Shares in embattled UK broadband operator TalkTalk fell sharply again Monday morning despite the company's efforts to quell concern about the cyber attack it suffered late last week. (See Eurobites: TalkTalk Rocked by Cyber Attack.)
A number of TalkTalk customers complained their bank accounts had been accessed and funds withdrawn after the operator revealed it had been hit by a massive DDoS attack on October 22.
Hackers appear to have stolen customer data that included details of bank accounts, email addresses and dates of birth, with reports suggesting the UK's fourth-biggest broadband operator had neglected to encrypt this information.
In a statement issued Saturday morning, TalkTalk, which has more than 4.2 million fixed line customers across the UK, tried to downplay fears, insisting the attack had targeted its website rather than its "core systems" and that hackers would not have been able to access credit card details.
"We now expect the amount of financial information that may have been accessed to be materially lower than initially believed and would on its own not enable a criminal to take money from your account," said the company.
Nevertheless, the operator's share price had tumbled by around 9% on the London Stock Exchange at 11.00 a.m. as investors assessed the ramifications of the attack.
The operator's share price had dropped sharply on Friday morning following initial reports of the cyber attack, but it managed to stage a partial recovery later in the day.
The emerging view seems to be that TalkTalk did not take security issues seriously enough or that its low-cost operating model led to under-investment in vital areas.
Confidence in CEO Dido Harding will also have fallen after she was reported to have said she did not know whether or not TalkTalk had encrypted its customers' bank details.
One question is whether TalkTalk's troubles trigger more widespread concern about industry shortcomings in the security space.
Patrick Donegan, chief analyst with Heavy Reading , says the telecom industry is generally perceived to be doing a better job on security than other sectors, while noting there are evidently stragglers.
"Surveys from Cisco and others have consistently shown that telcos and ISPs tend to have better security protections in place than other vertical industry sectors," he says. "If an example were needed that this doesn't apply universally within the telco sector and that there are no grounds for complacency, this is certainly it."
"The fact that the CEO doesn't even seem to know whether or not the customer bank records were encrypted is pretty poor," adds Donegan.
One problem for TalkTalk is that its low-cost model is inviting suggestions the operator may have been prepared to cut corners to protect margins.
TalkTalk has undoubtedly come under renewed pressure from BT in the era of high-speed fiber broadband services, complaining the incumbent's position as infrastructure owner and retail rival allows it to squeeze TalkTalk and other broadband players on pricing.
Harding is one of a number of telecom industry executives calling for tougher regulation of BT. But in trumpeting her competition concerns so loudly, and attracting closer scrutiny of TalkTalk's operating model, she may have inadvertently made the present nightmare even worse.
— Iain Morris, , News Editor, Light Reading