WEBVTT

00:00:00.760 --> 00:00:08.590
THE COURT: Order, order. Miss Harding, thank you very much indeed for coming in today. Obviously

00:00:08.590 --> 00:00:13.960
the issue of the hack at TalkTalk is a serious one for your customers and raises quite a lot of

00:00:13.960 --> 00:00:24.850
issues of a wider nature. Can I kick off by asking you who was, at the time of the hack, responsible

00:00:24.850 --> 00:00:31.750
for security within the company that you run? HARDING: Yes, of course. Before I directly

00:00:31.750 --> 00:00:37.420
answer your question, Chairman, could I just begin by apologizing again to all

00:00:37.420 --> 00:00:42.880
of TalkTalk’s customers for the concern and the inevitable uncertainty that this

00:00:42.880 --> 00:00:48.850
event has caused all of them? To answer your question directly, I am accountable

00:00:48.850 --> 00:00:53.549
and responsible for security in the company. I was before this criminal attack and am now.

00:00:53.549 --> 00:01:01.210
THE COURT: But you’re the Chief Executive, Miss Harding. Who is actually line managing

00:01:01.210 --> 00:01:04.510
security within the organization? You can’t have been doing that. You’re running the company.

00:01:04.510 --> 00:01:07.900
HARDING: Well, I actually do think that cyber-security is a board level

00:01:07.900 --> 00:01:11.740
issue. As the Chief Executive, I do think it’s appropriate that

00:01:11.740 --> 00:01:15.310
I’m responsible for it and our board takes it very seriously.

00:01:15.310 --> 00:01:16.501
THE COURT: People have to be responsible. The question is who.

00:01:16.501 --> 00:01:22.930
HARDING: Indeed, and if it’s a criminal attack it is entirely possible that none

00:01:22.930 --> 00:01:27.280
of them are responsible for the attack. The question is,

00:01:27.280 --> 00:01:31.150
were they making – was the company, and that’s why I say it really does come back to the Chief

00:01:31.150 --> 00:01:36.880
Executive and the board. Was there sufficient oversight in terms of the security policies,

00:01:36.880 --> 00:01:40.420
the resourcing of the technology team to implement those policies,

00:01:40.420 --> 00:01:45.130
and the knowledge and understanding of best practice? It is a board-level issue rather

00:01:45.130 --> 00:01:50.410
than an individual-level issue below. Companies have to stay safe 100 percent of the time and

00:01:50.410 --> 00:01:56.890
the cyber criminals only have to get lucky once. The way the digital world works, it’s like all of

00:01:56.890 --> 00:02:03.130
your potential cyber criminals worldwide all have access to the equivalent of a Kalashnikov and a

00:02:03.130 --> 00:02:10.950
nuclear bomb because it’s cut-and-paste and sitting in the dark web for free.

00:02:10.950 --> 00:02:13.290
JACK (INTRO): This is Darknet Diaries,

00:02:13.290 --> 00:02:17.880
true stories from the dark side of the internet. I’m Jack Rhysider.

00:02:17.880 --> 00:02:26.890
JACK: Carphone Warehouse is one of the largest mobile phone retail distributors in the UK. In

00:02:26.890 --> 00:02:32.140
the US the equivalent would be like an AT&T Mobile store or a Sprint Mobile store. Except Carphone

00:02:32.140 --> 00:02:38.290
Warehouse just sold phones and weren’t affiliated to any mobile provider. In 2003 that changed and

00:02:38.290 --> 00:02:43.210
they created a mobile carrier called TalkTalk. Now Carphone Warehouse can both sell you the phone and

00:02:43.210 --> 00:02:48.160
the subscription plan for the service. With this combination and the boom of cell phone usage,

00:02:48.160 --> 00:02:52.900
the company grew rapidly. They were opening more stores and either putting their competition out

00:02:52.900 --> 00:02:57.790
of business or buying them. In 2009 Carphone Warehouse bought a competing mobile provider

00:02:57.790 --> 00:03:02.980
called Tiscali UK and merged them into the TalkTalk network. In less than a year Tiscali

00:03:02.980 --> 00:03:08.290
was rebranded to TalkTalk. This also included moving all Tiscali customers to TalkTalk and

00:03:08.290 --> 00:03:14.620
moving any infrastructure under the TalkTalk domain. In 2010 Carphone Warehouse decided to

00:03:14.620 --> 00:03:19.420
split TalkTalk off and have it become its own company. The executives believed this was the

00:03:19.420 --> 00:03:24.760
wise choice to maximize profits in the current market conditions. De-merging TalkTalk away from

00:03:24.760 --> 00:03:28.870
Carphone Warehouse was challenging, though. Imagine trying to split the customer database

00:03:28.870 --> 00:03:34.780
from a single company into two companies. What customers belong in which company? Which servers

00:03:34.780 --> 00:03:40.030
would stay with Carphone Warehouse and which servers would go off with TalkTalk? TalkTalk

00:03:40.030 --> 00:03:44.500
continued to grow rapidly by itself as a mobile service provider in the UK. In

00:03:44.500 --> 00:03:50.410
2014 they had almost 4 million customers. Near the end of 2014, numerous TalkTalk

00:03:50.410 --> 00:03:54.346
customers were getting strange phone calls. Here’s what one of those calls sounded like.

00:03:54.346 --> 00:04:01.450
OPERATOR: My name is Elena okay, calling you from TalkTalk Internet Service Center, your

00:04:01.450 --> 00:04:03.132
internet service provider, okay?

00:04:03.132 --> 00:04:05.617
CUSTOMER: Okay, right, yes. What can I do for you?

00:04:05.617 --> 00:04:12.820
OPERATOR: Yeah, the reason why I give you a call today dear, is just to inform you that

00:04:12.820 --> 00:04:18.250
whenever you are online at a same point of time we are receiving some kinds (inaudible)

00:04:18.250 --> 00:04:23.440
and warning (inaudible) from your server which indicates that your internet is used

00:04:23.440 --> 00:04:29.110
by some different IP address, some different people. Are you aware about this problem?

00:04:29.110 --> 00:04:35.350
CUSTOMER: No. I do not believe you’re calling me from TalkTalk, okay.

00:04:35.350 --> 00:04:35.409
OPERATOR: Sir, listen to me. I have the whole information,

00:04:35.409 --> 00:04:35.460
your name, your address, your city, your post code.

00:04:35.460 --> 00:05:23.920
CUSTOMER: Okay, you tell me that, then. You tell me my name and my post code.

00:05:23.920 --> 00:05:29.185
OPERATOR: And your TalkTalk account number which is very important and very secret.

00:05:29.185 --> 00:05:29.910
CUSTOMER: Okay, you tell me what my TalkTalk address is then, please.

00:05:29.910 --> 00:05:30.238
OPERATOR: Your address is xx City Bridge Road, okay?

00:05:30.238 --> 00:05:30.253
CUSTOMER: Okay.

00:05:30.253 --> 00:05:30.274
OPERATOR: And, hello?

00:05:30.274 --> 00:05:30.316
CUSTOMER: Yes, I’m speaking to you. Yes.

00:05:30.316 --> 00:05:30.354
OPERATOR: And your city is South Glos.

00:05:30.354 --> 00:05:30.369
CUSTOMER: Yeah.

00:05:30.369 --> 00:05:30.385
OPERATOR: Hello?

00:05:30.385 --> 00:05:30.424
CUSTOMER: Yeah, I’m listening to you.

00:05:30.424 --> 00:05:30.510
OPERATOR: And your postal – post word is xxxx Charlie, F as in France, D for Delta,

00:05:30.510 --> 00:05:31.321
U for Umbrella. Okay? And your TalkTalk account number which is very important

00:05:31.321 --> 00:05:35.560
and very secret. Your TalkTalk account number is xxxxxx. This is

00:05:35.560 --> 00:05:37.384
your TalkTalk account number which is very important and very secret.

00:05:37.384 --> 00:05:45.880
JACK: Scam calls are common but what’s really strange about this particular call is that the

00:05:45.880 --> 00:05:51.190
scammer knew all the customer’s details. Those details that were listed were 100 percent correct,

00:05:51.190 --> 00:05:55.660
including the TalkTalk account number. A few customers did get scammed by

00:05:55.660 --> 00:05:59.160
these calls and lost significant money. Here’s one of those victims.

00:05:59.160 --> 00:06:03.010
VICTIM 1: They showed me all kinds of stuff on the computer. Oh, madam,

00:06:03.010 --> 00:06:07.090
it’s lucky that we got hold of you because the computer is a couple of days away from blowing up,

00:06:07.090 --> 00:06:11.740
basically. So they’re spending like an hour grooming you, talking to you,

00:06:11.740 --> 00:06:16.960
befriending you. They’re on your side, they’re helping you out. The cunning part of the plan

00:06:16.960 --> 00:06:22.660
was they got me to take the money out of the bank myself and pass it on, so it doesn’t count

00:06:22.660 --> 00:06:28.100
as a cyber-crime. So I lost £5,200. I might as well have driven a car off the end of a pier.

00:06:28.100 --> 00:06:29.544
JACK: Here’s another victim.

00:06:29.544 --> 00:06:29.637
VICTIM 2: We’ve lost £8,700. They took one lot of £4,900 and a second lot of £3,800. It

00:06:29.637 --> 00:06:57.604
all seemed so genuine. It’s now got to the state that you don’t know who to believe.

00:06:57.604 --> 00:06:57.703
I’m eighty-two and my husband’s eighty-three. We’re not sleeping properly and what’s more,

00:06:57.703 --> 00:06:57.755
I don’t know that I’ll ever trust anybody again.

00:06:57.755 --> 00:07:02.720
JACK: The scam worked like this. [MUSIC] The caller would establish trust with the victim,

00:07:02.720 --> 00:07:06.620
convincing them they are from TalkTalk and only someone from TalkTalk would have their

00:07:06.620 --> 00:07:10.340
account details. The victim would then be told to share their computer screen with

00:07:10.340 --> 00:07:15.560
the caller. The caller would then install malware on their system and then have them

00:07:15.560 --> 00:07:19.580
log in to their bank account. The caller would either steal money out of their bank account

00:07:19.580 --> 00:07:24.380
directly or show them a false balance on their bank account where the balance was

00:07:24.380 --> 00:07:29.420
significantly higher than expected. The scammer would tell the victim that TalkTalk accidentally

00:07:29.420 --> 00:07:32.900
overpaid them and they need to take this extra money out of their bank account,

00:07:32.900 --> 00:07:37.310
withdraw it, go to MoneyGram or Western Union and send it to the scammer.

00:07:37.310 --> 00:07:43.580
Victims thought they were sending the money back to TalkTalk and doing the right thing. All through

00:07:43.580 --> 00:07:49.010
September, October, and November of 2014, TalkTalk customers complained about these scam calls.

00:07:49.010 --> 00:07:53.960
Because of the volume of complaints that were being raised, TalkTalk decided to look into it.

00:07:53.960 --> 00:08:00.470
They did find something strange. TalkTalk notified the Metropolitan Police and the ICO. The ICO,

00:08:00.470 --> 00:08:05.840
or Information Commissioner’s Office, is the UK’s data protection authority. As a side note,

00:08:05.840 --> 00:08:10.310
the US doesn’t have an official data protection authority. The Federal Trade Commission handles

00:08:10.310 --> 00:08:14.690
some data breaches, but in England and in most of Europe there is an official body of

00:08:14.690 --> 00:08:19.040
government that only deals with information privacy and protection. That is called the

00:08:19.040 --> 00:08:23.960
data protection authority and the ICO is the UK’s data protection authority. They report

00:08:23.960 --> 00:08:28.940
directly to Parliament. Law requires that all telecoms must report security breaches to the

00:08:28.940 --> 00:08:34.700
ICO so TalkTalk begins telling the ICO about the potential data breach. Two months later,

00:08:34.700 --> 00:08:40.120
TalkTalk determines the extent of the data breach and notifies its customers. What TalkTalk found

00:08:40.120 --> 00:08:44.530
is the breach didn’t occur anywhere near their headquarters in London. Instead, the

00:08:44.530 --> 00:08:50.200
theft occurred four thousand miles away. To save millions of dollars, TalkTalk outsourced their

00:08:50.200 --> 00:08:55.870
customer support reps to a company in India called Webpro. The call centers that Webpro runs are

00:08:55.870 --> 00:09:01.300
massive. They have over five thousand employees working in them. TalkTalk hired Webpro, and…

00:09:01.300 --> 00:09:03.850
EXECUTIVE: We established a new center in Kolkata

00:09:03.850 --> 00:09:09.910
and we ramped to over a thousand staff in just six months. Thank you, Webpro.

00:09:09.910 --> 00:09:14.770
JACK: That’s a clip from before the breach. It’s a TalkTalk executive doing a promotional video

00:09:14.770 --> 00:09:20.680
for Webpro. Each of the one thousand Webpro customer support agents only had access to a

00:09:20.680 --> 00:09:26.230
single TalkTalk user account at a time, but out of the one thousand agents there were forty of

00:09:26.230 --> 00:09:31.240
these people that had elevated access. These may have been supervisors or managers. Their extra

00:09:31.240 --> 00:09:35.920
privileges allowed them to do wild-card searches on the TalkTalk customer database. They could do

00:09:35.920 --> 00:09:41.020
a search for F star and this would get back all names starting with the letter F, but it

00:09:41.020 --> 00:09:46.960
would only show a maximum of 500 results. Three rogue Webpro employees gained access to these

00:09:46.960 --> 00:09:52.480
privileged log-ins. They began harvesting customer accounts out of the TalkTalk database 500 records

00:09:52.480 --> 00:09:58.990
at a time. The data on each account included the name, home address, phone number, and account

00:09:58.990 --> 00:10:06.280
number. In total, 21,000 accounts were harvested out of the TalkTalk database. The rogue Webpro

00:10:06.280 --> 00:10:11.140
employee would put what he had on a USB stick and then go to a party where he knew people who

00:10:11.140 --> 00:10:16.360
worked as phone scammers. He would give them the USB stick and the deal was this: if the scammers

00:10:16.360 --> 00:10:20.860
were successful at conning people out of money, the rogue Webpro employee would get a cut of it.

00:10:20.860 --> 00:10:25.930
One of the big criticisms TalkTalk received from this breach was the way they notified

00:10:25.930 --> 00:10:30.640
their customers. TalkTalk detected this breach in November and notified the ICO then,

00:10:30.640 --> 00:10:35.260
but didn’t notify their customers until February. Customers who were scammed in

00:10:35.260 --> 00:10:39.730
December could have been notified but they weren’t. With the help of an ombudsman,

00:10:39.730 --> 00:10:45.160
TalkTalk did reimburse some of the people who lost money to this scam, but there were also customers

00:10:45.160 --> 00:10:50.590
who were unable to get TalkTalk to pay. TalkTalk proceeded to tell their customers: at TalkTalk we

00:10:50.590 --> 00:10:55.290
take our customers’ security very seriously and we take numerous measures to help keep our customers

00:10:55.290 --> 00:11:01.140
safe. TalkTalk did begin blocking nuisance calls and spam calls and claimed to be one of the only

00:11:01.140 --> 00:11:05.940
telecoms that did block these kinds of calls, and they also ran public service ads such as this.

00:11:05.940 --> 00:11:10.860
ADVERT: If you’re at all uncertain about a call, just hang up. Make yourself a cup

00:11:10.860 --> 00:11:16.440
of tea and take some time to think. Finally, call back on your supplier’s official number.

00:11:16.440 --> 00:11:22.080
That’s it. Three simple steps to beat the scammers. TalkTalk. For everyone.

00:11:22.080 --> 00:11:32.700
JACK: Eight months go by. It’s now August 2015 and suddenly three of Carphone Warehouse’s websites

00:11:32.700 --> 00:11:43.800
go down. The websites were onestopphoneshop.com, etosave.com, and mobiles.co.uk. These are popular

00:11:43.800 --> 00:11:48.750
sites where visitors could purchase new cell phones. The next day, Carphone Warehouse sent

00:11:48.750 --> 00:11:53.340
the following letter to its customers. Quote, “Our investigation indicates that some of the

00:11:53.340 --> 00:11:57.330
data held in our systems has been accessed and this may include some of your personal details

00:11:57.330 --> 00:12:02.280
including your name, address, date of birth, and bank details. We take security of your

00:12:02.280 --> 00:12:06.510
data extremely seriously and we have put in place additional security measures to prevent

00:12:06.510 --> 00:12:10.680
further attacks. Nevertheless, we felt it was important to let you know as soon as possible.

00:12:10.680 --> 00:12:15.210
To reduce the risk of fraudulent activity, we recommend you consider taking the following steps:

00:12:15.210 --> 00:12:19.680
notifying your bank and credit card company so they can monitor activity on your account. You

00:12:19.680 --> 00:12:23.250
can check your credit rating and make sure no one has taken a loan out and credit in

00:12:23.250 --> 00:12:28.710
your name. You can do this by visiting Experian or Equifax.” End quote. Carphone Warehouse then

00:12:28.710 --> 00:12:32.580
went on to say that 2.5 million customer records were taken from their database.

00:12:32.580 --> 00:12:38.910
The data in these accounts included customer name, home address, and date of birth. There were

00:12:38.910 --> 00:12:45.540
also 90,000 encrypted credit cards taken in this breach. Out of those 2.5 million customer records,

00:12:45.540 --> 00:12:52.260
480,000 of them were TalkTalk records. The two companies were still in the process of de-merging

00:12:52.260 --> 00:12:57.510
and Carphone Warehouse still had TalkTalk customer data. Because TalkTalk customers were impacted,

00:12:57.510 --> 00:13:03.000
they had to notify the ICO of the breach. Two days before the website went down Carphone Warehouse

00:13:03.000 --> 00:13:07.980
discovered their sites were being hit by a quote, “sophisticated cyber-attack.” End quote. As soon

00:13:07.980 --> 00:13:12.390
as it was detected they took the website down to contain and fix the issue. There are no other

00:13:12.390 --> 00:13:18.570
details about what kind of attack this was or what was hit or how it happened. The CEO of Carphone

00:13:18.570 --> 00:13:23.370
Warehouse, Seb James, issued a written apology to its customers saying, “We take the security

00:13:23.370 --> 00:13:27.660
of customer data extremely seriously. We are very sorry that people have been affected by this.”

00:13:27.660 --> 00:13:36.460
JACK: Three months pass. It’s now October 21, 2015. It’s a Wednesday. On this day,

00:13:36.460 --> 00:13:42.040
the TalkTalk network starts running slow. Some customers report inability to make calls and

00:13:42.040 --> 00:13:50.670
checking e-mail is very slow. Around lunchtime, the TalkTalk website goes down entirely. [MUSIC]

00:13:50.670 --> 00:13:56.760
People couldn’t check e-mail, change account settings, or purchase new services. Social media

00:13:56.760 --> 00:14:02.250
exploded with complaints of the outage. Customers were becoming frustrated. The customer support

00:14:02.250 --> 00:14:16.820
lines were overwhelmed. The website continued to stay down all night long. [MUSIC ENDS] The next

00:14:16.820 --> 00:14:21.140
day TalkTalk said they had been breached and the media immediately started picking up the stories.

00:14:21.140 --> 00:14:26.540
REPORTER: Some breaking news in the last hour. Police are investigating after significant and

00:14:26.540 --> 00:14:32.450
sustained cyber-attack on the website of the company TalkTalk. We actually have the CEO of

00:14:32.450 --> 00:14:36.560
TalkTalk, Dido Harding, here. First of all Dido Harding, how many people are affected?

00:14:36.560 --> 00:14:41.120
HARDING: We don’t know for certain but we’re taking the precaution tonight of

00:14:41.120 --> 00:14:43.070
contacting all four million of our customers.

00:14:43.070 --> 00:14:45.140
REPORTER: But you didn’t – the attack was yesterday.

00:14:45.140 --> 00:14:48.590
HARDING: The attack started yesterday. We brought down all of our websites

00:14:48.590 --> 00:14:53.510
yesterday lunchtime. We spent the last twenty-four hours with the Metropolitan

00:14:53.510 --> 00:14:57.200
Police and various security experts trying to get to the bottom of what has happened.

00:14:57.200 --> 00:15:00.260
REPORTER: But if you don’t know if people’s telephone numbers,

00:15:00.260 --> 00:15:04.490
if their bank accounts and so forth are involved, would it not have been better to

00:15:04.490 --> 00:15:09.185
take the precaution as soon as it started to happen, of telling all your customers?

00:15:09.185 --> 00:15:14.540
HARDING: There are cyber-attacks on every website all the time. In the summer,

00:15:14.540 --> 00:15:18.111
across England and Wales, there were 625,000 cyber-attacks each month.

00:15:18.111 --> 00:15:19.250
REPORTER: Has it happened at TalkTalk before?

00:15:19.250 --> 00:15:21.290
HARDING: We would receive what’s called

00:15:21.290 --> 00:15:23.810
denial-of-service attacks on our network every week.

00:15:23.810 --> 00:15:26.438
REPORTER: How do you know this one was different? What’s triggered this?

00:15:26.438 --> 00:15:30.020
HARDING: We didn’t at lunchtime yesterday. Lunchtime yesterday, all we knew was that

00:15:30.020 --> 00:15:35.810
our website was running very slowly. It had all the early warning signs of bad guys bombarding

00:15:35.810 --> 00:15:40.220
the website, so that’s why we took the website down. We then needed to actually analyze the

00:15:40.220 --> 00:15:47.690
data in order to identify who – if someone had got in, what data that they had got access to.

00:15:47.690 --> 00:15:50.587
REPORTER: Do you know how much, what the maximum amount of data this cyber-attack has taken?

00:15:50.587 --> 00:15:55.220
HARDING: The precaution we’re taking is to communicate with all of our customers so that

00:15:55.220 --> 00:16:02.390
is the maximum. It’s clearly a material number and because we fear that these

00:16:02.390 --> 00:16:06.920
criminals have access to some customer’s bank details as well as personal details,

00:16:06.920 --> 00:16:10.520
we’re taking the precaution of telling everyone and using, to be honest,

00:16:10.520 --> 00:16:15.230
the good auspices of the BBC tonight to try and reach customers as quickly as we possibly can.

00:16:15.230 --> 00:16:18.080
REPORTER: You’re telling people now, but people’s bank account and details could

00:16:18.080 --> 00:16:19.610
have been compromised since lunchtime yesterday.

00:16:19.610 --> 00:16:24.140
HARDING: They could have been, but I didn’t know. I didn’t have any inkling at lunchtime

00:16:24.140 --> 00:16:29.040
yesterday that that was the case. You have to have a basic amount of information before

00:16:29.040 --> 00:16:34.590
you start communicating. We’ve tried to move absolutely as fast as we can. At the same time,

00:16:34.590 --> 00:16:40.440
in terms of your bank account details being stolen, which is what has happened,

00:16:40.440 --> 00:16:44.070
the risk you take is that that criminal tries to impersonate you.

00:16:44.070 --> 00:16:44.400
REPORTER: Yeah.

00:16:44.400 --> 00:16:47.370
HARDING: So what we’re also doing today is we’re going to be providing all of our

00:16:47.370 --> 00:16:52.110
customers with a year’s free credit monitoring as the best way of ensuring that if somebody

00:16:52.110 --> 00:16:56.700
does try and use that information illegally, you can catch it and that you will be safe.

00:16:56.700 --> 00:17:00.900
JACK: The press release said up to four million user accounts were taken. That’s

00:17:00.900 --> 00:17:06.330
the entire TalkTalk customer base. This may have included names, addresses, date of birth,

00:17:06.330 --> 00:17:12.030
credit card details and bank details, e-mail addresses, telephone numbers, and TalkTalk account

00:17:12.030 --> 00:17:18.180
number. The TalkTalk CEO, Dido Harding, received a ransom letter. The ransom threatened to publish

00:17:18.180 --> 00:17:24.510
the data that was stolen unless they pay $125,000 in Bitcoin. The ransom letter was turned over to

00:17:24.510 --> 00:17:29.670
the police and otherwise ignored. The security teams at TalkTalk worked in shifts around the

00:17:29.670 --> 00:17:34.530
clock to investigate the attack. They first needed to contain it and analyze it to understand the

00:17:34.530 --> 00:17:39.360
scope and then fix the problem so it won’t happen again. What they found is that there was a SQL

00:17:39.360 --> 00:17:43.830
injection done on the website that was formerly part of the Tiscali network. When the competitor

00:17:43.830 --> 00:17:48.270
was bought and merged into TalkTalk an old Tiscali site was overlooked from getting updates.

00:17:48.270 --> 00:17:54.450
In fact, that web server and database had not been patched for three and a half years. Rumors

00:17:54.450 --> 00:17:58.950
also spread that there was a denial-of-service attack on their main website. If there was a

00:17:58.950 --> 00:18:03.600
denial-of-service attack, it was more of a distraction than damaging. One news reporter

00:18:03.600 --> 00:18:07.620
described this attack like setting a fire in the front yard while burglars enter through

00:18:07.620 --> 00:18:11.730
the back door. The TalkTalk security team was having a hard time understanding the

00:18:11.730 --> 00:18:16.830
scope of this intrusion. That’s because there wasn’t one SQL injection that happened. There

00:18:16.830 --> 00:18:22.740
wasn’t two either. There wasn’t just five or even ten. A later report revealed that TalkTalk was

00:18:22.740 --> 00:18:29.190
targeted over 14,000 times in October. Attacks didn’t come from just one location. They came

00:18:29.190 --> 00:18:34.570
from many places around the world. It’s almost as if it was a coordinated attack. Trying to

00:18:34.570 --> 00:18:41.020
sort through the details of 14,000 different attacks was no easy task. Meanwhile customers

00:18:41.020 --> 00:18:44.920
were furious likely because they were tired of hearing about this company being breached.

00:18:44.920 --> 00:18:49.150
This would be the third time in a year that customer records were stolen from TalkTalk.

00:18:49.150 --> 00:18:54.190
People were upset that TalkTalk wouldn’t say what data was accessed, who was impacted,

00:18:54.190 --> 00:18:59.710
whether the data was encrypted or not. Customers were complaining about everything: slow internet

00:18:59.710 --> 00:19:04.810
speeds, disconnected calls, increased number of scams. A flurry of complaints hit social

00:19:04.810 --> 00:19:09.370
media. People were accusing TalkTalk of being negligent of the data and astonished that

00:19:09.370 --> 00:19:14.080
TalkTalk didn’t know more details. Rumors were everywhere. One rumor was that Islamic

00:19:14.080 --> 00:19:18.730
extremists were claiming responsibility for the hack. Another said Russian dissidents had taken

00:19:18.730 --> 00:19:23.590
responsibility. Another rumor was some customers were claiming fraudulent purchases seen on their

00:19:23.590 --> 00:19:27.910
credit cards. Many people were confused about the details and mixing up previous breaches

00:19:27.910 --> 00:19:32.380
with this one. In the days after the breach it was difficult and almost impossible to figure

00:19:32.380 --> 00:19:37.390
out what information was true and what was just rumor. The CEO was aware of the massive amount

00:19:37.390 --> 00:19:41.140
of complaints that were going on and four days later, had a new message for everyone.

00:19:41.140 --> 00:19:45.040
HARDING: I know it’s been a worrying and frustrating time for customers since the

00:19:45.040 --> 00:19:50.500
cyber-attack on TalkTalk’s website on Wednesday. Right from the start we’ve done everything we can

00:19:50.500 --> 00:19:54.940
to get to the bottom of what happened as soon as possible and to keep you updated along the

00:19:54.940 --> 00:19:59.980
way. The Met Police’s criminal investigation and our own internal one are still ongoing,

00:19:59.980 --> 00:20:05.380
but I hope I can now provide some reassurance to customers by telling you that the findings

00:20:05.380 --> 00:20:10.240
so far show that the number of customers affected and the amount of data potentially

00:20:10.240 --> 00:20:16.750
stolen is smaller than originally feared. In fact, our website, our shop front, if you like,

00:20:16.750 --> 00:20:23.410
was attacked but our core systems weren’t. We don’t store unencrypted credit card data on our

00:20:23.410 --> 00:20:29.170
site. Any credit card info which may have been stolen has the six middle digits blanked out and

00:20:29.170 --> 00:20:36.310
can’t be used for financial transactions. No My Account passwords have been stolen and no

00:20:36.310 --> 00:20:40.510
banking details were taken that you wouldn’t already be sharing when you write a check or

00:20:40.510 --> 00:20:46.600
give to someone so they can pay money into your account. I hope we can provide more reassurance

00:20:46.600 --> 00:20:52.480
soon. In the meantime, please do take advantage of the free credit monitoring service we’ve set

00:20:52.480 --> 00:20:58.180
up with one of the main credit checking agencies, Noddle. You can sign up using the code TT231.

00:20:58.180 --> 00:21:05.530
JACK: Two weeks later, TalkTalk announced exactly what had been taken. 156,000 user

00:21:05.530 --> 00:21:11.620
records including customer name, date of birth, and address. 15,000 bank account numbers and

00:21:11.620 --> 00:21:18.910
sort codes, and 28,000 partial credit cards. None of this data was encrypted. Customers

00:21:18.910 --> 00:21:22.750
continued to be furious with TalkTalk and began cancelling their contracts and moving to other

00:21:22.750 --> 00:21:26.650
providers. TalkTalk then began offering free upgrades for all their customers,

00:21:26.650 --> 00:21:31.090
including non-impacted ones as an attempt to keep their customers, but TalkTalk would not

00:21:31.090 --> 00:21:36.100
waive any cancellation fees for people who wanted out of the contract. Two months after the breach,

00:21:36.100 --> 00:21:40.420
British Parliament interviews Dido Harding. A Digital, Culture, Media,

00:21:40.420 --> 00:21:45.250
and Sports Committee is involved to try to assess the threat there is to the public. At the start of

00:21:45.250 --> 00:21:49.960
this episode you heard the beginning of this hearing. I’ll describe the scene for you. It

00:21:49.960 --> 00:21:54.610
looks like a large room somewhere in the palace of Westminster. There is wooden paneling on the

00:21:54.610 --> 00:22:00.790
walls and the carpet is ornate and lush. There is a large U-shaped table with thirteen members from

00:22:00.790 --> 00:22:05.560
the Culture Committee sitting around it and on the other end of the U is the CEO of TalkTalk,

00:22:05.560 --> 00:22:10.510
Dido Harding, sitting at a table all by herself. Also in the room are spectators,

00:22:10.510 --> 00:22:15.400
assistants, cameras, and microphones. Now let’s listen to a few parts of this hearing.

00:22:15.400 --> 00:22:20.830
HARDING: One of the most difficult periods for the TalkTalk board and for me personally

00:22:20.830 --> 00:22:27.730
during this attack was in the first thirty-six hours when we knew we’d been attacked on the

00:22:27.730 --> 00:22:35.140
Wednesday morning. Wednesday afternoon on the 21st, I had an incident call with my directors

00:22:35.140 --> 00:22:39.970
reviewing – we brought down the systems and we knew that we had been attacked. At that point

00:22:39.970 --> 00:22:45.610
I received a ransom demand in my personal inbox which was very credible. We informed all of the

00:22:45.610 --> 00:22:50.380
appropriate law-enforcement agencies and spent the next eighteen hours trying to understand exactly

00:22:50.380 --> 00:22:55.060
what had happened and what had been taken. The next day, on the Thursday morning, it was very

00:22:55.060 --> 00:23:00.240
clear that there was a real risk that a material number of our customers’ data had been stolen.

00:23:00.240 --> 00:23:05.610
It was also clear that it was going to take us several days. In fact it took us two weeks to know

00:23:05.610 --> 00:23:13.650
exactly what had been taken. Personally, by the Thursday mid-morning, I was clear that I needed to

00:23:13.650 --> 00:23:19.770
warn all my customers; that I could do something about it to help protect my customers. I was

00:23:19.770 --> 00:23:24.150
clear by the lunchtime on the Thursday that the sensible thing to do to protect my customers was

00:23:24.150 --> 00:23:28.740
to warn all of them because I could help make them safer. I could give them free credit monitoring,

00:23:28.740 --> 00:23:35.760
I could warn them not to accept these scam calls. For completely understandable reasons, the advice

00:23:35.760 --> 00:23:40.080
we received that Thursday afternoon from the Metropolitan Police was not to tell our customers.

00:23:40.080 --> 00:23:45.000
Now, I totally understand why the police wanted us to stay quiet because they’ve got a different

00:23:45.000 --> 00:23:49.650
objective. They want to catch the criminals. You sort of want the police to want to catch

00:23:49.650 --> 00:23:54.600
the criminals, and we had some very constructive discussions with them through that afternoon and

00:23:54.600 --> 00:24:00.240
into the early evening on how to marry the conflicting objectives of a company wanting

00:24:00.240 --> 00:24:04.609
to look after their customers and the police force rightly wanting to catch the criminals.

00:24:04.609 --> 00:24:08.520
THE COURT: Thank you very much. How many breaches of security have you had in the last five years?

00:24:08.520 --> 00:24:15.859
HARDING: This is the first of TalkTalk’s systems, the 21st of October.

00:24:15.859 --> 00:24:18.990
THE COURT: What about these other incidents that we’re talking about?

00:24:18.990 --> 00:24:21.630
HARDING: I presume you’re…

00:24:21.630 --> 00:24:22.290
THE COURT: They’re breaches of security.

00:24:22.290 --> 00:24:27.120
HARDING: I was asking – possibly not answering the question that

00:24:27.120 --> 00:24:32.010
the Chairman posed. What I was answering is this is the first successful cyber-attack on

00:24:32.010 --> 00:24:38.460
TalkTalk’s systems. I would say that we are attacked every day, multiple different ways.

00:24:38.460 --> 00:24:46.980
THE COURT: These other breaches of security, what have they been?

00:24:46.980 --> 00:24:53.820
HARDING: I presume you’ll be referring to comments in the newspaper suggesting that

00:24:53.820 --> 00:24:59.250
there have been three attacks in the course of the last year. Is that fair?

00:24:59.250 --> 00:25:01.650
THE COURT: Yeah, well, it’s certainly something that’s in my mind, yeah.

00:25:01.650 --> 00:25:05.700
HARDING: Okay. Just to make sure I’m answering the right questions. Carphone Warehouse,

00:25:05.700 --> 00:25:11.300
who is a supplier to TalkTalk and a number of other mobile retailers,

00:25:11.300 --> 00:25:18.260
was the victim of an attack in the summer. It wasn’t a TalkTalk system that was breached.

00:25:18.260 --> 00:25:27.650
It was a third party supplier. We, like many other companies, have had customers targeted

00:25:27.650 --> 00:25:37.460
by scammers and there was one specific incident in November last year where there was a – it

00:25:37.460 --> 00:25:43.040
was not a cyber-security breach but a personal – personnel security issue in one of our outsource

00:25:43.040 --> 00:25:46.629
providers. Those are the three that I’m aware of that are in the public domain.

00:25:46.629 --> 00:25:49.880
THE COURT: How would you describe to your customers what’s the difference between a

00:25:49.880 --> 00:25:52.790
cyber-security attack and a personal data breach?

00:25:52.790 --> 00:25:58.970
HARDING: I think that from a customer’s perspective they don’t really care how

00:25:58.970 --> 00:26:05.600
their data is stolen. They care if their data has been stolen. I think that the total set is

00:26:05.600 --> 00:26:10.580
different ways that customers’ data can be stolen. I was trying to be specific

00:26:10.580 --> 00:26:16.460
in the answer to the Chairman earlier about a cyber-related data breach, where someone has

00:26:16.460 --> 00:26:20.960
accessed – the criminal has accessed your systems as opposed to a human data breach.

00:26:20.960 --> 00:26:24.020
THE COURT: A human data breach; that would be someone within the organization that has

00:26:24.020 --> 00:26:26.300
stolen the data they shouldn’t have done, or accessed data they shouldn’t have done.

00:26:26.300 --> 00:26:31.329
HARDING: Yeah, or any former – yes, or through the third party chains.

00:26:31.329 --> 00:26:35.780
THE COURT: Could I ask, why do you think TalkTalk is, or appears to be,

00:26:35.780 --> 00:26:40.820
so especially vulnerable to this? Because however we look at this,

00:26:40.820 --> 00:26:47.000
there have been a number of very serious breaches which have caused TalkTalk to develop

00:26:47.000 --> 00:26:51.740
the bad reputation that it has. Why do you think that’s happened to your company in particular?

00:26:51.740 --> 00:26:58.520
HARDING: I’m afraid I don’t think that we are unique or unusual in being victims of cyber-crime.

00:26:58.520 --> 00:27:02.780
THE COURT: You’ve said that a number of times but you appear to have had more than most.

00:27:02.780 --> 00:27:05.660
HARDING: I don’t think that that’s true. I think, as I said…

00:27:05.660 --> 00:27:10.580
THE COURT: You think other big companies have had three serious breaches in the last year?

00:27:10.580 --> 00:27:13.029
HARDING: As I say, we’ve had one serious breach on our systems.

00:27:13.029 --> 00:27:16.910
THE COURT: I know but I feel we’re dancing slightly on the head of a pin there,

00:27:16.910 --> 00:27:19.380
because the way you’re defining the breaches – so,

00:27:19.380 --> 00:27:24.720
three separate breaches that have affected your customers who’ve signed up for you.

00:27:24.720 --> 00:27:27.086
HARDING: Okay. And all I’m…

00:27:27.086 --> 00:27:30.990
THE COURT: You have to take responsibility, even if other people – even if you would argue that

00:27:30.990 --> 00:27:36.270
you’re indirectly responsible, the relationship that these customers have is with you.

00:27:36.270 --> 00:27:41.490
HARDING: That’s fair. I guess what I’m actually alluding to is that because

00:27:41.490 --> 00:27:46.920
telecoms companies are the only companies that have an obligation to report these data breaches,

00:27:46.920 --> 00:27:55.350
we took a decision on the 22nd of October to warn all our customers about the attack that

00:27:55.350 --> 00:28:02.250
we had just experienced. We have been much more public than I think many other organizations

00:28:02.250 --> 00:28:08.700
have been. Maybe they didn’t need to be. But the fact that the PWC report for it to be,

00:28:08.700 --> 00:28:12.750
says that nine out of ten major companies have had a successful attack in the last twelve months,

00:28:12.750 --> 00:28:18.240
and that – you tell us they’re dealing with two hundred live instances each month. That certainly

00:28:18.240 --> 00:28:23.400
doesn’t reflect what all of us as consumers would see in terms of communication from

00:28:23.400 --> 00:28:26.670
the companies that we deal with. There aren’t that many in the public domain.

00:28:26.670 --> 00:28:32.130
THE COURT: But the cyber-essentials is really some basic guidelines at relatively low cost.

00:28:32.130 --> 00:28:35.340
HARDING: Which as I understand it, we are fully compliant with. As I said,

00:28:35.340 --> 00:28:38.940
we are simply just in the – have been in the – appreciate, the team have been quite busy dealing

00:28:38.940 --> 00:28:42.409
with the incident over the last two months. We were in the process of getting accreditation.

00:28:42.409 --> 00:28:45.540
THE COURT: Okay. It’s a bit late though, in some ways, isn’t it?

00:28:45.540 --> 00:28:49.710
HARDING: Well, no, I think as a telecoms company the thing we’ve focused on has been

00:28:49.710 --> 00:28:56.010
a very detailed and in-depth 10 Steps to Cyber Security plan, which we worked on through the

00:28:56.010 --> 00:29:00.840
auspices of Tizag. No, I don’t think that we have just missed out the essentials at

00:29:00.840 --> 00:29:04.800
all. I think quite the opposite. We have a very robust cyber-security plan. It’s just I’m also

00:29:04.800 --> 00:29:10.080
being honest and human to say of course I wish I’d done more. I don’t know whether doing more

00:29:10.080 --> 00:29:14.220
would have prevented this attack by the way, but I think the thing that my customers would expect

00:29:14.220 --> 00:29:18.420
us to do is to keep building our security walls higher and higher. ‘Cause the really

00:29:18.420 --> 00:29:22.410
harsh reality is the criminals’ ladders are getting longer and longer every single month.

00:29:22.410 --> 00:29:29.980
JACK: This hearing lasted two hours and they asked Dido 145 questions. Ever since the day of

00:29:29.980 --> 00:29:35.410
the breach, TalkTalk had been working closely with London’s Metropolitan Police. In fact,

00:29:35.410 --> 00:29:41.800
the Metropolitan Police did an impressive job. They were able to track down IP addresses to

00:29:41.800 --> 00:29:48.100
physical locations and connect hacker names with real names and real addresses. They were able

00:29:48.100 --> 00:29:52.990
to trace down some of the hackers involved. In fact, within three months of the breach,

00:29:52.990 --> 00:29:59.590
Metropolitan Police arrested six people involved. All six of the people were boys

00:29:59.590 --> 00:30:05.560
under twenty-one years old. The first arrest was a few days after the breach and it was a

00:30:05.560 --> 00:30:14.530
fifteen year old boy in Ireland. This was a shock to the UK and a few newspapers actually

00:30:14.530 --> 00:30:19.180
published his name. The lawyers of the boy sued those newspapers because they’re not

00:30:19.180 --> 00:30:23.440
allowed to publish the names of minors in papers. That lawsuit is still going

00:30:23.440 --> 00:30:28.960
on today. The boy was released on bail a few weeks later. It’s uncertain what happened to

00:30:28.960 --> 00:30:34.080
him then. We don’t know if he was found guilty or received any punishment. The second arrest

00:30:34.080 --> 00:30:38.700
was a sixteen year old boy arrested in a suburb west of London. He also got released on bail.

00:30:38.700 --> 00:30:42.030
Then there was another sixteen year old boy that was arrested in Norwich,

00:30:42.030 --> 00:30:47.190
UK. This boy claimed that he found the vulnerability on TalkTalk’s website using

00:30:47.190 --> 00:30:54.390
a tool called sqlmap. He posted what he found to a hacker forum. He says he didn’t download any of

00:30:54.390 --> 00:30:59.520
the data off of TalkTalk’s website and he didn’t benefit at all from doing this hack. In fact,

00:30:59.520 --> 00:31:04.410
all he was trying to do was quote, “I was trying to show off to my mates.” End quote. Metropolitan

00:31:04.410 --> 00:31:09.690
Police looked through his computer and his iPhone and they found not only did he actually hack into

00:31:09.690 --> 00:31:16.080
TalkTalk but he was also hacking into other things like Cambridge University, Manchester University.

00:31:16.080 --> 00:31:21.330
When he went to court, he pled guilty to seven charges but only two were for TalkTalk. He was

00:31:21.330 --> 00:31:27.330
sentenced to a twelve-month youth rehabilitation order and lost his iPhone and computer. Another

00:31:27.330 --> 00:31:31.260
arrest a few days later was a twenty year old named Matthew. He was in Staffordshire,

00:31:31.260 --> 00:31:38.160
UK. When police seized his computers they found evidence that he hacked into NOA, NASA, Spotify,

00:31:38.160 --> 00:31:44.130
and twenty other websites. Matthew hacked into TalkTalk and downloaded as much data as

00:31:44.130 --> 00:31:49.440
he could. He showed his friend Connor the stuff that he downloaded from TalkTalk and Connor got

00:31:49.440 --> 00:31:55.140
real excited. He said hey, give that to me. I’m gonna sell that on the dark net. Connor started

00:31:55.140 --> 00:31:59.160
posting some of the data for sale on the dark net and started talking to people on the dark net to

00:31:59.160 --> 00:32:03.150
try to make the sale. That’s when the police were able to arrest both Matthew and Connor.

00:32:03.150 --> 00:32:09.270
The next arrest was an eighteen year old boy named Daniel. He was arrested in Wales. He was the one

00:32:09.270 --> 00:32:14.660
that sent the ransom letter to Dido so he was initially charged with blackmail. When the police

00:32:14.660 --> 00:32:19.460
looked through his computers and his history they found that he was doing denial-of-service attacks

00:32:19.460 --> 00:32:23.810
on his own college which caused a partial outage on the local hospital. He did other

00:32:23.810 --> 00:32:28.490
attacks against companies, stole their data, and demanded Bitcoin so it would not be published;

00:32:28.490 --> 00:32:33.830
basically doing ransoms on other companies, as well. He was found guilty of extortion of over

00:32:33.830 --> 00:32:39.050
$300,000. He lived in a small town in Wales and after he was arrested he reached out to

00:32:39.050 --> 00:32:43.700
a reporter at Motherboard to let his voice be heard. This is what the hacker said. Quote,

00:32:43.700 --> 00:32:48.260
“There’s not much to do in my town and the internet offered me opportunities and a way

00:32:48.260 --> 00:32:53.060
to cure boredom. When you’re surrounded by people on the network that engage in these criminal acts,

00:32:53.060 --> 00:32:57.980
it essentially becomes the norm and it’s extremely addicting. There’s nobody around to tell you what

00:32:57.980 --> 00:33:02.750
you’re doing is wrong. It’s a difficult feeling to explain but it’s essentially a feeling of euphoria

00:33:02.750 --> 00:33:08.210
and once you’ve experienced it, it’s something you always chase. It’s a bit like a drug but

00:33:08.210 --> 00:33:12.980
on a whole different level, obviously. The more you develop your skills, the stronger the feeling

00:33:12.980 --> 00:33:17.450
becomes because you’re able to do more things. What I’ve done is essentially going to haunt me

00:33:17.450 --> 00:33:22.040
for the rest of my life. I know that’s probably the advice you were expecting but seriously,

00:33:22.040 --> 00:33:28.700
don’t do it. Crimes online are treated no differently from crimes in the real world. I’ve

00:33:28.700 --> 00:33:33.590
had to learn that the difficult way. You might assume you’re more-or-less invincible but if you

00:33:33.590 --> 00:33:38.870
do something serious enough, you will be caught and put through the justice system.” End quote.

00:33:38.870 --> 00:33:45.580
Then later on in 2016, three Webpro employees were arrested for stealing data out of the TalkTalk

00:33:45.580 --> 00:33:52.240
database. There’s no talk about anyone who hacked the Carphone Warehouse database. We still don’t

00:33:52.240 --> 00:34:00.410
know how that happened or who did it. In June 2016, the ICO concluded their investigation on

00:34:00.410 --> 00:34:04.970
TalkTalk and published their report. The site says the database was out of date for three

00:34:04.970 --> 00:34:10.700
and a half years and the attack was through the Legacy Tiscali pages. TalkTalk wasn’t monitoring

00:34:10.700 --> 00:34:16.790
that site and the attacker used SQL injection. The investigation also found that in July of

00:34:16.790 --> 00:34:24.110
2015 and September of 2015, there were also SQL injections in the logs and unauthorized access.

00:34:24.110 --> 00:34:29.690
TalkTalk thought they had identified the breach the day of the attack but technically it took

00:34:29.690 --> 00:34:36.380
them three months to detect this. A year after the breach the ICO placed a fine on TalkTalk for

00:34:36.380 --> 00:34:44.780
$530,000 for a loss of 157,000 customer records. This was the largest fine ever imposed by the

00:34:44.780 --> 00:34:52.370
ICO. TalkTalk paid the fine early which allowed them to only pay $420,000. Later on in 2017 the

00:34:52.370 --> 00:34:59.240
ICO placed another fine on TalkTalk for $130,000. This was for the Webpro breach that lost 21,000

00:34:59.240 --> 00:35:04.130
user records. After that was announced, the class-action lawsuit against TalkTalk

00:35:04.130 --> 00:35:08.450
re-emerged. Fifty people were claiming they were victims of scams and seeking compensation.

00:35:08.450 --> 00:35:16.730
In February 2017, over a year after the breach, Dido Harding steps down as CEO. In a quarterly

00:35:16.730 --> 00:35:22.490
shareholders call, TalkTalk claimed the breach cost them $70 million. These expenses included

00:35:22.490 --> 00:35:27.470
doing a security assessment, fixing the issues, hiring a security firm to investigate, giving

00:35:27.470 --> 00:35:32.750
free credit monitoring, giving free upgrades to customers, and more. They also said they lost

00:35:32.750 --> 00:35:38.900
101,000 customers due to the breach. Their stock fell by 11 percent and they lost a market share

00:35:38.900 --> 00:35:44.840
of 4 percent. [MUSIC] Since all these attacks, the UK has developed a new program; a youth rehab

00:35:44.840 --> 00:35:49.940
boot-camp for teens who have been convicted of hacking. This is a place for teens to learn their

00:35:49.940 --> 00:35:55.100
skills are in high demand. Mentors teach them how they can enter the job force and continue

00:35:55.100 --> 00:36:00.410
doing the things they love, which is hacking. This breach reminds us that you can’t secure

00:36:00.410 --> 00:36:05.530
what you don’t know you have, and in this case TalkTalk forgot they had these servers. Another

00:36:05.530 --> 00:36:09.389
problem is when you leave one server vulnerable it makes the entire company vulnerable. [MUSIC ENDS]

00:36:09.389 --> 00:36:17.380
THE COURT: What advice would you give to other CEOs?

00:36:17.380 --> 00:36:25.300
HARDING: I think there’s two pieces of advice that I would offer. One is that being open and

00:36:25.300 --> 00:36:31.990
honest with your customers is the right answer. I would hate that all of the public attention that

00:36:31.990 --> 00:36:36.010
TalkTalk has had as a result of our approach of being open and honest with customers would lead

00:36:36.010 --> 00:36:40.900
other chief executives to conclude that that was the wrong thing to do. We think it was absolutely

00:36:40.900 --> 00:36:45.700
the right thing to do, to go out and warn all four million of our customers on the 22nd of October.

00:36:45.700 --> 00:36:51.250
We think that actually, over time, we are seeing the benefits of that in our customers telling us

00:36:51.250 --> 00:36:55.360
that they value the fact that we’ve been open and honest. That would be my first main piece

00:36:55.360 --> 00:37:01.600
of advice. The second piece is that you mustn’t delegate security. Security is a board-level

00:37:01.600 --> 00:37:06.940
issue and it’s a business decision because the only way you can be 100 percent confident that

00:37:06.940 --> 00:37:11.320
you’re not at risk of cyber-crime is not to operate in the digital space, and that’s the

00:37:11.320 --> 00:37:16.900
wrong answer. You have to take risk as the Chief Executive, and therefore you have to know enough

00:37:16.900 --> 00:37:22.660
about what your choices are and not to delegate – and we’ve seen that in spades over the last two

00:37:22.660 --> 00:37:28.210
months because our risk of cyber-security has gone up simply because of the amount of media attention

00:37:28.210 --> 00:37:33.400
around TalkTalk. The business risk has changed and that’s required me to take decisions which,

00:37:33.400 --> 00:37:39.520
I think, in other companies, might be being taken by the security function. Cyber-crime is the crime

00:37:39.520 --> 00:37:45.640
of our generation. It is growing exponentially and we all need to know more and learn more. I

00:37:45.640 --> 00:37:49.360
think the TalkTalk board, probably more than any other in the country, knows that that’s the case.

00:37:49.360 --> 00:37:58.180
JACK (OUTRO): [OUTRO MUSIC] You’ve been listening to Darknet Diaries. For show notes and links,

00:37:58.180 --> 00:38:12.340
check out darknetdiaries.com. Music is provided by Ian Alex Mac and Alex Barbarian.

00:38:12.340 --> 00:38:12.850
[OUTRO MUSIC ENDS]
