“It’s the legacy that gets you”, warns ex-TalkTalk boss

Dido Harding urges companies to decommission unsecured legacy systems to avoid a costly data breach

The former CEO of TalkTalk, who witnessed the fallout from the telecom provider's 2015 hack, has issued a stark warning to companies, advising them to invest in decommissioning their legacy technology systems before it's too late.

Speaking at the annual InfoSecurity Europe conference in London, Dido Harding told attendees that if they did not take the time to audit their legacy technology, it may have dire consequences further down the line.

Harding speaks from experience; it was a flaw in a legacy system that caused the catastrophic data breach of TalkTalk's systems in 2015 and led to the theft of 157,000 customers' bank details and personal information, as well as a then-record-breaking fine from the ICO of £400,000.

"We were a business that had grown through a lot of acquisitions, and a business that we had bought had bought a business, that had bought a business, that had a legacy website that had an extremely simple SQL injection vulnerability in a legacy website that had not been used in two of those three acquisitions."

TalkTalk failed to properly scan the infrastructure of Tiscali when it bought the company's UK business in 2009, and was unaware that three vulnerable webpages enabled hackers to gain access to a database holding customer information, or that the database version was outdated and out of support.

According to Harding, the flaw went undiscovered despite penetration testing, security audits and other forms of cyber due diligence being carried out at the time Tiscali was acquired by TalkTalk. "None of us found it. We should have done, but none of us did."

"It is the legacy that gets you," she added. "It's acquisitions and legacy within acquisitions that gets you. And it's business leaders not really hearing from their security experts that they need to spend money in decommissioning the legacy - whether they acquired it or built it themselves. And that's pretty much what happened to us."

Harding also talked in more detail about the infamous hack, including laying out TalkTalk's immediate response to it. She said that her biggest regret was not informing customers earlier, and reminded attendees that three months after the hack, TalkTalk's customer base reported higher satisfaction and lower churn than it did before.

One of the former CEO's most important takeaways from the hack was that security is a board-level issue, but also that boards are looking at security in the wrong way. Rather than looking at security as a black-and-white, pass-fail metric, boards need to see security as a spectrum of risk.

"The vast majority of boards want to be able to abdicate responsibility by asking their security professionals 'are we ok?'," she said, "and you mustn't let them ask that question."

"If you're running an oil rig, as the chief exec, you wouldn't go 'are we physically OK?'. You'd ask a different question; you'd say 'what are the risks? What are the risks I'm happy to accept, and what are the risks that I'm really worried about that we need to be pushing to mitigate?'"
