TalkTalk Hack Underscores How UK PLCs Must Do Better At Protecting Customer Data

Posted by Philip Bindley

Complying with EU laws and regulation is complex, but businesses need to up their game with cybercrime and fraud on the rise.

With a significant and sustained cyber-attack on TalkTalk hitting the headlines, there will undoubtedly be four million extremely concerned customers out there wondering what it means for them.

TalkTalk has been quick to inform customers there was ‘a chance’ data including credit card and bank account details may have been accessed, together with other personal information such as names, addresses and telephone numbers. Reports suggest that not all customer data was encrypted, although TalkTalk was ‘under no legal obligation to do so’.

Nevertheless, many customers have taken to social media to air their frustration with what is the third cyber attack to hit the mobile phone and broadband provider over the past 12 months. In February, the company warned that scammers had obtained account numbers and names from its systems, while last year it had to investigate whether its customer database had been leaked.

Of course, TalkTalk is just one of a growing list of companies to have experienced a data breach. And as TalkTalk’s chief executive, Dido Harding speaking to BBC News pointed out, “unfortunately cybercrime is the crime of our generation” and that to put it into context, “there were 625,000 cyber offences each month in the UK during the summer”.

Compliance challenge                                                                          

In theory, any business holding personal details or managing payment card data should already have the necessary safeguards in place to ensure compliance with EU data privacy laws and the Payment Card Industry Data Security Standard (PCI DSS).

In practice however, the litany of data breaches we’ve seen suggests otherwise. Granted, cybercrime today is big business and hackers are becoming ever more determined and sophisticated in their approach, but the prospect has to be raised that either organisations are too often caught wanting in their remit as custodians of personal data, or that achieving and maintaining compliance is proving too complex a task.

Certainly, any business that stores, processes or transmits payment card data should be compliant to PCI v3.1 at a minimum, since v3.1 of the standard does not come into effect until next year. Yet the complexity of information security best practice frameworks and standards such as PCI DSS also pose a significant challenge.

Established in 2006 to protect cardholder data, PCI DSS is now on its third version and has 12 requirements, over 200 sub-requirements and more than 400 testing procedures. The standard is designed to ensure the security of cardholder data and applies only to those systems and networks that fall within scope, which is dependent on factors such as data flows, network segregation, role performed within the payment cycle and type of services offered.

However, a common issue is that rapid business growth sees a compliant network inadvertently connected to other elements of the business that bring more functions, processes or the wider supply chain into scope. This increases cost and administrative overhead whilst leaving the business struggling to maintain compliance.

Little wonder then, that many firms choose to outsource their PCI requirement. Yet even in choosing to work with an outsourcing provider, there are no guarantees that a business is in fact compliant.

Securing the supply chain

We’ve warned on numerous occasions that there are service providers out there claiming ‘fully compliant Hosting Partner’ status when in reality they’re offering a PCI DSS aligned environment. More importantly, the arrival of PCI v3.0 at the start of this year made it a matter of supply chain management, putting responsibility for compliance on the business itself – irrespective of whether it’s working with a third-party specialist.

Any firm handling payment card data now needs a crystal clear understanding of who is accountable for what in the supplier chain and how remits are defined. Claiming ignorance is not an option. Failure to comply carries the threat of fines of up to £100 per card affected by a breach, as well as higher transaction costs during the time it takes (typically two years) to regain compliant status. That’s why it’s so critical to work with a designated Visa-approved Managed Services Hosting Provider.

At the very least, customers expect the organisations they are dealing with are doing their utmost to protect the personal information they provide during a transaction – irrespective of whether or not they are legally obliged to do so.

What’s more, achieving and maintaining compliance need not be costly or complex. The Bunker for example, offers a PCI compliant environment deployed onto multi-tenanted cloud infrastructure that allows organisations to take advantage of all the benefits that come with a multi-tenanted Cloud service – flexibility, scalability and cost efficiency – delivered under the utility consumption model.

Our PCI Cloud truly breaks new ground. We can validate the controls we have in place to satisfy a Qualified Security Assessor (QSA) and regularly invite auditors and technical experts to ‘look under the hood’ and see how we’ve achieved it. We’ve also harnessed our deep experience in delivering fully compliant PCI DSS solutions to develop a PCI DSS gap analysis and assessment service that ensures a customer’s environment is assessed and scoped correctly from the outset.

We can help you to segregate the network elements and processes necessary to comply with PCI DSS whilst providing you with the flexibility to scale and future proof your environment in the most cost effective way – confident in the knowledge that you are fulfilling your commitment to your customers.

If you have a PCI requirement or are unsure of your current compliance status, please get in touch with one of our experts, or call us for an informal chat on 01304 814800.