TalkTalk’s ex-CEO Dido Harding heads up the UK’s Coronavirus tracing app…

Let’s hope privacy promises aren’t all talk talk…

Graham Cluley
@gcluley

Imagine you’re the UK Government in the middle of the biggest crisis the country has faced since World War II.

Imagine that more than 30,000 people in the UK have died after testing positive for coronavirus – the only nation outranking the UK in its death toll is the United States, which has a much, much larger population.

Imagine that over half the population believes that you, the UK government, took too long – compared to our European neighbours – to impose a lockdown.

Imagine that you have decided, like other countries, to develop a smartphone app that might help quickly trace recent contacts of anyone with the coronavirus. But, unlike many other countries, you are trialling a “centralised” model app, which requires potentially sensitive data to be stored on a central computer server, rather than the alternative “decentralised” model proposed by Apple and Google, where the information stays on people’s handsets.

Obviously, calming people’s understandable privacy and security concerns about such an app is going to be an important factor in increasing the chances that a decent proportion of the public will download it.


So, who does the UK government appoint to head up the NHS COVID-19 tracing app?

None other than Baroness Harding of Winscombe. Perhaps better known to you and me as Dido Harding, the former CEO of TalkTalk.

Dido Harding, you may recall, was for a couple of weeks in 2015 a regular fixture on UK news reports as she attempted to answer technical questions about the “sequential attack” against TalkTalk, and struggled to clarify what customer data had been exposed, and whether or not it had been encrypted.

I got the distinct impression that she didn’t know what she was talking about…

It turned out that the people responsible for the TalkTalk hack were teenagers who had used a rudimentary SQL injection attack to steal customer details.

In my view, TalkTalk acted pretty badly before the hack (there had been a string of other data breaches involving the firm in the previous 12 months) and atrociously to defrauded customers who attempted to quit their contracts with the firm.

Astonishingly, Dido Harding tried to claim that TalkTalk’s security was “head and shoulders” better than the company’s rivals.

TalkTalk’s security failings were investigated by the ICO, and the firm was hit with a record fine.

The ICO’s specialist technical team supported the enforcement team and found TalkTalk had failed to remove, or otherwise make secure, the webpages that enabled the attackers to access the underlying database. The investigation also highlighted that the database software in use was outdated. It was affected by a bug for which a fix had been made available over three-and-a-half years before the cyber attack but which had not been applied. The bug enabled the attackers to bypass access restrictions that were in place on the database. TalkTalk also failed to undertake appropriate proactive monitoring activities to discover vulnerabilities.

The UK parliament later released its own report into what happened, including testimony from Dido Harding that is well worth a read, or you can watch what happened here.

So why has the UK government chosen Dido Harding to lead the project?

Why indeed.

The cynic in me wonders if they believe that should a cock-up occur, what better fall guy would there be than Dido Harding to take the blame?

Health Secretary Matt Hancock says he can’t think of anyone better than Dido Harding to lead the project.

Imagine that.

Further reading: Info on NHS Coronavirus app leaks out via Google Drive snafu



Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
