British telecommunications company TalkTalk recently went through what every business dreads. Hackers breached their system and stole more than 1 million emails, names and phone numbers, 21,000 bank account numbers, 28,000 debit/credit card numbers and 15,000 customers’ dates of birth. Although these numbers are far lower than initial estimates, the breach will undoubtedly have a significant impact on TalkTalk. In the wake of these events, TalkTalk has taken actions that are being questioned by the public.
On November 6th, TalkTalk confirmed that it had notified all customers who had financial information stolen as a result of the breach. There was no mention of those who had non-financial, personal information stolen. Customers who wish to end their contract with TalkTalk will only have their breach-of-contract fee waived if they have endured a financial loss as a result of the TalkTalk hack that took place on October 21st. Most recently, it was reported that compensation of £30 was given to a victim of the breach who had £3,500 stolen from his bank account.
What action a company takes in the aftermath of a breach can be influenced by anything from internal planning to external regulatory requirements on what a company must do in the event of a breach. The practice of notifying customers, partners and other stakeholders is advisable. When this notification should be sent, however, is often subjective and varies from company to company. In addition, the benefits and services offered to victims of the breach should protect them from potential further harm or theft and hopefully earn back their trust as customers.
Aside from individual opinions on TalkTalk’s post-breach actions, the company’s response to one frequently asked question stands out. When asked if customer data is now secure, the company responded:
“We’ve taken steps to secure our website and we constantly review and update our systems to make sure they are as secure as possible. Unfortunately cyber criminals are becoming increasingly sophisticated and attacks against companies that do business online are becoming increasingly frequent.”
There are a number of ways businesses can react in the wake of a major data breach. The steps taken in the case of an emergency of this magnitude can have a major impact on a business's future. What remains clear, however, is that organizations that regularly employ security best practices are less likely to find themselves the victim of a breach. By taking actions such as responding to and remediating vulnerabilities and monitoring network traffic and logs for malicious behavior, businesses can better avoid breaches, and the headaches that come with responding to them, altogether.