TalkTalk Data Breach transcript

Introduction

This is “What Just Happened?,” the podcast that looks at the biggest brand crises of our time, what they meant for organisational strategy and behaviour, and their lasting impact on our approach to crisis communication.

I’m Kate Hartley. And I’m Tamara Littleton. And together, we’ll delve into what happened, why it mattered, and whether it could happen again.

Episode 

Tamara Littleton: Kate, what crisis are we covering today?

Kate Hartley: So today we’re going to look at, I think, what was one of the most high-profile data breaches in the UK in the last 10 years. It was originally thought to be the work of sophisticated hackers stealing the personal data of 4 million people, but it turned out to be the work of a few teenagers working from their bedrooms. Today, we’re talking about the TalkTalk data breach of 2015.

TL: I remember this one unfolding live, and what was really interesting about it wasn’t just what happened but how it was handled as well, and the impact it had on the CEO.

KH: Absolutely. And we’re going to dig into all that in just a couple of minutes.

TL: So, Kate, what happened in October 2015?

KH: TalkTalk started to have the early signs of a data breach, and an engineer at a small tech consultancy called The AntiSocial Engineer contacted them to say that some of the websites hosted by TalkTalk on the TalkTalk.net domain were infected with malware. These could potentially be used by criminals to trick people into giving away confidential information. So that’s what we know as a social engineering attack.

TL: And did TalkTalk take that threat seriously? Because I can imagine if someone just calls you out of the blue and says you have a vulnerability, you might think, well, that’s a scam.

KH: You definitely would, wouldn’t you? And they didn’t do very much, so that’s probably exactly what they thought. But Richard De Vere, who was the engineer who got in touch with them, said he got really frustrated because he didn’t get a response from TalkTalk. So, he published a blog on it publicly, and as you can imagine, that got the company’s attention. They then decommissioned the TalkTalk.net site. But that wasn’t the main event. The main event was a couple of weeks later, and again, De Vere got in touch with them to say there were some serious vulnerabilities on the TalkTalk site, which meant criminals could steal sensitive information.

TL: I bet they listened that time.

KH: They did, although De Vere did say in a blog post about a year later that they never thanked him for doing that. But that’s another story.

TL: Interesting. Also, if I remember correctly, hadn’t they had some problems before this? This wasn’t actually the first time they’d been hacked.

KH: It was not the first time they’d been hacked. This was not their first rodeo. So, back in August 2015, the website had been taken down by hackers, and there was an internet outage. While that’s not unusual for an internet provider, they also lost their internal VoIP and data system. So, of course, nobody could call Customer Services, for example.

There’d been a similar incident in February that year. Then the previous year, there’d been another breach when criminals got hold of account numbers, customer addresses, and phone numbers. At least two men had thousands of pounds stolen from them in a scam by those criminals, who were contacting them pretending to be from TalkTalk. And The Guardian was told by TalkTalk that more than 3,000 customers had had scam calls from people pretending to be from the company. So that was a year before this main breach that we’re talking about now happened.

TL: So trust from customers was probably pretty low, I imagine.

KH: I think it really must have been. And it’s worth looking into the background of TalkTalk a bit because trust is something, of course, that you build before the crisis happens. You can’t suddenly build it in the middle of the crisis. TalkTalk used to be owned by Carphone Warehouse—do you remember them—which also owned Tiscali, which was an internet provider, if you remember that. It’s going back a while now. But in 2009, it merged those two businesses, and it dropped the Tiscali name. Then in 2010, TalkTalk spun off as a separate company. But there were some problems then. Typically, customers said that their bills had gone up. There’d been some inevitable kind of integration issues and job losses as a result of that merger.

TL: Okay, so let’s go back to the hack, though. What happened after the consultant alerted TalkTalk to the next vulnerability?

KH: So, on 21 October, when De Vere alerted TalkTalk, the website was reported as being down, and customers started complaining that they couldn’t get internet access again.

TL: That’s not great for an internet company that’s already had problems.

KH: You do want your internet companies to provide internet on a regular basis, don’t you? So it really wasn’t good for them. TalkTalk put out a fairly standard holding statement saying they’d taken the website down, but that it wasn’t related to a broadband outage. Then on 22 October, they reported a breach to the Information Commissioner’s Office (the ICO), which is obviously a legal requirement. At that point, they acknowledged it was a hack and a problem, but they still didn’t tell customers.

Two days after the hack, on 23 October, they released another statement saying that TalkTalk had been subjected to what they called a significant and sustained cyberattack on the 21st, that the police had been notified and were investigating, and that they’d also notified the ICO. That statement confirmed that up to 4 million customers could have had their personal details hacked, including names, addresses, dates of birth, credit card details, and bank details.

TL: That is a lot. That’s everything you need to steal someone’s identity, basically.

KH: Yeah, exactly. It is, and I think that would be pretty frightening if you were a TalkTalk customer. You’d be quite angry, I think, as well, if you knew they’d sat on that information for two days.

TL: And I remember the CEO, Dido Harding, going on Newsnight to talk about the breach that same night, before they really knew anything about what had happened. That’s often seen as a key strategy to calm a crisis—you know, get someone in front of the cameras. But what’s your take on how that affected the response?

KH: It’s really interesting because it was Harding’s response that came to define this crisis. I think there was some good stuff that she and TalkTalk did. So, as you said, she got out there right away, in front of the media. She did loads of interviews and got the message out as widely as possible. She didn’t shy away from the problem. TalkTalk offered free credit checks and monitoring to affected customers.

They told people to change their passwords once the service was back, and to report anything suspicious. They had a dedicated section of their website for updates and a phone number for customers to contact. They eventually did contact every customer, albeit not immediately.

But, as we’ve already said, this was their third breach that year, so I think people weren’t really that sympathetic. And the issue with Harding going in front of the media was that she didn’t really know very much and didn’t seem particularly well-versed in cybersecurity. Now, to be fair, we know from simulations that in the early stages of a crisis, you often don’t know what’s happened, so we can’t blame her entirely for that—it’s not a criticism. But I don’t think she handled the security questions brilliantly, and I think that was more of an issue.

So, as we said, her first appearance was on Newsnight. The segment was introduced by basically saying, “No one knows anything, do they?” Harding, paraphrasing here, essentially said, “We don’t know what’s happened, but we’re taking the precaution of contacting all 4 million of our customers.”

TL: Which is the right thing to do, of course.

KH: Of course it is, absolutely. But here’s the kicker: Kirsty Wark, who was presenting Newsnight, asked, “Would it not have been better to tell customers as soon as it started to happen?” And that’s when Harding started to sound a bit defensive. She was clearly trying to put the breach into context, but she came across as defensive and said things like, “Cyberattacks happen all the time.” She explained that they couldn’t know this was any different until the analysis had been done.

Then she made the big admission that “criminals may have accessed customers’ bank details as well as personal details,” which obviously was a huge deal. But when Wark pressed her on why customers weren’t informed earlier, Harding said they didn’t know this was different from a usual denial-of-service attack. She explained that TalkTalk had been experiencing denial-of-service attacks pretty much every week prior to this.

TL: That brings into question why their security wasn’t better, but maybe we can park that and come back to it later.

KH: It’s a big question, isn’t it? And Wark didn’t let it slide. She asked, “How can people trust companies like TalkTalk if this is happening all the time and people’s bank accounts could have been compromised at lunchtime yesterday, but you’re only telling them now?” So, the issue of trust came up very quickly.

TL: Hindsight is a wonderful thing, of course, but I’m not sure I’d have wanted to go on a programme like that straight away. Do you think she could have handled it differently, or perhaps chosen a softer programme to begin those media interviews?

KH: That’s definitely something we should dig into, perhaps with our guests later. You’ve got to be pretty brave to face someone like Kirsty Wark, who’s never going to be a pushover. And I don’t think Newsnight would’ve been my first choice of programme either. It put Harding on the defensive straight away. Other media would have seen that interview, so it set the tone.

She was doing things like trying to keep the breach in context, but that’s really hard to do when you don’t know whose data has been compromised or what data has been compromised. She kept saying, “Other companies experience this all the time,” and, “Cybercrime is a huge issue right now.”

She did a bit better later on. For instance, she went on Channel 5 News in the UK, and in that clip, you can see her apologising for the frustration and worry caused to customers. But from that first Newsnight interview, she faced a lot of accusations. People were saying, “This is completely unacceptable—that someone could breach your systems.”

TL: And she said, as you’ve just mentioned, with the benefit of hindsight, that of course she would have liked to do more.

KH: Yes, absolutely. But the reality is, cybercrime is on the rise, and she was definitely trying to shift the focus away from it being TalkTalk’s problem to it being a broader issue of cybercrime.

However, she made a misstep in a Sunday Times interview where she admitted that TalkTalk customer data wasn’t encrypted but said, “That’s okay because there was no legal requirement to encrypt it.” While that’s legally true—TalkTalk had complied with its legal obligations for storing financial information—it didn’t sit well with the public.

TL: No, that must have come across as tone-deaf, especially in the middle of a crisis like this.

KH: Exactly. It felt like a justification rather than an acknowledgment of responsibility, which made customers feel even less reassured.

TL: When you’re stuck in the detail and you don’t really know all the specifics, that might be true, but it’s not what people want to hear, is it? And I guess there was an opportunity to say something like, “We met our legal obligation, but we’ve now realised that’s not enough, and we’re going to change what we do. We also recommend other companies change what they do to avoid going through what we did.” You know, that kind of rallying call to the industry to make a change.

KH: I think that was a really missed opportunity, actually. And then, of course, all the security experts and commentators started weighing in on the issue. Harding didn’t know enough about security to go into the details of the hack, and you wouldn’t necessarily expect her to as a CEO. But she was asked questions she didn’t know how to answer, and that exposed her lack of knowledge a bit.

There was one particularly bad incident, I think. I did feel for her a bit, but she was giving security advice to customers in an interview. Graham Cluley, a security expert, later criticised what she said—not live but in a separate video. On BBC News, she was asked, “How can people tell if they’re getting an email that’s actually from TalkTalk?” Harding replied, “Our emails have a link in them that clicks through to our help site.” But, of course, anyone can put a link in an email. She also told people to check the header of the email to see if it came from TalkTalk.

Cluley made a video response where he literally put his head in his hands and said, “I’m sorry, but she hasn’t got that right. It’s child’s play to forge a ‘from’ address in an email.” He explained that what people should actually do is go directly to the website themselves. So there were a few things she said under pressure that didn’t really help.

TL: You can imagine these days that would be all over TikTok, with everyone making their own videos about it.

KH: Exactly. Cluley was ahead of his time, really.

TL: Can we go back to why they didn’t tell customers straight away? Is there more information about that?

KH: Yes, it’s interesting. They did tell customers within 24 to 36 hours, which isn’t long, but Harding initially said they didn’t realise they were dealing with a serious hack at first. That’s what she claimed on Newsnight—that as soon as they realised, they informed people.

Later, in interviews, she said she was advised by the Metropolitan Police not to tell people straight away.

TL: There’s often tension between what a company wants to do and what the police want to do. The police want to catch the criminals, and sometimes the best way to do that is to leave them in the system so they can be tracked. But, of course, the company’s priority is to keep its customers safe.

KH: Yes, and even customers want to feel like the company is keeping them safe. That’s a fair point. You must have encountered this kind of tension in your work, Tamara. You did a lot in online safety—was it similar, where the police wanted to keep perpetrators in social media platforms for tracking purposes?

TL: Yes, it’s worth remembering the context back then. The industry was still quite young, and the police were catching up. To be fair to TalkTalk, if the police told them not to act, they probably felt they had to listen.

Just to give some context: back in 2011, my team managed social media for the royal wedding of Prince William and Catherine. There was a bomb threat, which we reported and had to follow due process. I spent 20 minutes on the phone explaining to the Met Police what Twitter was. It wasn’t all neatly organised back then like it is now. Things are much clearer these days.

KH: That’s a fair point. If the police told them not to act, you’d probably comply.

A few days later, TalkTalk released a statement saying it was only their website that had been attacked, not their core systems. They clarified that not as much financial information had been accessed as initially thought, and no passwords had been hacked. That was good news, but by then the media had really focused on Harding and TalkTalk.

There was also some confusion when Harding gave an interview to the Financial Times and mentioned a “sequential attack,” which most laypeople thought implied another attack. What she likely meant was an SQL injection attack—a technique that uses malicious code to exploit a database vulnerability.

TL: And then there was the ransom demand.

KH: Yes, TalkTalk received a ransom demand, which was less common back then but still happened. These days, ransom demands are usually in the millions, but this one was for £80,000 in Bitcoin. It doesn’t seem like much for something of this scale.

TL: Could that have been a clue about who was behind it?

KH: Probably, yes. Within a few days, a 15-year-old boy was arrested in County Antrim, Northern Ireland, followed by a 16-year-old in Feltham, near London.

TL: £80,000 is a fortune if you’re 15 or 16—not so much for a professional hacking gang.

KH: Exactly. There were then three more arrests: another 16-year-old from Norwich, a 20-year-old from Staffordshire, and later an 18-year-old from Llanelli in Wales. They claimed it took only a few hours to hack the database. One of them said you didn’t need any special skills—it would have taken less than an hour to teach anyone with a computer how to do it.

TL: That’s so depressing, isn’t it? And it turned out the breach wasn’t as bad as initially feared—only 157,000 customers were affected. They wouldn’t have lost money directly due to the hack. A relief for customers and TalkTalk, but not great that it caused such a scare.

KH: TalkTalk was reported to have lost about 100,000 customers during this period, and their shares dropped 12% following the hack, though they did recover. They limited customer cancellations by allowing people to leave their contracts only if they could prove financial loss due to the attack, which made people angry. Consumer watchdogs got involved, which didn’t help the trust issue. Profits were halved the year after the attack.

TL: What about the longer-term fallout?

KH: Investigations shifted to whether TalkTalk had done enough to protect itself. At the time, the maximum fine was £500,000, but TalkTalk had an annual turnover of £1.8 billion, so it wasn’t a significant deterrent. Security experts noted this wasn’t a sophisticated attack—it was carried out by teenagers, and TalkTalk should have been able to prevent it.

Harding was called before a select committee, where she apologised to customers for the concern and uncertainty caused—not necessarily for the hack itself, likely on legal advice. She did, however, take accountability, saying she was directly responsible for the company’s security. Despite pressure from the committee, she didn’t shift blame or avoid responsibility, even trying to withhold the name of her security director.

TL: Very admirable. What was the result of the ICO investigation?

KH: That didn’t go so well. The ICO found that TalkTalk had failed to secure the web pages that let the hackers into the database. It also found there had been two previous SQL injection attacks by hackers in 2015, but TalkTalk hadn’t taken action because it didn’t monitor the web pages. Essentially, the ICO concluded that TalkTalk failed to take appropriate measures against what it called the unauthorised or unlawful processing of personal data, which went against the Data Protection Act.

The report said—and this is a direct quote—“For no good reason, TalkTalk appears to have overlooked the need to ensure it had robust measures in place, despite having the financial and staffing resources available.” So, that was a bit of a killer blow. TalkTalk was fined £400,000, which at the time was a record fine. But it actually paid £320,000 because there’s apparently a discount for paying early. So, that’s something!

TL: What about Dido Harding? Let’s talk about her.

KH: She stepped down in May 2017 and claimed it had nothing to do with the cyberattack at all—it was just part of a company restructure. But TalkTalk’s shares were still down 30% from before the attack, so whether her departure was related or not, we’ll never know for sure. She was paid £2.81 million in 2015, the year of the hack, which must have sweetened the whole episode a bit. She also held shares worth just under £7.5 million at the time.

TL: And of course, she is now Baroness Harding and was appointed to lead the COVID track and trace program in the UK in 2020. So, the big question is, around this whole crisis, what changed? Could this happen again?

KH: Well, it did happen again to TalkTalk in 2017. Nearly two years after the infamous hack, TalkTalk was fined another £100,000 by the ICO for putting the data of 21,000 customers at risk. This was a completely separate issue: former employees at an offshore IT firm were able to access customer data through an online portal and use it to view customer records. As a result, several customers reported receiving scam calls from people pretending to be from TalkTalk.

TL: This is the thing, isn’t it? After a major breach, scammers tend to jump on the bandwagon, especially if they know security wasn’t up to scratch.

KH: Exactly. And TalkTalk didn’t help matters much. In 2019, a BBC Watchdog investigation found that the data of another 4,500 customers from the original 2015 attack was still accessible through a Google search. Those customers had been wrongly told they weren’t affected by the hack when, in fact, they were.

TL: What would be the impact on a company if something like this happened now?

KH: There was a great article in The Register about two years after the hack, estimating that if TalkTalk had been fined under GDPR regulations—which weren’t in place at the time—the fines could have been in the region of £59 million. That’s a far cry from the £400,000 fine they actually received. The regulatory landscape and deterrents for poor security have completely changed since then.

TL: I still can’t get over the idea of those teenagers doing TikTok videos about how to do it. But the big lesson here isn’t just about security—it’s also about communications. Should you always lead with the CEO? If the CEO doesn’t know everything about the subject, when should they step aside? And when should someone else take the lead?

We’ll be discussing this with our guest after a short break.

BREAK

TL: We’re delighted to be joined by Catherine Colloms. Catherine is a seasoned crisis specialist who has worked both brand and agency side, including many years at the Foreign and Commonwealth Office, specialising in post-conflict strategy and communications. Catherine is also a member of the newly launched Global Crisis Council for Clarity, a strategic communications and digital marketing agency, which is also a B Corp. So, welcome, Catherine.

Catherine Colloms: Lovely to be here. Thank you.

TL: Catherine, I’m going to jump right in with the questions. One of the biggest ones Kate and I had from the TalkTalk case study is: should the CEO always be media-facing in a crisis? And what if they don’t have the specialist knowledge?

CC: The simple answer is yes, in most circumstances—especially in a case like this, where the crisis could potentially affect the majority of TalkTalk’s customers and have major reputational and regulatory impacts. The expectation is that it has to be the CEO. They’re ultimately responsible for the company, and they need to show they’re taking the situation seriously and have control.

As you mentioned earlier, I think TalkTalk got some things right, and this was definitely one of them. I believe their initial instincts were correct: to field the CEO and be transparent. I think this approach came from Dido herself—she clearly wanted to communicate. She came across as genuine, humble, and empathetic in her interviews. So, she was right to step forward and face the crisis head-on.

TL: When, then, should the CEO step aside and let someone else with more detailed knowledge take over?

CC: The challenge is that a CEO won’t necessarily have specialist knowledge—they’re not expected to. If that’s the case, I’d say two things. First, the CEO doesn’t have to be the sole spokesperson. They don’t have to be the only person communicating with the media or stakeholders. Second, it’s crucial to manage the CEO’s appearances carefully.

You shouldn’t put the CEO in a position where they’re dragged into technical details. It’s possible to deploy a dual-person strategy in crises. I’ve worked on large-scale crises where we had two spokespeople or a broader communications team. In this setup, the CEO addresses the big picture: they’re the face of empathy, engagement with customers, and demonstrating responsibility. Meanwhile, an expert handles the technical details, explaining what’s being done to resolve the issue.

But this assumes you have an expert who’s senior enough and experienced enough to handle the media.

KH: That’s a great analogy, actually, and it reminds me of the COVID briefings. The Prime Minister would introduce the topic, setting the tone, and then the medical or scientific experts would explain the technical details.

TL: Exactly! Which leads to our next question: how well-versed in security details should a CEO be? Harding was criticised for lacking detailed knowledge. So how much detail should they know? And when is it okay to say, “I don’t know—you’ll need to speak to someone else”?

CC: Look, the rule of thumb is, if you’re going in front of the media, you need to know your stuff—especially if this is the crisis you’re dealing with, and it’s the subject of discussion. You need to know enough. But that doesn’t mean you have to be an expert or be expected to be an expert in every case.

The challenge—and this was definitely the challenge for TalkTalk as the crisis played out in the media—is that you can’t control the media. You can’t control what they’re going to ask. So all you can control is the when and how—decisions about when you’re going to communicate and how you’re going to communicate. Those decisions come back fundamentally to what. What do you know? What are you communicating?

If you look at the history leading up to this particular data breach, it’s clear that TalkTalk started on the back foot. They had a history of security incidents, and I think it’s pretty clear—based on some of the investigations they did themselves and talked about afterwards—that they didn’t have a good enough grip on security at the time.

Knowing that, I feel they definitely should not have been fielding Dido Harding in interviews to answer in-depth security questions. They should have kept it to clear statements and communications they could control—on their website or via emails to customers. They could have split out the CEO’s role of taking responsibility and fronting the crisis from the actual technical details.

But back to what happened: once you start down a certain road, it’s very hard to pull back. They started with Newsnight, which set a precedent for high-profile interviews, and after that, it became very hard to say no. They doubled down and kept doing them.

When you’re in high-profile situations like that, and you’re questioned extensively by the media, the instinct—especially if you’re trying to be honest and transparent—is to talk. As a result, you can either misspeak or reveal details you don’t intend, which is exactly what happened in this case.

TL: That’s so interesting. And, well, this is quite a hard question to ask and possibly a hard one to answer, but do you think the attack was worse because she’s a woman?

CC: I think it’s a really interesting question. To what extent was there an element of misogyny in the way she was treated? Look, the facts are: she was a woman running a tech company during a security breach, and the commentary at the time largely came from male security experts.

It’s also worth noting that the board was predominantly male. Dido and Tristia, who ran the consumer division and later became CEO after Dido left, were the only women on the board. There wasn’t a great deal of diversity within the company at that stage.

So, I think there may have been an undercurrent of misogyny, but Dido was a highly respected CEO, particularly in the sector. She generally came across very well in media and had a strong track record of stakeholder engagement. I think the handling of the crisis—starting with Newsnight and the communication strategy that followed—had a bigger impact on how the crisis was perceived than the fact that she was a woman.

KH: That’s so interesting because there were a lot of social media attacks as well, weren’t there? Tamara, I don’t know if you remember this, but there was that meme of her sitting in front of an old computer with a huge monitor, and people saying, “If this is the kind of technology they’re using, no wonder they had a breach.” Of course, the picture had been taken maybe 20 years earlier. It was just deeply unfair. And I do wonder if those kinds of attacks would have happened if she had been a man.

TL: Trolling was as brutal back then as it is now.

KH: Absolutely. But Catherine, I want to pick up on something you said earlier about her taking responsibility. You mentioned that the CEO should always do that, and she really did in front of the Select Committee. She was very reluctant to name her head of security—almost to a fault. She was pressed repeatedly on who was responsible for the day-to-day security of the organisation, and she eventually had to name that person. There’s a lot to admire in her trying to take responsibility, but was she right to do that? Should she have said it wasn’t solely her responsibility and also involved others within the business?

CC: I think she was right. Ultimately, as the CEO of a company, you are responsible for the organisation, the people in it, the culture, and how it operates. But you’re not solely responsible.

Where she was also correct, in my opinion, was in highlighting that the responsibility lies with the board as well. The board, which includes more than just the CEO, has a duty to ensure the right internal controls and risk management framework are in place.

There’s definitely a culture and scrutiny issue here. If you look at the history of security incidents, it’s clear there wasn’t enough board-level oversight of risk. For example, in their 2015 annual report—before the breach—there were only three mentions of cybersecurity, all within a very short section on principal risks. After the breach, in their 2016 annual report, there were 66 mentions of cybersecurity.

Before the breach, there were no mentions of cybersecurity in the chairman’s statement, the CEO’s statement, or the external audit comments. There wasn’t a board committee focused exclusively on security or risk. So, I think it’s fair to say there wasn’t enough board scrutiny, and that’s a collective responsibility. Ultimately, though, the buck stops with the board.

KH: That’s fascinating—I didn’t know that. It also explains something I noticed in the Select Committee interview. When asked if cybersecurity was a regular agenda item at board meetings, Dido stumbled a little. I imagine a lot of boards started putting cybersecurity on their agendas after this breach.

CC: Absolutely. In hindsight, it feels remiss, especially given the nature of the company and the level of customer data it handled. What makes it worse is the history of incidents leading up to this breach. Even without the seriousness of the 2015 breach, you would have expected the board to be scrutinising these issues more closely and prioritising them in earlier reports, not just after the fact.

TL: I’d love to jump back to Newsnight, if that’s all right. The first media interview sets the tone for how a spokesperson responds. Was Newsnight the right choice? How would you advise a client to deal with the media after something like this?

CC: Newsnight is not an easy first gig under any circumstances.

KH: Especially with Kirsty Wark!

CC: Exactly. You need a very brave, seasoned CEO who is also very well media-trained. To be fair, I think Dido was all of those things. But Newsnight wouldn’t have been my first choice.

There was immense pressure on them at the time, and it’s easy to say in hindsight that TalkTalk overreacted. Now we know it was a couple of teenagers in their bedrooms and only a small number of customers were affected. But they didn’t know that at the time. They wanted to do the right thing and warn customers quickly, but they were criticised for waiting 36 hours.

That said, it comes back to the what. How you communicate and in what format needs to be based on what you know. At that stage, TalkTalk didn’t know much, and going on Newsnight to say, “We don’t know anything, but this could be serious,” wasn’t the best approach.

By doing so many high-profile interviews, TalkTalk—and Dido herself—became the story, rather than the breach. She revealed details she didn’t intend, like about emails or encryption, and got some things wrong about the breaches. It kept the story alive.

I wouldn’t have chosen Newsnight. I applaud the sentiment behind acting quickly, but with so little information, a more controlled approach—holding statements and updates as details emerged—would have been better.

Going out too hard in such a public way, I think, as you say, effectively set the tone for the crisis.

Outro

You’ve been listening to “What Just Happened?” with Kate Hartley and Tamara Littleton. If you enjoyed the podcast, please subscribe, rate, and review.