TalkTalk’s profits have more than halved over the past year as it absorbed the cost of several major breaches, in a case which experts claim should act as a cautionary tale for firms which fail to take cybersecurity seriously enough.
The UK ISP claimed in preliminary financials for FY16 that pre-tax profits stood at £14m, down from £32m the previous year – noting £83m was spent on “exceptional items” versus £46m in FY15.
The firm had already admitted a one-off bill of £35m would have to be paid to cover incident response, external consulting and increasing call volumes as a result of a breach in October when hackers apparently stole data on around 4% of customers after a simple SQLi attack.
That figure later rose to around £42 million.
It was also forced to contact customers on two other occasions in 2015 after it was suspected hackers gained access to sensitive information.
TalkTalk Group came under fire again in January this year after it was revealed that employees at one of its outsourcers, Wipro, had been arrested on suspicion of using customer data to commit fraud.
Marc Dautlich, partner at law firm Pinsent Masons, claimed the financial results are a “stark reminder” of the potentially severe consequences of a cyber-attack.
“The financial and reputational impacts can be real and long-lasting,” he added. “Business leaders should be looking at the events that have unfolded and asking themselves: 'what if this were my organization? Am I prepared?'."
Andrew Avanessian, vice president at Avecto, added that large organizations are sometimes guilty of mistaking compliance with data protection laws with robust security.
“That’s a dangerous assumption,” he added.
“If the security fundamentals are not addressed and the endpoint systems are not secured then you risk undermining all your defenses and ultimately putting your customers, organizational reputation and profits in the line of fire.”
Richard Parris, CEO of Intercede, argued that firms need to improve security now before the forthcoming EU GDPR levies strict fines on those which don’t effectively protect customer data.
“If companies want to continue to profit in the digital economy, a more proactive stance is required,” he claimed. “The industry must work together to ensure that security is embedded into the very fabric of the technology ecosystem, from the silicon chips that power our smartphones and connected cars, to the services and apps we use in our day-to-day lives.”
For its part, TalkTalk is putting a brave face on it, claiming that customer churn in FY16 is the lowest it has ever been – this despite a report from market watcher Kantar Worldpanel in January that the firm lost 7% of its broadband customers in the fourth quarter.
However, the low churn itself could be symptomatic of TalkTalk’s hardline stance on customers wanting to leave after the October breach.
It would only waive a significant leaving fee if customers could prove money had been stolen from their accounts as a result of the incident – a move widely criticized at the time.
Dan Howdle of comparison site Cable.co.uk argued that customers shouldn’t easily forgive any firm which suffered three major breaches in the space of the year.
“That TalkTalk lost only 3% of its existing customer base, however, points to problems both with the switching process itself and with its public perception,” he added.
"Our own research shows that only around half of UK broadband customers have ever switched provider. The key factors tend to be the financial cost of getting out of your contract, and risk averseness – a feeling of 'better the devil you know'.”