IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

“It’s the legacy that gets you”, warns ex-TalkTalk boss

Dido Harding urges companies to decommission unsecured legacy systems to avoid a costly data breach

TalkTalk logo

The former CEO of TalkTalk, who witnessed the fallout from the telecom provider's 2015 hack, has issued a stark warning to companies, advising them to invest in decommissioning their legacy technology systems before it's too late.

Speaking at the annual InfoSecurity Europe conference in London, Dido Harding told attendees that if they did not take the time to audit their legacy technology, it may have dire consequences further down the line.

Harding speaks from experience; it was a flaw in a legacy system that caused the catastrophic data breach of TalkTalk's systems in 2015 and led to the theft of 157,000 customers' bank details and personal information, as well as a then-record breaking fine from the ICO of 400,000.

"We were a business that had grown through a lot of acquisitions, and a business that we had bought had bought a business, that had bought a business, that had a legacy website that had an extremely simple SQL injection vulnerability in a legacy website that had not been used in two of those three acquisitions."

TalkTalk failed to properly scan the infrastructure of Tiscali when it bought the company's UK business in 2009, and was unaware that three vulnerable webpages enabled hackers to gain access to a database holding customer information, or that the database version was outdated and out of support. 

According to Harding, the flaw went undiscovered despite penetration testing, security audits and other forms of cyber due diligence being carried out at the time Tiscali was acquired by TalkTalk. "None of us found it. We should have done, but none of us did."

"It is the legacy that gets you," she added. "It's acquisitions and legacy within acquisitions that gets you. And it's business leaders not really hearing from their security experts that they need to spend money in decommissioning the legacy - whether they acquired it or built it themselves. And that's pretty much what happened to us."

Harding also talked in more detail about the infamous hack, including laying out TalkTalk's immediate response to it in more detail. She said that her biggest regret was not informing customers earlier, and reminded attendees that three months after the hack, TalkTalk's customer base reported higher satisfaction and lower churn than it did before.

One of the former CEO's most important takeaways from the hack was that security is a board-level issue, but also that boards are looking at security in the wrong way. Rather than looking at security as a black-and-white, pass-fail metric, boards need to see security as a spectrum of risk.

"The vast majority of boards want to be able to abdicate responsibility by asking their security professionals 'are we ok?'," she said, "and you mustn't let them ask that question."

"If you're running an oil rig, as the chief exec, you wouldn't go 'are we physically OK?'. You'd ask a different question; you'd say 'what are the risks? What are the risks I'm happy to accept, and what are the risks that I'm really worried about that we need to be pushing to mitigate?'"

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021

Most Popular

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks
Security

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

27 Jun 2022
Open source giant Red Hat joins HPE GreenLake ecosystem
automation

Open source giant Red Hat joins HPE GreenLake ecosystem

28 Jun 2022
Carnival hit with $5 million fine over cyber security violations
cyber security

Carnival hit with $5 million fine over cyber security violations

27 Jun 2022