A Parliamentary inquiry into the TalkTalk hack has said that telco CEOs' salaries should be garnished if their firms' cyber security practices are lacking.
The report by the Culture, Media and Sport Committee, titled Cyber Security: Protection of Personal Data Online was initiated last November as “an inquiry into cyber-security following the recent attack on TalkTalk's website.”
Its 17 recommendations were published today (PDF), including one linking CEO compensation to effective cyber security.
TalkTalk's CEO Dido Harding, who earned £2.8m last year, offered contradictory and confusing comments following the breach of 21 October, earning her much criticism from affected customers.
The Parliamentary committee's report reflects this, recommending that “CEO compensation should be linked to effective cybersecurity” and also recommended that the Information Commissioner's Office (ICO) “should introduce a series of escalating fines, based on the lack of attention to threats and vulnerabilities which have led to previous breaches.”
This will surely be welcomed by Harding, who said last year: "Cyber security is a board level issue, and I am responsible for it."
This was some time after 26 October last year, when Harding claimed the company had been hit by a “sequential attack”, which infosec bod Wim Remes told us was most likely her attempt to claim a SQL injection attack, “an attack vector that has been known for more than a decade.”
The committee recommended: “A data breach facilitated by a 'plain vanilla' SQL attack, for example, or continued vulnerabilities and repeated attacks, could thus trigger a significant fine.”
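To make the report's “plain vanilla” SQL attack concrete, here is an added illustration in Python against an in-memory SQLite table with constructed sample rows. It is not from the report, from El Reg, or from anything known about TalkTalk's systems (the ICO has not said what happened); the table name, columns and rows are invented for the demo. It shows a customer lookup that concatenates user input into the query string, beside the parameterised form that the committee's “security by design” recommendation would require, and what a textbook tautology and UNION payload do to each.

```python
import sqlite3

# Constructed sample data for the demo only; not a real schema or real records.
SAMPLE_CUSTOMERS = [
    ("alice", "alice@example.com", "s3cret"),
    ("bob", "bob@example.com", "hunter2"),
]


def make_db():
    """Build a throwaway in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (username TEXT, email TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """The 'plain vanilla' bug: untrusted input is spliced into the SQL text,
    so a quote in the input ends the string literal and the rest is parsed as SQL."""
    query = (
        "SELECT username, email FROM customers WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterised(conn, username):
    """The hardened form: the value travels separately from the query text and
    is bound by the driver, so it can only ever be compared, never executed."""
    return conn.execute(
        "SELECT username, email FROM customers WHERE username = ?", (username,)
    ).fetchall()


def demo():
    """Run both lookups with a benign name and two classic injection payloads
    and return the rows each one yields."""
    conn = make_db()
    benign = "alice"
    # Tautology: closes the literal and appends OR '1'='1', matching every row.
    tautology = "x' OR '1'='1"
    # UNION: appends a second SELECT that pulls a column the lookup never exposes.
    # The trailing -- comments out the closing quote the original query adds.
    union = "x' UNION SELECT username, password FROM customers --"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_tautology": lookup_vulnerable(conn, tautology),
        "vuln_union": lookup_vulnerable(conn, union),
        "safe_benign": lookup_parameterised(conn, benign),
        "safe_tautology": lookup_parameterised(conn, tautology),
        "safe_union": lookup_parameterised(conn, union),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup returns every customer for the tautology input and every username alongside its password for the UNION input; the parameterised lookup returns nothing for either, because the driver treats the whole payload as a string to compare, and the query's shape never changes. Nothing here is exotic: both payloads are the first thing any scanner or tutorial tries, which is what makes such a breach fit the report's “plain vanilla” description.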
While the ICO is still investigating the TalkTalk attack and breach – which is taking time due to what the office refers to as an “international dimension to the investigation” – the committee stated its regret that “some eight months after the breach, customers are no closer to a clear understanding of what happened.”
Although six men were arrested in the UK in connection with the breach – five on suspicion of computer misuse offences, and one on suspicion of blackmail – all are currently on bail and none have been charged.
According to the report, the committee was “also surprised that there is no requirement to make security a major consideration in the design of new IT systems and apps. We therefore recommend that security by design should be a core principle for new system and apps development and a mandatory part of developer training, with existing development staff retrained as necessary.”
With the EU General Data Protection Regulation also approaching, the committee also said it supported the ICO's “call to bring into force Sections 77 and 78 of the Criminal Justice and Immigration Act 2008, which would allow a maximum custodial sentence of two years for those convicted of unlawfully obtaining and selling personal data.”
Full analysis of the committee's 17 recommendations will follow shortly on El Reg. ®