I’m sure I wasn’t the only person to be somewhat surprised at the news that Baroness Dido Harding has been appointed to oversee the implementation of the new NHS Covid-19 app. Rightly or wrongly, she will always be associated with the massive data breach at TalkTalk in October 2015 and has received significant criticism for her handling of that incident. As one commentator optimistically phrased it, she may have learnt some useful lessons from that incident. Hopefully that is true, but it is hardly likely to inspire confidence in a scheme that is already highly controversial.
The news also reminded me of another interesting blog post of ours from last year. The post summarised findings from a new academic study of the cost to organisations of data breaches. As well as addressing the main research question, the authors also found, somewhat surprisingly, that:
- The pay of CEOs in firms that had had a data breach increased relative to firms that hadn’t; and
- Security breaches had no effect on the rate of CEO turnover.
Whilst Baroness Harding did eventually leave TalkTalk, it was not before she famously picked up a substantial bonus. It is not my intention to criticise individuals; rather, I repeat the story because it suggests that CEOs are not adequately incentivised to manage information security risks. If CEOs know that their remuneration and career prospects will not be damaged, even by a spectacular data breach, why would they allocate scarce resources to mitigate the risk?
That leads on finally to the other big information security story of the week – EasyJet. The headlines have focused on the total number, 9 million, of customers affected. But perhaps more worryingly, it is reported that over 2000 customers had their credit card details compromised. Given that this incident occurred post-GDPR, EasyJet may be looking at a very significant fine when, with a global pandemic going on and almost no air travel taking place, they have enough problems already.