
Dido Harding: "The first ransom demand was not a good moment"

TalkTalk's Dido Harding speaks candidly to Will Dunn about how she managed every CEO’s nightmare: a cyber attack that compromised 157,000 customer accounts

The hack may have begun weeks or months before – it is still subject to a criminal investigation – but the first telltale warning emerged on the morning of 21 October last year, when TalkTalk’s engineers noticed a latency in the company’s sales and service site. While this is not a rare occurrence, it can be an expensive one.

“A priority-one technical incident,” Harding explains, “because customers couldn’t access the website fast enough. I saw that had happened, mid-morning. Often when websites start running slowly, it’s because they’re under some form of attack.”

Harding returned from a lunch meeting to find the problem ongoing and becoming more serious. “Our escalation process is to immediately put the executive committee together if there’s something very serious. On that call, the team talked us through that there was indeed a live attack and that, at that stage, we believed that the attackers had breached through one defence into an online database.”

It was during this meeting that the true scale of the hack became evident – not from TalkTalk’s security team, but from the hackers themselves. Harding recalls: “Roughly three or four minutes into that call – I was sitting in a meeting room in Farringdon [in central London] – I received the first ransom demand from someone purporting to be the hacker.

“That,” she adds, “was not a good moment. It’s not a normal thing to receive a ransom demand in your inbox. I felt physically sick.”

Due to the ongoing criminal investigation, Harding can’t go into detail about the contents of that email, but she says that “it was very clear that it was credible”. For the chief executive of a national telecoms company with four million customers, there was an immediate necessity: “I asked my security director to get hold of GCHQ, straight away.”

A foreign land

“At that point,” says Harding, “we immediately went into serious incident management. It was very quick; we flipped from a normal business objective to ‘hold on, this is a proper crisis’. That’s a very different prism through which to run your organisation.

“I’ve had 20 years, 25 years of running business. I’ve been well trained by a number of amazing organisations and I’ve got a lot of implicit, subconscious pattern recognition on how to make business decisions. But what we discovered in the cyber attack, from that moment of getting the ransom demand onwards, was that none of us had been prepared to live in this world of spooks. We very quickly started to do what we normally did – to rely on gut instinct – until we realised that our gut instincts were based on having watched Spooks and James Bond.

“You can’t rely on your intuition and your instincts if you don’t have years of pattern recognition, if you haven’t lived in that world before. We had to very quickly rely more on data and evidence, and listen more to the experts from the different security services.

“Likewise, we’d had a long-standing relationship with BAE Systems, who ran our security operations centre, and I was on the phone to multiple board directors – including the chairman – of BAE, asking their advice, because of course they do live in that world. In that sense we knew very quickly that we were in a foreign land.”

One of the defining characteristics of a major cyber attack is uncertainty. “If somebody breaks into your shop,” Harding explains, “you know who it is. If a foreign army has just invaded your shop, it’s pretty visible, and if it’s a local gang, it’s pretty visible. In a cyber attack, in the initial period of knowing you’ve been attacked but not knowing what’s been taken or who’s done the taking, you really genuinely don’t know if you’re in the territory of a state actor – a foreign state – or one individual acting maliciously from inside the business, or a few people from outside. You just don’t know. That makes it terrifying, in the heat of the moment.”

What’s missing?

As the day progressed, GCHQ put the TalkTalk team in touch with the right people at the National Crime Agency and the police. Harding continues: “That afternoon, the case was passed to the Met police, who immediately kicked off their investigation. We’d already taken the decision to bring down all of our systems, which is the safest way to act to protect your customers’ data, so the urgent thing for us, that afternoon, was to work out what might have been stolen.”

As evening drew in, this became a global effort. “We used, that first night, a team from BAE based in the US, so you’re trying to use the time zones in your favour to get analysts and computer programmers immediately mobilised to start looking through lines of code to see what’s happened. [The aim is] that overnight you get to a place where, first thing in the morning, you can have a view of what’s actually been taken.

“I probably slept quite easily on that Wednesday night,” Harding recalls. “I didn’t quite know what was ahead of me. I knew that there was an issue. I knew we had all the right people working on it. I’d had great advice from the law enforcement agencies on what to do, and I was expecting that someone would give me, first thing in the morning, quite a black and white view of what had been stolen and what hadn’t. What I now know is that that was a very naive hope.”

Going public

The following morning brought no such certainty. “At 8am on the Thursday, we had another incident call with the executive leadership team, and they took us through what they knew. What they told us was that it was going to take quite a long time to figure out which customers had been affected and what data had been stolen.”

Harding and her team now faced a difficult decision: try to solve the problem quietly, or go public. “That was the biggest decision we took – if we had chosen not to warn our customers that day, but instead had waited two weeks and said 157,000 customers had been affected – it wouldn’t have been news. The actual number affected was quite small. What was different was that we thought we could protect our customers, at that moment in time, by warning all of them.”

The decision to go public was partly informed by TalkTalk’s knowledge of its customers. “What we suspected then, and we know in spades now, is that having somebody steal your bank account details, in and of itself, isn’t dangerous. The problem is that the criminals then use that data to prey on the most vulnerable in society. That’s not just happening to TalkTalk customers – it’s happening in the UK and globally. The concern we had is that we serve a lot of those most vulnerable groups in society. We’re a value provider – a lot of people getting a broadband connection for the very first time get it from us – and we worried that they would be the most easily conned by these criminals pretending to be TalkTalk.”

Does Harding believe other companies have kept their own data breaches quiet, and avoided the headlines that have plagued TalkTalk for the past year? “I don’t know for sure, but I think so. The awful truth is that the actual data isn’t very valuable on the dark web any more. What is valuable is people being afraid of their brand reputations. So I think this is quite a popular crime, and it’s one of the reasons we think it ought to be mandatory for businesses that experience a successful cyber attack to have to tell not just the Information Commissioner’s Office, but to tell their customers. Not least because it’s actually the only way to give people the confidence to trade online.

“It never used to be mandatory to report health and safety incidents on oil rigs, until after the Piper Alpha disaster. Once it was mandatory to report it, health and safety got a lot better. Once it becomes mandatory to report that you’ve had data stolen, blackmailing you is a waste of time. Blackmailing you to keep quiet – you can’t, because you’ve got a legal obligation to tell everyone.”

While the security team continued to search for answers, Harding focused her other teams on providing TalkTalk’s customers with information. But not everyone was eager to tell the press: “When we talked to the police around lunchtime, they were really adamant that they didn’t want us to go public. We ended up having a long conference call with the Metropolitan police’s hostage negotiation team, where we felt like we were almost from scratch trying to work through whether or not you should treat a digital ransom demand in the same way that you would a physical one.

“[The police] were incredibly professional and always very supportive, but in the end, their objective is to catch the bad guys. Our objective was to protect our customers. If I could change anything, I would have gone out at lunchtime or mid-afternoon in a much more measured way. It would have been better for our customers if there had been a more ordered communication through that Thursday afternoon.

“I’ve heard other CEOs since – with me in the room – say that it’s important not to go too soon and to wait until you know the scale. I couldn’t disagree more. If you can protect your customers by warning them of a potential threat, then you should do it.”

The recovery plan

Harding spent the Thursday evening appearing on news outlets. First thing on the Friday morning she was interrogated by “a very grumpy John Humphrys”. In between media appearances, she began planning TalkTalk’s recovery.

“I was setting up the operation of the company to be able to run what became, for several months, the most important thing that the business was doing. I pulled out my group change director on the Thursday night and made him the programme director for the recovery from the cyber attack, and I asked him to mobilise all his best programme managers and project managers, to assign them to workstreams.

“So we had a workstream to work out what data had been stolen, how they got in. We had a workstream for communicating with customers and managing customer contact. There was a big workstream dealing with all the big law enforcement agencies, which we called the ‘cops and robbers’ workstream – jokingly. You need to have a sense of humour to survive these situations.”

A powerful lesson

As the weekend arrived, one of the main priorities was to reassure four million anxious customers. “We started polling our customers, that first weekend, running statistically significant consumer research to understand how they felt about what was going on.

“We tracked whether or not the messages were getting through, and whether or not we were building trust in what we did. What we saw, throughout the first three weeks, was that the more communication we engaged in, the more customers thought we were looking after them. Absolutely contrary to what a lot of commentators at the time were saying, we were using customer insight to drive how we supported our customers. It was such a powerful lesson for the whole company, that if you ask your customers what they think and act on what they tell you, things work out OK.”

Have they worked out OK, then? Is TalkTalk back in control? “That might still be a work in progress,” Harding says. “On the Sunday night after the attack, I scribbled down one slide to present to my board, with three phases: one to two weeks to be off the front pages of the papers and to get the call centres under control. Then we said we were going to take until Christmas to stabilise the business, and a further three months reviewing what this meant for the strategy of the business. That is exactly what we did.”

Harding’s advice for others in this situation is to get involved. “The temptation is to assume that if you’re not an engineer – and I’m not – you don’t really understand this stuff enough to know the risks you’re taking. Businesses and leaders want to ask the question ‘Are we safe now?’, and that is entirely the wrong question to ask, because the only answer you can give is no. No organisation is going to be completely safe from cyber attack.

“You need to ask what risks you’re taking today by trading online, and what risks would you mitigate if you did more, and what risks would grow if you did less. You don’t need a PhD in electronics to do that. So the biggest piece of advice I give to people now is to stop asking ‘Are we safe now?’, and instead get your engineers and technologists to tell you what business risks you’re exposed to, based on where your security programme is today.

“You’ll find they find it incredibly difficult to answer the question, and the more you push them, the more you will realise you don’t need a computer science degree to understand the answer. And then you are taking business decisions while knowing the risks.”

Will Dunn is the New Statesman's Special Projects Editor.


Investing in a secure future

Increased training and investment in cyber security infrastructure are essential in the digital age.

It is easy to underestimate how crucial the internet is to our everyday lives. It has become an essential tool in the way we communicate with others and conduct business both at home and abroad. More than 1.6m people work in the digital sector or in digital tech roles in the United Kingdom and the internet continues to provide individuals and businesses with huge opportunities.

However, we know that criminals seek to exploit the many benefits of the internet for their own personal gain, often at great expense to others. The WannaCry ransomware attack, which hit the NHS as well as other organisations, highlights the seriousness of the threat and reinforces the need to properly protect ourselves online.

In the recent Cyber Security Breaches Survey 2017, just under half (46 per cent) of all businesses identified at least one breach or attack in the last year. Although it is difficult to put an exact figure on how much this cost the UK economy, it is likely to be in the billions.

We are also all too aware of attacks by hostile state actors who look to exploit the UK through intellectual property theft, in order to further their own interests and prosperity. We take these attempts to disrupt our national security very seriously.

That is why the government set up the National Cyber Security Centre (NCSC), which provides cyber security at a national level. In its first year of being operational, the NCSC responded to 590 significant cyber incidents, more than 30 of which were sufficiently serious to require a cross-government response.

It is not just large organisations and our national infrastructure that are targeted by online criminals; individuals also face the daily threat of being scammed in their own homes. It is now the case that British citizens are 20 times more likely to be defrauded at their computer than mugged in the street.

It is a threat we all face. I strongly believe that we – individuals, businesses and the government – must play our own part to mitigate the risk and ensure that the internet is a safe and secure space for everyone. The government has legislated within the Serious Crime Act 2015 to create a new offence that applies where an unauthorised act in relation to a computer results in serious damage to the economy, the environment, national security or human welfare, or a risk of such damage occurring.

Legislating against online criminality goes some way to tackling the problem; however, close collaboration between the government, business and international partners is essential in combating the increasingly sophisticated attacks that the UK faces.

We work closely with the NCSC, which acts as a bridge between industry and government, providing a unified source of advice and the management of cyber-related incidents. It is at the heart of the government’s 2016 National Cyber Security Strategy, which is supported by £1.9bn of transformational investment to 2021.

Our law enforcement agencies across England and Wales also play a vital role in disrupting the activities of cyber criminals and bringing them to justice. They now operate as a single networked resource with the National Crime Agency (NCA) and Regional Cyber Crime Units using shared intelligence and capabilities. The NCA also has a dedicated Dark Web Intelligence Unit which targets those criminals who exploit hidden areas of the internet.

But we also want people to take their own preventative measures, so that they don’t become a target for criminals operating in cyber space. We are running a series of campaigns and programmes which aim to encourage individuals and businesses to adopt more secure online behaviours.

Cyber Aware works with over 320 public and private sector partner organisations to encourage us all to take simple steps to protect ourselves online including using a strong, separate password for our email accounts and installing the latest software and app updates on our electronic devices.

The NCSC has also recently launched expert guidance on how small businesses can easily avoid common online breaches and attacks. Should organisations seek to improve their cyber security further, they can get certification through the Cyber Essentials Scheme.

To further support the efforts of SMEs in improving their cyber security, regional cyber crime prevention coordinators engage with businesses and members of the public to provide customised cyber security advice based on the latest technical guidance from the NCSC.

We must also look to the future – we now have a whole generation that have grown up immersed in tech. It is hugely important that we harness their talents and put them to good use rather than letting them wander down a path towards criminal online activities.

We must train and engage with the next generation of cyber security experts, and that is why the NCSC is taking a leading role in promoting a culture where science and technology subjects can flourish within the education system. Their CyberFirst programme identifies and nurtures young talent through a series of summer workshops and competitions. In addition, their CyberUK 2018 programme focuses on encouraging more women to enter the technology industry, a sector that is largely seen as male-dominated.

There is a great effort across government and law enforcement to pursue online criminals, prevent those that are headed on a path towards criminal activity, protect the public and prepare for the many threats we face online. We will continue to invest in law enforcement capabilities at a national, regional and local level to ensure agencies have the capacity to deal with the increasing threat from cyber crime.

However, this is not a threat that we can tackle alone. It is everybody’s responsibility, from top to bottom, to follow the guidance provided and increase their awareness of cyber security in order to create a safe space to communicate and conduct business online.