“It’s the legacy that gets you”, warns ex-TalkTalk boss

Dido Harding urges companies to decommission unsecured legacy systems to avoid a costly data breach

The former CEO of TalkTalk, who witnessed the fallout from the telecom provider's 2015 hack, has issued a stark warning to companies, advising them to invest in decommissioning their legacy technology systems before it's too late.

Speaking at the annual InfoSecurity Europe conference in London, Dido Harding told attendees that if they did not take the time to audit their legacy technology, it may have dire consequences further down the line.

Advertisement - Article continues below

Harding speaks from experience; it was a flaw in a legacy system that caused the catastrophic data breach of TalkTalk's systems in 2015 and led to the theft of 157,000 customers' bank details and personal information, as well as a then-record breaking fine from the ICO of 400,000.

"We were a business that had grown through a lot of acquisitions, and a business that we had bought had bought a business, that had bought a business, that had a legacy website that had an extremely simple SQL injection vulnerability in a legacy website that had not been used in two of those three acquisitions."

TalkTalk failed to properly scan the infrastructure of Tiscali when it bought the company's UK business in 2009, and was unaware that three vulnerable webpages enabled hackers to gain access to a database holding customer information, or that the database version was outdated and out of support. 

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

According to Harding, the flaw went undiscovered despite penetration testing, security audits and other forms of cyber due diligence being carried out at the time Tiscali was acquired by TalkTalk. "None of us found it. We should have done, but none of us did."

"It is the legacy that gets you," she added. "It's acquisitions and legacy within acquisitions that gets you. And it's business leaders not really hearing from their security experts that they need to spend money in decommissioning the legacy - whether they acquired it or built it themselves. And that's pretty much what happened to us."

Harding also talked in more detail about the infamous hack, including laying out TalkTalk's immediate response to it in more detail. She said that her biggest regret was not informing customers earlier, and reminded attendees that three months after the hack, TalkTalk's customer base reported higher satisfaction and lower churn than it did before.

Advertisement - Article continues below

One of the former CEO's most important takeaways from the hack was that security is a board-level issue, but also that boards are looking at security in the wrong way. Rather than looking at security as a black-and-white, pass-fail metric, boards need to see security as a spectrum of risk.

"The vast majority of boards want to be able to abdicate responsibility by asking their security professionals 'are we ok?'," she said, "and you mustn't let them ask that question."

"If you're running an oil rig, as the chief exec, you wouldn't go 'are we physically OK?'. You'd ask a different question; you'd say 'what are the risks? What are the risks I'm happy to accept, and what are the risks that I'm really worried about that we need to be pushing to mitigate?'"

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now
Advertisement

Recommended

Visit/security/ethical-hacking/356252/poorly-secured-banking-apps-lead-to-cyber-threats
ethical hacking

Mobile banking apps are exposing user data to attackers

26 Jun 2020
Visit/security/malware/356231/most-malware-came-through-https-connections-in-q1-2020
malware

Most malware came through HTTPS connections in Q1 2020

25 Jun 2020
Visit/security/phishing/356211/phishing-attacks-target-unsuspecting-wells-fargo-customers
phishing

Phishing attacks target unsuspecting Wells Fargo customers

24 Jun 2020
Visit/security/hacking/356210/trump-administration-wants-to-enhance-the-security-of-gov-sites
hacking

Trump administration wants to enhance the security of .gov sites

24 Jun 2020

Most Popular

Visit/mobile/google-android/356373/over-2-dozen-additional-android-apps-found-stealing-user-data
Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020
Visit/laptops/29190/how-to-find-ram-speed-size-and-type
Laptops

How to find RAM speed, size and type

24 Jun 2020
Visit/cloud/356260/the-road-to-recovery
Sponsored

The road to recovery

30 Jun 2020