It’s all over the news: TalkTalk was hacked. We’re talking about customers’ personal information and bank details, so pretty much their core business – not their core function, as they still provide service to 4 million people.
But the worst thing a CEO could ever say when their company is hacked is:
Asked by the BBC whether customers’ bank details had been encrypted by TalkTalk, she said: “The awful truth is, I don’t know”.
“Don’t know” is not an answer; it is a lack of responsibility and accountability, and a serious security issue. Encryption should be on the front page of their security policy, a page the CEO should be able to refer to, and the answer should always be an obvious yes.
We all know that data today is not an asset but rather a liability, and we should treat customers’ private and financial information with diligence and respect. Clear text and hashing have not been acceptable solutions in any security practice for the past 10 years. Encryption is what assures you that, if you have been hacked but have kept your keys secure, the data the hackers have is useless.
While working in Switzerland, Tiago Henriques and I did a reverse-role-play interview with a security candidate, and when I asked what he would say to the CEO who comes to him with the news that they were hacked, he said: “let’s build a war room first”.
That’s what the TalkTalk CEO did. She built a war room to deal with this, but they lack the guns to cope with the subject and, worse, they don’t have defences. So instead of building a war room, they should be creating, immediately, a separate environment that is properly encrypted and moving customer data there as soon as possible, while leaving forensics to deal with the hack.