Former TalkTalk CEO (UK) Warns Companies to Invest in New Tech to Avoid GDPR Breaches

Dido Harding, the former CEO of TalkTalk, has warned companies to replace all legacy technology systems before GDPR takes effect, in order to avoid being hit with massive fines.

Harding, speaking at the annual InfoSecurity Europe conference in London last week to discuss the fallout from TalkTalk’s 2015 hack, said that it is vital for companies to audit their legacy technology as soon as they possibly can. Drawing parallels with the data breach that her former company experienced, she said: “We were a business that had grown through a lot of acquisitions, and a business that we had bought had bought a business, that had bought a business, that had a legacy website that had an extremely simple SQL injection vulnerability in a legacy website that had not been used in two of those three acquisitions.”

That weakness in a legacy system led to the catastrophic 2015 breach of TalkTalk’s systems, in which the personal information, including bank details, of 157,000 customers was stolen. The Information Commissioner’s Office fined the company £400,000, a record fine at the time it was issued.
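What “an extremely simple SQL injection vulnerability” in a forgotten legacy website typically looks like, as an added illustration that is not from the article and does not reproduce TalkTalk’s actual code or systems: a customer lookup that concatenates user input straight into the query text, next to the parameterised form that closes the hole. The table, the customer records and the payload below are constructed for the demonstration; the database is an in-memory SQLite instance standing in for a legacy site’s backend.

```python
import sqlite3

# Constructed sample data (not real customer records): a tiny customers table
# standing in for the backend of an old, unmaintained website.
SAMPLE_CUSTOMERS = [
    (1, "alice", "alice@example.test", "12-34-56 00011122"),
    (2, "bob", "bob@example.test", "65-43-21 00033344"),
]

# A classic tautology payload: closes the quoted string, then ORs in a
# condition that is always true, so the WHERE clause matches every row.
PAYLOAD = "' OR '1'='1"


def make_db():
    """Create the in-memory SQLite database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "id INTEGER PRIMARY KEY, username TEXT, email TEXT, bank_details TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """Legacy pattern: untrusted input is spliced into the SQL string.

    Whatever the caller passes becomes part of the statement itself, so a
    crafted value can change the query's logic rather than just its data.
    """
    sql = (
        "SELECT username, email, bank_details FROM customers "
        "WHERE username = '" + username + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened pattern: the statement is fixed and the input is bound as a
    parameter, so it is only ever compared as a value, never parsed as SQL."""
    sql = "SELECT username, email, bank_details FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups against the same data and return the results."""
    conn = make_db()
    return {
        # Ordinary use of the legacy lookup: one matching customer.
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        # The same lookup fed the payload: every customer's details come back.
        "vulnerable_payload": lookup_vulnerable(conn, PAYLOAD),
        # The parameterised lookup fed the payload: no such username, no rows.
        "safe_payload": lookup_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

The point the example makes is the one Harding’s account implies: the fix is neither exotic nor expensive (one parameterised query), but nobody applies it to a site nobody remembers owning. Auditing acquired estates for exactly this kind of string-built SQL is the practical form of “audit your legacy technology”.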

Speaking about the flaw that impacted the customers and the technology that TalkTalk were using, she said: “None of us found it. We should have done, but none of us did. It is the legacy that gets you. It’s acquisitions and legacy within acquisitions that gets you. And it’s business leaders not really hearing from their security experts that they need to spend money in decommissioning the legacy – whether they acquired it or built it themselves. And that’s pretty much what happened to us.”

“The vast majority of boards want to be able to abdicate responsibility by asking their security professionals ‘are we ok?’,” she said, “and you mustn’t let them ask that question.”

“If you’re running an oil rig, as the chief exec, you wouldn’t go ‘are we physically OK?’. You’d ask a different question; you’d say ‘what are the risks? What are the risks I’m happy to accept, and what are the risks that I’m really worried about that we need to be pushing to mitigate?'”