TalkTalk Hack and Encryption
Reading today’s papers (The Times, 26 Oct), it would appear that people are surprised their personal data was not encrypted. In this context there are two types of encryption.
- In Transit – When you send it from your computer to their computer over the internet. This should be encrypted. Look for the padlock and https.
- At Rest – When stored on giant databases. In most cases (not just TalkTalk) your data is not encrypted at rest, mainly because it would make the systems too slow.
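The distinction above is the one a practitioner usually wants to see in code, so here is an added example (it is not part of the original post, and it is not anything TalkTalk runs). It shows field-level encryption at rest: one sensitive column of a customer record is sealed with AES-GCM, each ciphertext is bound to its own row, and a keyed blind index lets the application still look a record up by account number without decrypting the table. The record layout, the `Vault`, `Store`, `Load` and `FindByAccount` names, and the in-process key generation are all assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// StoredCustomer is the database row: Name stays in the clear for ordinary
// queries, Account is nonce||AES-GCM ciphertext||tag, AccountIndex a blind index.
type StoredCustomer struct {
	Name         string
	Account      []byte
	AccountIndex string
}

// Vault holds the data-encryption key (as an AEAD) and a separate index key;
// both are hypothetical here and would come from a KMS or HSM in production.
type Vault struct {
	aead     cipher.AEAD
	indexKey []byte
}

func NewVault(dek, indexKey []byte) (*Vault, error) {
	block, err := aes.NewCipher(dek) // 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, indexKey: indexKey}, nil
}

// seal encrypts one field under a fresh random nonce; the AAD ties the
// ciphertext to its row, so a blob moved to another customer's row fails to open.
func (v *Vault) seal(plaintext, aad string) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, []byte(plaintext), []byte(aad)), nil
}

func (v *Vault) open(blob []byte, aad string) (string, error) {
	ns := v.aead.NonceSize()
	if len(blob) < ns+v.aead.Overhead() {
		return "", fmt.Errorf("ciphertext too short: %d bytes", len(blob))
	}
	pt, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(aad)) // tag check
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// blindIndex is deterministic so equal values match, yet without the index
// key a stolen copy of the table does not reveal the account numbers.
func (v *Vault) blindIndex(value string) string {
	m := hmac.New(sha256.New, v.indexKey)
	m.Write([]byte(value))
	return hex.EncodeToString(m.Sum(nil))
}

// Store builds the at-rest form of one customer record.
func (v *Vault) Store(name, account string) (StoredCustomer, error) {
	ct, err := v.seal(account, "customer:"+name)
	if err != nil {
		return StoredCustomer{}, err
	}
	return StoredCustomer{Name: name, Account: ct, AccountIndex: v.blindIndex(account)}, nil
}

// Load decrypts the account number of a stored row.
func (v *Vault) Load(rec StoredCustomer) (string, error) {
	return v.open(rec.Account, "customer:"+rec.Name)
}

// FindByAccount returns the matching row's index (or -1) without decrypting.
func (v *Vault) FindByAccount(rows []StoredCustomer, account string) int {
	want := v.blindIndex(account)
	for i, r := range rows {
		if hmac.Equal([]byte(r.AccountIndex), []byte(want)) {
			return i
		}
	}
	return -1
}

func main() {
	keys := make([]byte, 64) // constructed demo keys, generated in-process
	rand.Read(keys)
	v, _ := NewVault(keys[:32], keys[32:])
	row, _ := v.Store("A. Customer", "12345678")
	acct, err := v.Load(row)
	fmt.Printf("at rest: %x\ndecrypted: %s %v\n", row.Account, acct, err)
}
```

Encrypting only the columns that matter, and indexing them with an HMAC so lookups never touch the key, is one way to keep the performance cost that the post cites within reach; what remains is key management, which is why the keys here are only a stand-in for a KMS.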
The head of TalkTalk is correct: there is no legal obligation to encrypt Personal Data. The Data Protection Act does not call out specific measures. Principle 7 says:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
What you determine is appropriate is a balance of risk and reward in business, so whether TalkTalk failed to provide the appropriate measures will be a subjective assessment. If the law were changed to rule that Personal Details and Bank Details must be encrypted at rest, companies would face a massive challenge implementing it; as it is, they struggle a lot of the time with PCI DSS compliance, which is very clear.
Apart from lots of other actions that will follow, the Information Commissioner's Office can fine TalkTalk £500,000, which is not a lot for a large company. In January 2016 they would face a fine of either 5% or 2% of turnover (not profit) under the EU General Data Protection Regulation.
The challenge that I and others in my profession have is allowing companies to give you service at the speed of light, with ever newer innovations, whilst preventing them from taking too many risks.
As a profession it is very undermanned. So if you fancy a rewarding technical career trying to understand mind-boggling complexity in a constantly shifting environment, then come and join me as a Security Professional.
Senior Security Consultant at AWS
9 years
Christopher, all your points are valid and there was a failure of some basic security. My comment was more around the expectation that by default companies are encrypting data at rest. Most are not but are still reliant on a perimeter protection strategy.
Managing Director at IDGateway Limited
9 years
Great commentary. The same message needs to get to the IT Security professionals, who are sometimes too quick to protect their interests and thus demand belt-and-braces encryption and lockdown, without consideration for the practical usability of the end product as a consequence.