
Talk Talk hack: how safe is our data in the hands of big companies?

The company's CEO told the Sunday Times that customer data “wasn't encrypted, nor are you legally required to encrypt it”.

By Barbara Speed

Last week’s cyber attack on mobile and internet provider Talk Talk has been surrounded by confusion. The company wasn’t sure how many customers’ data was stolen – first, they thought 4m; later, they said 40,000. When the BBC asked CEO Dido Harding if customers’ details had been encrypted (converted into code only crackable by those with the key), she said: “The awful truth is, I don’t know.”

As it turns out, they seem not to have been encrypted. The hackers, who also appear to have issued a ransom demand to the company, probably have access to the names, birth dates, addresses, account information, phone numbers, email addresses, and partial credit card numbers of those 40,000 customers. Alone, these details aren’t enough to leave you financially vulnerable – but various reports suggest the hackers have called up customers and found out their bank details using the details they already had to pose as banks or other businesses. 

So was Talk Talk lax in its security? It’s unquestionable that Harding should have known more about the company’s data security policy, especially as she remains the only company representative to speak out about the breach. But legally, as she told the Sunday Times, companies are not required to encrypt customer details – the Data Protection Act only states that companies must take “appropriate technical and organisational measures” to protect customer data. 

The encryption contradiction 

Harding’s brushing off of the encryption question has not gone down well with customers or commentators. However, Alan Solomon, a computer security expert, argues that, in this case, encryption may have been largely irrelevant. In a blogpost published on Saturday, he writes:

“Data encryption is, in this case, irrelevant. Standard practice is to store sensitive data on an encrypted file system. That way, if the computer is physically stolen, the data is safe.


“But in a scenario of “authorised user accessing the data”, the encrypted data will be decrypted and supplied, because the authorised user gave the correct decryption key.”


Solomon is referring to the fact that the hackers seem to have accessed data via an SQL injection, where they used a weakness in the company’s website to access databases. He’s arguing that if you reach a database through the application, as an authorised user would, the system decrypts the data for you just as it would for them, so you get around any encryption at the storage layer too.

However, the details of the hack still aren’t clear, and encrypted data is, by definition, more secure than unencrypted information. Joe Sturonas, CTO of smart encryption company PKWARE, says by email:

“I do believe that many companies have only focused on encrypting devices and networks, but have largely avoided encrypting the data itself . . . Encrypting the data means that the data is persistently protected, even if it moves from device to device, and across the network.”
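To make the contrast between Solomon’s and Sturonas’s points concrete, here is an added example (not from the article, Solomon’s post, or PKWARE) that models a customer table as the application sees it. Disk encryption is transparent to the running application, so an injected query returns plaintext; binding parameters stops the injection, and encrypting the sensitive column in the application means even a successful injection yields ciphertext. The table, customer rows, injection string and the XOR-based “cipher” are all constructed stand-ins.

```python
import sqlite3
import hmac
import hashlib

# Constructed sample rows: what the app sees once the volume is mounted. Full-disk
# encryption is invisible at this layer, so these are plaintext either way.
CUSTOMERS = [("alice", "1980-01-02", "4111********1111"),
             ("bob", "1975-06-30", "5500********0004")]

def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers(name TEXT, dob TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?,?,?)", CUSTOMERS)
    return conn

def lookup_vulnerable(conn, name):
    # String-built query: user input becomes part of the SQL. This is the class
    # of flaw (SQL injection) the article says was used against the website.
    return conn.execute(
        f"SELECT name, dob, card FROM customers WHERE name = '{name}'").fetchall()

def lookup_parameterised(conn, name):
    # Bound parameter: the input is treated as data, never as SQL.
    return conn.execute(
        "SELECT name, dob, card FROM customers WHERE name = ?", (name,)).fetchall()

def field_encrypt(key, name, value):
    """Stand-in for application-level (field) encryption of one column.
    Toy: XOR with a per-record HMAC-SHA256 keystream, values up to 32 bytes.
    A real deployment would use an AEAD cipher from a vetted library."""
    stream = hmac.new(key, b"card:" + name.encode(), hashlib.sha256).digest()
    return bytes(b ^ stream[i] for i, b in enumerate(value.encode())).hex()

def new_db_field_encrypted(key):
    # Same schema, but the card column is encrypted before it reaches the DB.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers(name TEXT, dob TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?,?,?)",
                     [(n, d, field_encrypt(key, n, c)) for n, d, c in CUSTOMERS])
    return conn

# Constructed input that turns the flawed WHERE clause into an always-true test.
INJECTION = "' OR '1'='1"

if __name__ == "__main__":
    print(lookup_vulnerable(new_db(), INJECTION))       # every row, plaintext cards
    print(lookup_parameterised(new_db(), INJECTION))    # [] - no customer by that name
    enc = new_db_field_encrypted(b"constructed-app-key")
    print(lookup_vulnerable(enc, INJECTION))            # rows, but card is ciphertext
```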

All this depends on how many people have access to encrypted data, and how much of it is encrypted. This is a balance, of course, and one companies are free to strike for themselves, as encryption isn’t required by law. The most worrying aspect of the Talk Talk breach, however, is that the company didn’t seem sure what its policy was, and hasn’t acknowledged that perhaps it should do more than stick to the letter of the law when it comes to protecting customers.