Talk Talk hack: how safe is our data in the hands of big companies?

The company's CEO told the Sunday Times that customer data “wasn't encrypted, nor are you legally required to encrypt it”.

NS

Sign Up

Get the New Statesman's Morning Call email.

Last week's cyber attack on mobile and internet provider Talk Talk has been surrounded by confusion. The company wasn't sure how many customers' data was stolen – first, they thought 4m; later, they said 40,000. When the BBC asked CEO Dido Harding if customers' details had been encrypted (converted into code only crackable by those with the key), she said: "The awful truth is, I don't know."

As it turns out, they seem not to have been encrypted. The hackers, who also appear to have issued a ransom demand to the company, probably have access to the names, birth dates, addresses, account information, phone numbers, email addresses, and partial credit card numbers of those 40,000 customers. Alone, these details aren't enough to leave you financially vulnerable – but various reports suggest the hackers have called up customers and found out their bank details using the details they already had to pose as banks or other businesses. 

So was Talk Talk lax in its security? It's unquestionable that Harding should have known more about the company's data security policy, especially as she remains the only company representative to speak out about the breach. But legally, as she told the Sunday Times, companies are not required to encrypt customer details – the Data Protection Act only states that companies must take "appropriate technical and organisational measures" to protect customer data. 

The encryption contradiction 

Harding's brushing off of the encryption question has not gone down well with customers or commentators. However, Alan Solomon, a computer security expert, argues that, in this case, encryption may have been largely irrelevant. In a blogpost published on Saturday, he writes:

"Data encryption is, in this case irrelevant. Standard practice, is to store sensitive data on an encrypted file system.  That way, if the computer is physically stolen, the data is safe. 

"But in a scenario of "authorised user accessing the data", the encrypted data will be decrypted and supplied, because the authorised user gave the correct decryption key."

Solomon is referring to the fact that the hackers seem to have accessed data via an SQL injection, where they used a weakness in the company's website to access databases. He's arguing that if you hack into a database by posing as an authorised user, you'll therefore be able to get around any encryption, too. 

However, the details of the hack still aren't clear, and encrypted data, is, by definition, more secure than non-encrypted infromation. Joe Sturonas, CTO of smart encryption company PKWARE, says by email:

"I do believe that many companies have only focused on encrypting devices and networks, but have largely avoided encrypting the data itself . . . Encrypting the data means that the data is persistently protected, even if it moves from device to device, and across the network."

All this depends on how many people have access to encrypted data, and how much of it is encrypted. This is a balance, of course, and one companies are free to strike for themselves, as encryption isn't required by law. The most worrying aspect of the Talk Talk breach, however, is that the company didn't seem sure what its policy was, and hasn't acknowledged that perhaps it should do more than stick to the letter of the law when it comes to protecting customers. 

Barbara Speed is comment editor at the i, and was technology and digital culture writer at the New Statesman, and a staff writer at CityMetric.