TalkTalk hired BAE Systems' infosec bods before THAT hack
Plus: Police told us not to answer questions, says telco
Did you have anybody working in security, Dido?
TalkTalk has continued to keep schtum about how seriously it handled security prior to the breach. What is clear is that the company did not employ a Chief Information Security Officer. Asked who its head of security was at the time of the breach, TalkTalk told The Register only that it could "confirm the three most senior technology roles have been here eight years, five years and four years."
These do not include TalkTalk's head of security, Guy Godfrey, who has only been in his role since February according to his LinkedIn profile.
TalkTalk takes cyber security extremely seriously and we have increased investment in this area by a third over the last three years, including in the last year, creating a new dedicated security function, with additional senior management and increased resource.
This included two new senior roles created in Security and in Risk, and last year we also brought in a new senior hire in Information Security and centralised and upgraded this function.
The qualifications of these hires, and what their roles involved, were not explained. Mystery exists at a junior level too, as TalkTalk was advertising for an infosec officer just a week before the breach.
We don't know whether they managed to fill the role, as TalkTalk refused to comment on individual job roles. It claimed, however, that it had "centralised and strengthened the cyber security function within the business in the last 12 months with several senior hires."
TalkTalk claimed to us that it "constantly reviews and updates the security of our systems using internal and external tools and resource."
After the battle
Of the four Britons arrested in connection with the TalkTalk breach, three were teenagers. All have been bailed until March 2016 and none are believed to be responsible for the ongoing bank account thefts that TalkTalk customers are reporting to The Register.
Whoever the attackers were, the telco claimed they had targeted its TalkTalk.co.uk domain, or its "front of shop" as CEO Dido Harding described it. Typically, this is not where customers' information would have been stored.
Asked to explain this discrepancy, TalkTalk responded: "As previously stated, this cyber attack was on our website, accessing databases that contained some customer information inputted via the site. Our core systems remain unaffected. The police have requested we not make any further comment on specific details of the attack."
Asked why business customers were also affected, despite using a different site to interface with TalkTalk, the telco reiterated: "The police have requested we not make any further comment on specific details of the attack."
The Register has contacted the Metropolitan Police's PR department to corroborate whether this was the case and, if so, how the police had balanced informing those whose details had been stolen about the potential for further attacks against preserving the integrity of their investigation.
When we asked them if they could shed any light on this, BAE Systems told The Register that "Decisions about the business and what other information they provide are for our client to take." ®
If you've been affected by the TalkTalk hack, please contact us at: firstname.lastname@example.org.
The Register has conducted an Incident Management Review of TalkTalk's contradictory statements following on from its most recent data breach.