The story of the TalkTalk cyber crisis and the company’s response continues to unfold. Over the weekend we saw inevitable outrage, with stories galore of customers with “potentially hacked bank accounts” raising a whole new raft of rumours, heating the debate and breeding more noise about what might have happened and just how great the impacts may be.
The story was moved by the CEO (quite cleverly) to the broader focus of “cyber risk is a wider problem the UK needs to face up to and address” with calls for more Government support to tackle cyber crime. A fair appeal and one raised by me in my earlier blog – regulation and control or assurance in this domain is very much required – even though challenging to apply in a reasonable manner.
Now, we see the arrest of a 15-year-old boy in Northern Ireland for Computer Misuse Act offences, resulting from a joint PSNI and Metropolitan Police investigation. Strong suggestions that he may be the ‘hacker’ abound.
This raises the uncomfortable vision that TalkTalk, a large business by any terms, has been hacked by a 15-year-old. Inevitably and rightly, this will spawn further questions as to the adequacy of their security. The challenge for TalkTalk is becoming as much about managing the implications and perceptions as the realities.
As this story unfolds, we are seeing just how huge the implications of a cyber attack and data breach are, and how difficult it is to gain control of the situation in traditional crisis management style. Creating situational awareness with good information, making decisions and communicating all have uniquely challenging aspects when the intrusion involves personal data and systems few people understand.
TalkTalk is now doing almost everything it can to deal with the situation as it unfolds, but it may continue to twist out of control for a while yet. Cyber response is definitely a scenario that can and should be rehearsed and exercised, particularly at the executive level and from a communications perspective.