“It’s the legacy that gets you”, warns ex-TalkTalk boss

Dido Harding urges companies to decommission unsecured legacy systems to avoid a costly data breach

The former CEO of TalkTalk, who witnessed the fallout from the telecom provider's 2015 hack, has issued a stark warning to companies, advising them to invest in decommissioning their legacy technology systems before it's too late.

Speaking at the annual InfoSecurity Europe conference in London, Dido Harding told attendees that if they did not take the time to audit their legacy technology, it could have dire consequences further down the line.

Harding speaks from experience; it was a flaw in a legacy system that caused the catastrophic data breach of TalkTalk's systems in 2015 and led to the theft of 157,000 customers' bank details and personal information, as well as a then-record-breaking fine of £400,000 from the Information Commissioner's Office (ICO).

"We were a business that had grown through a lot of acquisitions, and a business that we had bought had bought a business, that had bought a business, that had a legacy website that had an extremely simple SQL injection vulnerability in a legacy website that had not been used in two of those three acquisitions."


TalkTalk failed to properly audit Tiscali's infrastructure when it bought the company's UK business in 2009, and was unaware that three vulnerable web pages gave attackers access to a database holding customer information, or that the database software was outdated and out of support.

According to Harding, the flaw went undiscovered despite penetration testing, security audits and other forms of cyber due diligence being carried out at the time Tiscali was acquired by TalkTalk. "None of us found it. We should have done, but none of us did."
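To make concrete what "an extremely simple SQL injection vulnerability" in a legacy customer-lookup page looks like, and what the pen tests and audits mentioned above would have needed to catch, here is an added example (not code from the article, TalkTalk or Tiscali). It puts the classic string-spliced query beside its parameterised replacement and runs a boolean-based probe, the kind of check a pen test or acquisition audit would throw at every form field. The schema, rows, email addresses and function names are all constructed for this example.

```python
"""Added example (not from the article or the companies it describes): a
legacy-style SQL injection beside the parameterised fix, plus a boolean-based
probe that tells the two apart. Schema and data below are constructed/fake."""
import sqlite3


def build_db():
    """Constructed stand-in for a legacy customer database (all data is fake)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "id INTEGER PRIMARY KEY, email TEXT, sort_code TEXT, account TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, sort_code, account) VALUES (?, ?, ?)",
        [
            ("alice@example.net", "12-34-56", "00000001"),
            ("bob@example.net", "12-34-56", "00000002"),
            ("carol@example.net", "65-43-21", "00000003"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Legacy pattern: the request parameter is spliced into the SQL text, so
    a quote character in the input ends the literal and the rest is parsed
    as SQL. This is the 'simple' bug class the article refers to."""
    sql = "SELECT email, sort_code, account FROM customers WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, email):
    """Fix: the value is bound as a parameter, so it can only ever be compared
    against the column and never reaches the SQL parser as syntax."""
    sql = "SELECT email, sort_code, account FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Two textbook payloads: the first closes the string literal and appends an
# always-true clause, the second appends an always-false one.
TAUTOLOGY = "' OR '1'='1"
CONTRADICTION = "' AND '1'='2"


def probe_for_injection(lookup, conn):
    """Boolean-based injection check. A lookup that treats input as data gives
    the same (empty) result for all three inputs. One that treats it as SQL
    returns every row for the tautology and nothing for the contradiction."""
    unknown = "nobody@example.net"  # constructed address with no matching row
    baseline = len(lookup(conn, unknown))
    with_true = len(lookup(conn, unknown + TAUTOLOGY))
    with_false = len(lookup(conn, unknown + CONTRADICTION))
    return with_true != with_false or with_true != baseline


if __name__ == "__main__":
    db = build_db()
    print("vulnerable page injectable:", probe_for_injection(lookup_vulnerable, db))
    print("hardened page injectable:  ", probe_for_injection(lookup_hardened, db))
    print("rows leaked by tautology:  ", lookup_vulnerable(db, "x" + TAUTOLOGY))
```

The probe is deliberately cheap: no error messages or stack traces are needed, only a difference in row count between two inputs that should both match nothing. That is also why it works against a forgotten page that nobody has looked at since an acquisition, which is the case Harding describes.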

"It is the legacy that gets you," she added. "It's acquisitions and legacy within acquisitions that gets you. And it's business leaders not really hearing from their security experts that they need to spend money in decommissioning the legacy - whether they acquired it or built it themselves. And that's pretty much what happened to us."

Harding also talked in more detail about the infamous hack, including laying out TalkTalk's immediate response to it. She said that her biggest regret was not informing customers earlier, and told attendees that three months after the hack, TalkTalk's customer base reported higher satisfaction and lower churn than it had before.

One of the former CEO's most important takeaways from the hack was that security is a board-level issue, but also that boards are looking at security in the wrong way. Rather than looking at security as a black-and-white, pass-fail metric, boards need to see security as a spectrum of risk.

"The vast majority of boards want to be able to abdicate responsibility by asking their security professionals 'are we ok?'," she said, "and you mustn't let them ask that question."

"If you're running an oil rig, as the chief exec, you wouldn't go 'are we physically OK?'. You'd ask a different question; you'd say 'what are the risks? What are the risks I'm happy to accept, and what are the risks that I'm really worried about that we need to be pushing to mitigate?'"
