TalkTalk plays 'no legal obligation' card on encryption – fails to think of the children (read: its customers)
Morality? We've heard of it!
Comment: On Sunday morning, embattled TalkTalk boss Dido Harding crassly stated that her company was under no legal obligation to encrypt customers' sensitive data.
Her brutal – and, some might say, foolish – comment came a day after the budget telco confirmed that some of its subscribers' credit card details had been stolen in a raid on TalkTalk's website last week.
Since then, the company's site has remained offline while a probe from Scotland Yard's cyber cops and data-mining experts from BAE Systems' Applied Intelligence wing – once known as Detica – rifle through TalkTalk's computer systems, hunting for clues and trying to make the whole thing more secure.
But while many may have expressed disgust with Harding's off-colour remarks, it should be noted that current UK data regulations are pretty vague.
The 1998 Data Protection Act only implies that companies should consider encrypting sensitive customer information, but no "explicit" obligation is demanded under UK law.
It's worth looking at the relevant DPA passage in full. It says:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
However, while those "technical measures" could be interpreted as including encryption, nothing in principle 7 of the DPA makes encryption an explicit requirement.
And it's for this reason that we have Harding making the case for TalkTalk not having to encrypt customer data, just days after the massive attack on the ISP's systems, with an investigation that remains active, while the company's website is still shuttered.
In fact, the ex-jockey and Tory peer has been gambling with her firm's public image for days now. This may be deliberate, though. Harding, perhaps, is attempting to not only own the story by casting TalkTalk as the victim in this crime but also to use current opaque data regulations to wriggle out of being blamed for the security breach.
It's a pretty bold move from a company that claims to pride itself on protecting families from the baddies of this world. For example, TalkTalk was way ahead of the pack on censoring smut, violence and other supposedly challenging material online.
If the past few days have shown us anything beyond the much wider debate about encryption, it's that TalkTalk has failed to spot a flaw in its efforts to be ahead of the media with this story: the company's reputation is in tatters because it seemingly gave no consideration for its moral obligation to its customers. ®
The Register has created a timeline of TalkTalk's contradictory comments following on from the initial announcement of a website outage.