Ex-CEO on TalkTalk mega breach: It woz 'old shed' legacy tech wot done it

Baroness Dido Harding, former chief exec of Brit telco TalkTalk, warned other business leaders of the dangers posed by legacy tech in the opening keynote of the Infosecurity Europe conference in London. Harding stood by TalkTalk's decision to alert its customers to the company's notorious October 2015 breach the same day it …

  1. Anonymous Coward

    Talktalk should have read this

    http://www.capacitymedia.com/Article/3732267/After-Hibernia-GTT-adds-another-two-acquisitions

    Acquired customer bases(*) should be moved onto new systems in 3-6 months, not left to rot on their original platforms for 10 years.

    (*) Tiscali, Nildram, Pipex, LineOne, Screaming, Gateway, etc etc

  2. }{amis}{
    FAIL

    Budgeting To Death!

    "There was the IT equivalent of an old shed in a field that was covered in brambles," she said. "All we saw was the brambles and not the open window."

    And the budget for IT to fix these issues was placed by management in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard'.

    There was no way somebody in IT had not complained regularly about the state of affairs. This sounds like the IT systems of every company I have encountered that treats IT as an overhead to be reduced to absolute minimum.

  3. Dr Who

    The digital deficit is coming to get us

    Banks, telcos, healthcare you name it are all reaching the tipping point where a head in the sand approach to legacy tech has finally come home to roost, as we the illuminati all knew it would. Now that the costs of doing nothing are beginning to outweigh the costs of doing something, we should finally start seeing some action on all those things we've all been telling "them" about for all that time.

    Trouble is, before things get better they will get worse. There is going to be soooo much pain as the band aids are slowly peeled off to reveal the festering decay beneath.

    1. HmmmYes

      Re: The digital deficit is coming to get us

      If a company is using it then it's not legacy. It's that simple.

      Let me rephrase her speech: the management and board were clueless about what systems and processes were in place at the company. When things went to fuck we were clueless. And, to a greater extent, remain clueless.

      Any company where software makes up a greater or lesser extent of its ongoing operations needs to know where all the machines are and what software runs on them. And when the whole lot goes out of support.

      1. Valeyard

        Re: The digital deficit is coming to get us

        yeah probably less "legacy" and more "technical debt"

      2. Charlie Clark Silver badge
        Thumb Up

        Re: The digital deficit is coming to get us

        If a company is using it then it's not legacy. It's that simple.

        Have an extra upvote for this. Asserting something is "legacy" is trying to shift the blame. From day one when you own it, it's your responsibility and failing to grasp this was at the heart of the problem. Why did your company not continually invest in keeping its security systems up to date? Why did your company not handle the software of any acquisitions better?

        1. Anonymous Coward

          Re:muneration committee, directors compensation, etc.

          "Why did your company not continually invest in keeping its security systems up to date? Why did your company not handle the software of any acquisitions better?"

          You'll generally find the answer in the Annual Report to Shareholders, in particular in the section with a heading similar to "Directors Compensation", "Long Term Incentive Programme", or something like that.

          Maybe the Remuneration Committees, industry regulators, etc, who accept that senior management are paid on a different basis to the people doing the real work should also accept that means that senior managers must also be just as responsible for failure. If a job done well means loadsamoney for management, what does a job done badly mean? Work it out.

          If corporate management don't like that concept, that's fine, they lose the prospect of loadsamoney. It's all a bit onesided at the moment, with the customer (and staff) carrying almost all the risk and the 'management' getting all the rewards.

          I think quality of service in general might improve if that kind of thing were to happen.

          Senior managers should carry the same kind of risk that they expect customers and staff to face. Or else.

          1. Ken Moorhouse Silver badge

            Re: Annual Report to Shareholders: Principal Risks and Uncertainties

            Every company should now have Data and Cyber Security (or similar) in the risks & Uncertainties section.

            Extracted from the above (2015) (Published 12th June 2015 according to their site):-

            4. Data and cyber security

            Potential impact: Failure to prevent the loss or exploitation of personally identifiable or commercially sensitive information could result in loss of competitive advantage, regulatory fines, damage to the brand, and ultimately, churn.

            Mitigation: The Group continually reviews and seeks best practice external guidance on its data and cyber security capability and invests in and implements new solutions, both to prevent and detect incidents. TalkTalk continues to adopt the Ten Steps to Cyber Security as a control framework for mitigating key areas of risk. Progress is monitored via the in house Data Council, which convenes monthly and is chaired by the Chief Technology Officer (CTO). In FY15, key initiatives including the encryption of hardware and removable media, a data loss prevention solution, vulnerability scanning and penetration testing have been completed. A new Head of Security has also been appointed to establish and oversee the new Security Operations Centre, the activities of which have been outsourced to cyber security experts BAe systems.

            ----------

            Extracted from their 2014 Annual Report

            Potential impact: Failure to prevent the loss or exploitation of personally identifiable or commercially sensitive information could result in loss of competitive advantage, regulatory fines, damage to the brand and ultimately churn.

            Mitigation: The Group continually reviews and seeks best practice external guidance on its data security capability and invests in and implements new solutions, both to prevent and detect security breaches. In FY14, there have been initiatives including increased hardware and removable media encryption, further enhancements to the Group's data loss prevention capability and roll-out of advanced solutions to protect customer credit card details. The Group has also adopted a 'Ten Steps to Cyber Security' programme, to increase protection against intrusion and attack; improve detection and management of breaches; and increase protection against loss of personal data. The Data Governance Council meets monthly to review progress against the risk mitigation plans aligned to the Ten Steps to Cyber Security.

            (apologies for the abysmal formatting)

  4. Anonymous Coward

    Ooooops Wrong Dido

    I will go down with this ship

    And I won't put my hands up and surrender

    There will be no white flag above my door

    I'm in love and always will be

    When was the last time a mainframe was hacked?

    1. Anonymous Coward

      Re: Ooooops Wrong Dido

      The more apt question is whether any company running mainframes (we do) still keeps all of the data SOLELY on the mainframe? The answer quite probably is No if just due to MIPS charges, charge-by-the-byte computing. The more bytes you use the more you pay. "Think of all the money the company will save if we export those data sets to SQL and run a Windows (or Oracle) data warehouse!"

      Hmmm, mainframe MIPS charges kind of sound like cloud computing nowadays, huh?

      There's no need to hack a mainframe when the important stuff has been copied to plain old databases for easier no-MIPS-charges data manipulation. Or perhaps even to "the cloud". Or when very simple access controls have been implemented "because they're mainframes and can't be hacked". It wasn't too long ago that a certain mainframe vendor would only allow 8-character-all-upper-case administrative passwords.

      In addition many smaller companies (credit unions, community banks, etc.) do run mainframes while quietly forgetting to mention that those mainframes are in a vendor's hosted environment so they have no idea how they are secured. "We have their SOC1!"...

    2. Anonymous Coward

      Whatever happened to Fido Dido anyway?

      @Anonymous Coward; I always said that Talk Talk getting Dido in was a disaster in the making- their musical styles are completely different.

      And frankly, she just wasn't that good a drummer.

  5. HmmmYes

    Er... neither SQL nor TCP/IP is legacy tech.

    They are 'tech' that's been around and evolved.

    TalkTalk's problem was not legacy tech, it was down purely to incompetent management who were clueless as to what their systems were.

    1. EnviableOne

      The issue was bad systems integration, the server that was hacked was a relic of the Tiscali takeover

    2. Captain Scarlet Silver badge
      Trollface

      Let me correct that for you

      "TalkTalk's problem was not legacy tech, it was down purely to incompetent management who were clueless as to what their systems are"

  6. Doctor Syntax Silver badge

    In other words "do as I say, not as I did". AKA being wise after the event.

  7. Teiwaz

    Not sure 'legacy' is the right word

    'Legacy' isn't the right label for a system you couldn't be bothered to secure properly.

    She's just scapegoating some with some word she overheard.

  8. John Smith 19 Gold badge
    Holmes

    "Company boards need to take cybersecurity more seriously, "

    Starting with whatever one's she's currently associated with.

    Let's see if that actually happens, shall we?

    1. Best wat to avoid a tackle! Is not be there>

      Re: "Company boards need to take cybersecurity more seriously, "

      She is now working for the NHS! Did the NHS have any problems recently?

    2. Anonymous Coward

      Re: "Company boards need to take cybersecurity more seriously, "

      She is now working for the NHS! Did the NHS have any problems recently?

      1. Ken Moorhouse Silver badge

        Re:She is now working for the NHS!

        Actually this is a very shrewd move by the NHS. The NHS has far too many "customers" at the moment.

  9. adam payne

    Company boards need to take cybersecurity more seriously, Harding concluded, adding that it should be as important as maintenance on oil rigs. Chief execs should get down in the trenches and spend time with the "young stars" of their security teams to learn about risk, she added

    Most company boards have no idea what cybersecurity is and only see IT as an overhead and necessary evil.

    Chief execs getting down into the trenches, never seen that happen.

    So as the then CEO that would have made you a Talk Talk board member, wouldn't it? Oh I get it, preach what you didn't practice.

    1. Anonymous Coward

      These are lessons she identified

      "Experience is what you get when you didn't get what you wanted"

  10. HieronymusBloggs

    Old shed

    How many knowledgeable IT staff were shed due to TT's outsourcing plans prior to the breach?

  11. adnim

    Old tech?

    I never usually think code when I hear that term. I think hardware. I guess old code is old tech.

    A successful sql injection attack is dependent on code though not hardware, even if it is old code. <--- read shouldn't have been there in the first place.

    Having said that, I myself have written code I would now be embarrassed to use.

    1. Ken Moorhouse Silver badge
      Thumb Up

      Re: I myself have written code I would now be embarrassed to use.

      Post it on Github, Microsoft might find a use for it.
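The point made in comment 11 above, that a successful SQL injection lives in the code rather than in old hardware, is easier to see with a worked example. The following Python is added here for illustration; it is not from the thread, from TalkTalk or from any platform named on this page. It uses an in-memory SQLite table with constructed sample rows and hypothetical function names (lookup_vulnerable, lookup_safe, compare) to put a string-spliced query beside its parameterized equivalent and run two classic payloads through both.

```python
import sqlite3

# Constructed sample data standing in for a customer lookup table on an
# acquired platform. Names, addresses and tokens are made up.
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "TOKEN-A"),
    ("bob", "bob@example.com", "TOKEN-B"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (username TEXT, email TEXT, card_token TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable lookup (hypothetical name): the caller's string is spliced
    into the SQL text, so quote characters in it change the query's structure."""
    query = (
        "SELECT username, email FROM customers WHERE username = '%s'" % username
    )
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Hardened lookup (hypothetical name): the same query with a bound
    parameter. The driver hands the value to the engine as data, never as SQL."""
    query = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Two classic payloads: the first widens the WHERE clause to match every row,
# the second appends a UNION that lifts a column the query was never meant to
# return. The trailing -- comments out the closing quote the template supplies.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT username, card_token FROM customers --"


def compare(payload):
    """Return (rows from the vulnerable lookup, rows from the safe lookup)
    for one input, using a fresh database each time."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, payload), lookup_safe(conn, payload)
    finally:
        conn.close()


if __name__ == "__main__":
    cases = (("normal", "alice"), ("tautology", TAUTOLOGY), ("union", UNION_DUMP))
    for label, payload in cases:
        vuln, safe = compare(payload)
        print(f"{label:10s} vulnerable={vuln} safe={safe}")
```

For the normal input both functions return the same single row. For the tautology the spliced version returns every customer while the bound version returns nothing, and for the UNION payload the spliced version hands back the card tokens. The age of the box the code runs on never enters into it; the fix is a one-line change to how the query is built, which is a cheap thing to audit for (search the code base for string formatting or concatenation feeding execute()) even on a platform nobody wants to touch.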

  12. Anonymous Coward

    and yet this page is still apparently live...?

    https://www.tiscali-business.co.uk/secure/login.php?goto=%2Fsecure%2Fproduct-information%2Findex.html

  13. JimC

    Possibly legacy tech

    Is the stuff that isn't trendy, you still need, haven't outsourced to India, but all the people who understood it have been made redundant.

  14. Ken Moorhouse Silver badge

    notorious October 2015 breach the same day it was discovered

    I still have the email I sent to talktalk.cashprocessing@talktalkplc.com on the 26th August 2015 advising them of this problem, which was further to a lengthy conversation I had with Divya in that department, trying to get a customer of mine reimbursed for their being hacked.

    I dare say others can beat that date.

  15. Dwarf

    Due diligence and accountability

    Next time do it properly and listen to the technical staff

  16. Anonymous Coward

    >spend time with the "young stars" of their security teams to learn about risk

    How about instead spending time with the stars of their security teams regardless of their age?

    It's like spending time with the young stars, except you get the more experienced ones who haven't gone stale with age too, and bring something else to the table. I know casual ageism in IT is rife, but surely someone of Dido's level should be at least aware of how she chooses to phrase things correctly.

    Past experience of her activity has suggested she is good at latching onto buzzwords and saying things that she thinks appeases her audience without thinking them through, so I shouldn't really be surprised.

    For reference I'm approaching 50, and I just passed my CREST CRT, OSCP and I'm currently doing my OSCE :/

    Anon, because I'm not stupid enough to still be putting my age on my CV, so I'll be damned if I'm going to out myself on social media for this industry.

    1. Anonymous Coward

      Sounds like you've met her. I've met her, that's exactly how she is, and all the leeches who fell off her and wriggled into senior positions after her glorious and most definitely worthy elevation to NHS Godhood.

      *spits on the ground*

    2. Doctor Syntax Silver badge

      "I'll be damned if I'm going to out myself on social media for this industry."

      Social media? El Reg? We're anti-social and proud of it. BOFHdom is a thing to aspire to.

  17. Peter X

    The old bramble covered shed analogy

    Pretty sure I could've used that very same analogy. Except, the old bramble covered shed would've represented board, and why companies should "prune" execs that fail to understand how their business actually operates.

  18. steviebuk Silver badge

    So...

    ...business bods are expected to listen to a person who didn't appear to give a shit about security despite said company having been hit before and someone who, it sounds, was clearly cutting IT budgets.

    Bet clueless directors and execs will go away from her talks thinking it was great ignoring the fact massive security breaches happened on her watch that should never have.

    1. Doctor Syntax Silver badge
      Headmaster

      Re: So...

      Bet clueless directors and execs will go away from her talks thinking it was great, ignoring the fact massive security breaches happened on her watch that should never have.

      FTFY. The missing comma changes the sense entirely. But have an upvote for what you meant.

  19. Joeyjoejojrshabado

    She "failed to mention the record £400,000 fine subsequently levied at the firm by the Information Commissioner's Office. El Reg asked Harding whether TalkTalk would have survived had the GDPR been in place at the time."

    The ICO hadn't used the maximum amount available to them at the time so why would a higher ceiling make any difference?

  20. Anonymous Coward

    Infosecurity Europe conference

    Was she the Comedy Warm-up turn before they got down to serious business ?

    1. tfewster
      Facepalm

      Re: Infosecurity Europe conference

      She was there as warning to others - "Don't be like me". Even abject failure can be monetized.

      P.S. I don't remember any apologies from TalkTalk or Harding? All I recall them saying was that it was a "sophisticated attack".

  21. mwnci

    *At the Crisis Management meeting deep inside the corporate headquarters*

    "So as CEO, the next move is yours, what option should we go with...

    Option A, Blame old legacy systems, but discreetly draw a veil around the fact we didn't invest.

    Option B, Blame it on a Nation State / APT, because no one can stop a sophisticated threat, right?

    Option C, Say nothing play for time, hope it all blows over.

    Option D, Pretend we are trying to fix it, and down play the impact even though we aren't sure what's been taken or how?

    Option E, give a PR statement that you haven't taken this seriously and that's why you are in this position, announce a root-cause-analysis, fall on your sword, give up your pay and bonus, apologise to customers.

    Option F, come clean, admit you didn't even know what a cyber attack was until the start of this meeting.

    So what's your decision?

    CEO - "Blame the Autistic kids in IT, go with Option A, and absolve me from any responsibility. Also sack a manager in IT while you are at it, should satisfy the Plebs and get the media off our back."

  22. Tek Nickel

    Some credit is probably due

    I was at the event and have no vested interest in defending Dido Harding but I must provide some balance here.

    I thought she spoke pretty openly about the timeline, gave a personal perspective from someone who has not only been through such a significant breach, but also someone willing to then take a lot of questions from the floor, from an audience of security professionals of all things; something she is not, nor claims to be. She was a CEO and talked about the need for security professionals to continue to 'speak truth unto power' and articulate security as a proactive not reactive measure, as well as encourage customer transparency; something she regrets didn't happen sooner.

    So she didn't specifically say sorry so long after an event, in a business which she no longer works for. This would in my view have been a typically trite political tick-box exercise. And perhaps she wasn't made enough of an example of to satisfy some, but in the context of the event and Keynote I thought she deserves a bit more credit than that shown in the comments so far.

  23. Fatman
    FAIL

    RE: Chief execs should get down in the trenches.....

    <quote>Chief execs should get down in the trenches and spend time with the "young stars" of their security teams to learn about risk, she added.</quote>

    FAT CHANCE!!!!!

    Anyone who believes that a C suite is going to 'get down and dirty' with the menial tasks of IT is in serious need of a psychiatric examination.

    Isn't going to fucking happen. Ivory Tower types do not get dirt on their hands, as it is beneath them.

    1. Anonymous Coward

      Re: RE: Chief execs should get down in the trenches.....

      "Ivory Tower types do not get dirt on their hands, as it is beneath them."

      Before the world came to rack and ruin because of MBAs and PHBs, some companies were quite happy to be run on the basis of MBWA.

      There's even stuff about MBWA on the Interwebz.

      But if MBWA had ever truly caught on, it would have threatened the salary continuation plans of billions of dollars worth of compensation committees, HR consultants, and various other B-ark parasites. Which obviously isn't allowed in legacy corporate environments, not least because it might ultimately lead to more money to be spent on productive work and productive workers, and less on wasters.

      Never mind, we are where we are.

  24. Anonymous Coward

    How? Explained...

    The only way Harding keeps escaping censure for her repeated utter incompetence must be because she’s been offering free and easy use of her well-oiled puckered chocolate starfish to every political grandee over 50 for the last decade. It’s not due to her intellect, and certainly not her looks. Back door delivery only for that one, I’m afraid.

  25. Anonymous Coward

    Going to get nasty

    Dido was a right school over promoted merchandiser who chose to treat technology as a support service for her trading ambitions. They are legion across the CEO world, ignorant of the value and risks of the technology that enables their business to sell service contracts or financial services, and that without it they are without a business. They treat technology like a second rate support service, "spending their money", cutting costs and budgets at every opportunity and back sliding when something goes wrong. Certainly would not pay to hear a merchandiser talk about security. Farcical.
