I was responsible for security at the time of the hack, says TalkTalk CEO Dido Harding

Sooraj Shah

Harding tells parliament committee that she was accountable because cyber security is a board issue

TalkTalk CEO Dido Harding told a parliament committee today that she was responsible for security when the telecoms firm was hacked in October.

Harding was quizzed by Jesse Norman, chair of the committee, as well as several other committee members, on the hack, in which 156,656 TalkTalk customers had their personal details accessed.

Harding said that she was accountable and responsible for security in the company "before the attack and now".

But Norman suggested that this can't be the case as Harding is running the whole firm, which prompted Harding to state that cyber security was a board issue, and therefore she did have responsibility for it.

Harding added: "I do have an executive director who works on the board who has a security team that works for him."

The TalkTalk CEO went on to claim that security in a telecoms company means more than just a direct security team.

"Security touches everyone in the company which is why I should be directly responsible for it," she said.

The executive director that Harding was referring to is Charles Bligh, who previously worked at IBM for 22 years before joining TalkTalk in 2011. But Harding was eager not to place blame on Bligh - or indeed any other line manager - for the failures at TalkTalk. She said that the responsibility for keeping customer data safe was split among a number of teams.

She said that the accountability for security audits and best practice sits with the security team, but implementations of systems and processes and how those comply with security policies sit with the technology team. Other security issues such as passwords are handled by an operations team.

"So it is impossible to say the director of security is responsible," said Harding, before agreeing that if the firm was to find a specific area at fault, then perhaps a line manager could be found responsible - albeit not for this hack.

"It is possible that none of them are to blame if it is a criminal attack - that's why it is a board-level issue rather than an individual-level issue," she said.

When Norman asked Harding who on TalkTalk's board is considered technically knowledgeable on cyber security, she claimed that the firm is lucky that it has a number of non-executive directors with cyber security knowledge, namely
James Powell, who is currently global CTO of Nielsen, and was formerly CTO of Thomson Reuters.

When later probed on whether Powell, and consultancy PwC which was carrying out a thorough investigation into the hack, could be trusted with information about the incident, Harding said that she had no concerns about this whatsoever.

She added that when it came to cyber security, her non-executive directors would admit that "none of us know enough yet".

"Any CEO that says they know enough about this subject means they haven't thought about it enough yet," she said.

Last month, Computing asked several CIOs who they thought would be to blame in the event of a data breach at their companies. Some suggested it would be their responsibility, while others said the CFO, and ultimately the CEO could be to blame.

Many of Harding's conclusions chime with the findings of Computing's recent research which can be found here.


You may also like
Southern Water confirms customer data breach


Stems from Black Basta attack last month

clock 14 February 2024 • 2 min read
Bank of America admits data breach after supply chain hack


Customer info exposed

clock 13 February 2024 • 2 min read
Researchers find user data exposed on LectureNotes learning app

Threats and Risks

Misconfigured database was leaking data of more than 2 million users

clock 08 February 2024 • 2 min read

More on Security

Law enforcement takes down LockBit - updated

Law enforcement takes down LockBit - updated

NCA among the groups under 'Operation Cronos'

Tom Allen
clock 20 February 2024 • 2 min read
Microsoft's chief security advisor joins Cybersecurity Festival 2024

Microsoft's chief security advisor joins Cybersecurity Festival 2024

Sarah Armstrong-Smith will talk AI in security

Tom Allen
clock 19 February 2024 • 1 min read
Microsoft announces critical zero-day Exchange bug

Microsoft announces critical zero-day Exchange bug

Enables remote control of Exchange Server

Vikki Davies
clock 16 February 2024 • 1 min read