“It’s the legacy that gets you”, warns ex-TalkTalk boss

Dido Harding urges companies to decommission unsecured legacy systems to avoid a costly data breach

The former CEO of TalkTalk, who witnessed the fallout from the telecom provider's 2015 hack, has issued a stark warning to companies, advising them to invest in decommissioning their legacy technology systems before it's too late.

Speaking at the annual InfoSecurity Europe conference in London, Dido Harding told attendees that if they did not take the time to audit their legacy technology, it may have dire consequences further down the line.

Advertisement - Article continues below

Harding speaks from experience; it was a flaw in a legacy system that caused the catastrophic data breach of TalkTalk's systems in 2015 and led to the theft of 157,000 customers' bank details and personal information, as well as a then-record breaking fine from the ICO of 400,000.

"We were a business that had grown through a lot of acquisitions, and a business that we had bought had bought a business, that had bought a business, that had a legacy website that had an extremely simple SQL injection vulnerability in a legacy website that had not been used in two of those three acquisitions."

TalkTalk failed to properly scan the infrastructure of Tiscali when it bought the company's UK business in 2009, and was unaware that three vulnerable webpages enabled hackers to gain access to a database holding customer information, or that the database version was outdated and out of support. 

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

According to Harding, the flaw went undiscovered despite penetration testing, security audits and other forms of cyber due diligence being carried out at the time Tiscali was acquired by TalkTalk. "None of us found it. We should have done, but none of us did."

"It is the legacy that gets you," she added. "It's acquisitions and legacy within acquisitions that gets you. And it's business leaders not really hearing from their security experts that they need to spend money in decommissioning the legacy - whether they acquired it or built it themselves. And that's pretty much what happened to us."

Harding also talked in more detail about the infamous hack, including laying out TalkTalk's immediate response to it in more detail. She said that her biggest regret was not informing customers earlier, and reminded attendees that three months after the hack, TalkTalk's customer base reported higher satisfaction and lower churn than it did before.

Advertisement - Article continues below

One of the former CEO's most important takeaways from the hack was that security is a board-level issue, but also that boards are looking at security in the wrong way. Rather than looking at security as a black-and-white, pass-fail metric, boards need to see security as a spectrum of risk.

"The vast majority of boards want to be able to abdicate responsibility by asking their security professionals 'are we ok?'," she said, "and you mustn't let them ask that question."

"If you're running an oil rig, as the chief exec, you wouldn't go 'are we physically OK?'. You'd ask a different question; you'd say 'what are the risks? What are the risks I'm happy to accept, and what are the risks that I'm really worried about that we need to be pushing to mitigate?'"

Advertisement

Recommended

Visit/security/cyber-security/355210/cyber-criminals-torn-over-how-to-adapt-to-post-coronavirus-threat
cyber security

Hackers torn over how to adapt their tactics to the coronavirus pandemic

3 Apr 2020
Visit/policy-legislation/data-protection/355184/supreme-court-finds-morrisons-was-not-liable-for-2014
data protection

Supreme Court rules Morrisons was not liable for 2014 data breach

1 Apr 2020
Visit/security/privacy/355048/government-may-trace-covid-19-patients-using-mobile-phone-data
privacy

UK government may trace COVID-19 patients using mobile phone data

20 Mar 2020
Visit/policy-legislation/general-data-protection-regulation-gdpr/354842/irish-data-regulator-racks-up
General Data Protection Regulation (GDPR)

Irish data regulator racks up GDPR cases against Big Tech

24 Feb 2020

Most Popular

Visit/development/application-programming-interface-api/355192/apple-buys-dark-sky-weather-app-and-leaves
application programming interface (API)

Apple buys Dark Sky weather app and leaves Android users in the cold

1 Apr 2020
Visit/data-insights/data-management/355170/oracle-cloud-courses-are-free-during-coronavirus-lockdown
data management

Oracle cloud courses are free during coronavirus lockdown

31 Mar 2020
Visit/security/privacy/355211/google-releases-location-data-to-showcase-effectiveness-of-coronavirus
privacy

Google releases location data to show effectiveness of coronavirus lockdowns

3 Apr 2020