LIVE FROM INFOSECURITY EUROPE, LONDON: Dido Harding, former CEO of UK multiplay operator TalkTalk (pictured), warned against failing to decommission legacy systems following M&A, blaming her old company’s lack of action for a devastating data breach in 2015.

Harding told delegates robust systems and immediate honesty with customers were central to protection against attacks, and minimising reputational damage if hit.

During 2015 TalkTalk was the target of one of the largest data breaches in the European telecoms sector, with over 150,000 customers impacted and stinging attacks from officials and the media. Following the incident there was an exodus of customers and its share price dived to a level the operator has never really recovered from.

It was also hit with a then record £400,000 fine from national data regulators.

“The impact was enormous reputationally and financially,” Harding stated and, although she believed the company hadn’t done enough to protect itself before the hack, it was “not a company that didn’t take cybersecurity seriously”.

She added the foundation of the company, built through M&A activity, meant it had inherited a number of old systems, many unused for years but not decommissioned: “It’s the legacy that gets you,” Harding warned.

Reputation
Harding told the audience the biggest risk was reputational, which was her justification for informing customers within hours of the attack through publicity in broadcast media, email and social media.

Although widely criticised for her stance at the time, including by the police, Harding said she believed being “honest about it” was the best way to regain customer trust.

The former executive said three months after the incident TalkTalk’s churn rate was lower than prior to the attack and in its own feedback data more customers stated they would recommend the company to a friend. These metrics, she added, were due to its approach in the immediate aftermath.

However, its improved churn rate and satisfaction rates would have excluded the customer exodus immediately following the incident.

Board battle
Other advice given included: ensuring clear communication channels between executives and technical staff; and ensuring the board are asking the right questions about potential vulnerabilities.

“Cybersecurity is a board decision,” Harding said, adding: “Still no board is asking the right question. Are we OK? The answer is no. None of us can give 100 per cent security. We should be asking what are the risks.”