the attack, I scribbled down one slide to present to my board, with three phases: one to two weeks to be off the front pages of the papers and to get the call centres under control. Then we said we were going to take until Christmas to stabilise the business, and a further three months reviewing what this meant for the strategy of the business. That is exactly what we did.” Harding’s advice for others in this situation is to get involved. “The temptation is to assume that if you’re not an engineer – and I’m not – you don’t really understand this stuff enough to know the risks you’re taking. Businesses and leaders want to ask the question ‘Are we safe now?’, and that is entirely the wrong question to ask, because the only answer you can give is no. No organisation is going to be completely safe from cyber attack. “You need to ask what risks you’re taking today by trading online, and what risks would you mitigate if you did more, and what risks would grow if you did less. You don’t need a PhD in electronics to do that. So the biggest piece of advice I give to people now is to stop asking ‘Are we safe now?’, and instead get your engineers and technologists to tell you what business risks you’re exposed to, based on where your security programme is today. “You’ll find they find it incredibly difficult to answer the question, and the more you push them, the more you will realise you don’t need a computer science degree to understand the answer. And then you are taking business decisions while knowing the risks.” › The Brexit nightmare we will soon be unable to ignore Will Dunn is business editor of the New Statesman. Subscribe For more great writing from our award-winning journalists subscribe for just £1 per month!