Why TalkTalk's Cybersecurity Strategy Went Wrong

The telecoms company failed its customers; we look at why.


In November 2015, four people were arrested in connection with the TalkTalk hack. The case against the accused - initially two 16-year-olds, a 15-year-old from County Antrim and a 20-year-old man from Staffordshire - has made progress. The lawyers of the 15-year-old are suing three national newspapers, while the others are either awaiting trial or have been released on bail.

Described as a 'wake-up call' by government officials, the hack compromised the data of around four million of the telecom group's customers. Cybersecurity strategies have been prioritized by a number of companies, but the TalkTalk hack has catapulted companies' vulnerability to data breaches front and center.

While some have lambasted TalkTalk for taking their customers' information for granted, the group's CEO, Dido Harding, has been quick to defend the company's actions: 'We are understandably the punchball for everybody wanting to make a point at the moment. Nobody is perfect. God knows, we’ve just demonstrated that our website security wasn’t perfect – I’m not going to pretend it is – but we take it incredibly seriously.'

There are, however, lessons which can be learnt from TalkTalk and the way it handled the situation. The company came under a lot of criticism for not encrypting customer data - considered the first line of defense against hackers, and something it had promised after a previous attack. Encryption is not a guaranteed remedy on its own: data still has to be processed, and therefore decrypted, which gives attackers a window of opportunity while it sits in plaintext. Even so, a more stringent approach to security makes an attacker's job considerably harder.

TalkTalk representatives claimed that they had updated their database in August 2015 amid increased fears of a future hack. This clearly never happened. Harding will now have to put emphasis on upgrading the company's database and applications to guarantee that all personal information is encrypted. With cybersecurity an issue of real importance, it is essential that senior management teams are upfront with their customers so that they feel as comfortable as possible.

It is also down to the Information Commissioner's Office to come down harder on breaches caused by negligence. The heaviest penalty it can impose is £500,000, a drop in the ocean for a company of TalkTalk's size. More severe punishments could act as a deterrent, although the damage to a company's reputation is arguably punishment enough. For smaller companies, however, a financial penalty of that size could have significant consequences.

If the accused turn out to be guilty, it would mean that a group with an average age of 17 was capable of breaching one of the United Kingdom's most prominent telecommunications companies. While it is impossible for an outsider to determine their motive, it is possible that they did it simply because they could, or to test their hacking skills. This type of threat is harder to guard against because it is unpredictable. But as the evidence shows, TalkTalk should have done more.
