Ep. 04: A Nasty Data Dilemma

Season 01

Episode 01

Guest

Richard Knowlton

Author

Federica Manzitti

Language

English

Duration

15:09

Credits

Federica Manzitti (author)
Cristiano Cervoni (sound design)
Georgia Walker (narrator)
Bertrand Chaumeton (music)

Richard Knowlton

In this eye-opening podcast episode, Richard Knowlton recounts a true story from the early 2000s, where a prominent telecom company, referred to as “Phonia,” found itself in a cybersecurity nightmare. As Phonia merged with a local rival, internal turmoil and a lack of focus on security led to a shocking breach of customer data. The tale unfolds with lessons on the importance of cybersecurity, crisis management, and building a culture of security within organizations. With legal and regulatory consequences looming, this cautionary tale serves as a stark reminder of the far-reaching consequences of neglecting cybersecurity in the digital age.

So, these things always happen on a Saturday, don’t they? The main local newspaper contacted the Phonia PR department because they were about to publish a story. The police were involved because of the implications for crime. The security services were worried because, as they saw it, there were implications for espionage. Unfortunately, security has a nasty habit, if you don’t look after it, of coming back and biting you.

Narrator

Many organizations still struggle to understand and manage cyber risk. They tend to see it as a purely technical problem to be left to IT specialists. Richard Knowlton knows this very well. It is one of the many challenges of his job. With his deep experience of security risk management in governments, multinational organizations, and in international business, he has solved hundreds of cases in which cultural attitudes towards cyber security matters played an important part.

The story he is telling to Segreta occurred some years ago to a huge phone company that he wants to keep anonymous.

Richard Knowlton

In the early 2000s, telephone companies really had a license to print money. They attracted the best and the sharpest of marketeers, salesmen and accountants. And the common business model was that a telephone company ran on a strict matrix principle with lots of local CEOs and executive committees who had full responsibility and independence from any sort of group control. So, at that time, and this is the time when the story took place, there was a combination of a kind of buccaneering culture and an unwillingness to take any guidance from outside. That certainly didn’t make life easy for people trying to run security at the time.

Narrator

This is a true story. The story of a scandal that involved millions of customers and also rose to a national security affair. It all started big, with a massive undertaking.

Richard Knowlton

I’m not using any names, obviously, so as not to embarrass anybody. And also, it’s a story from some years ago, so it’s not actually current. So, the story started when this company, which I’m calling Phonia, and a local rival telecoms company decided to form a joint venture.

Narrator

They wanted to compete against the market leader in their sector. And with the best will in the world, mergers take up a huge amount of executive time and attention.

Richard Knowlton

And in fact, it’s important to say that the Phonia Chief Executive Officer’s first announcement was that his first priority was around people and getting the organization and the organizational structure sorted out. So, in other words, the business from the beginning, this new joint business, was focusing on internal matters and not client issues. Also, and this is important later in the story, there was quite a degree of low staff morale.

Narrator

There had been a high turnover of staff, especially in the shops, which are the key to the story Richard Knowlton is telling us.

Richard Knowlton

The Phonia local customer database was, of course, accessible from inside the corporate network, but it was also accessible from the Internet so that it could be used from the Phonia retail outlets, mainly a chain of shops. But the passwords which gave access to the customer database were only changed every three months, and there was very poor morale in the shops. So in other words, you had a situation where staff were changing regularly. Some people only stayed a few days and then moved on, and they had access to passwords to the most sensitive database in the company in a situation where the password was not changed at all regularly.

There were major concerns in the Security Department about the insecurity of the customer database, which in telephone companies we really could regard as the crown jewels of the company, because it contains all the personal details of clients, their credit cards, plus records of all of their calls, which is, of course, incredibly sensitive. And the company at that time of the integration was also experiencing high levels of fraud.

Narrator

The security director was regularly reporting the problems he saw to the company’s audit committee and was drawing up detailed, costed proposals for addressing the security issues, which he was seeing with his own eyes.

Richard Knowlton

And the problems began at this point, I think because the focus of the company simply wasn’t on those issues, it was on the ones that I described at the beginning. So the audit committee said, okay, we understand what you’re saying, but we’ve got other priorities. And unfortunately, when you work in corporate security, that’s not an uncommon attitude. The problem with security is it costs money, it complicates things and it slows things down, seen from a business point of view. And there were also, frankly, some structural issues on the security side as well. The security function was quite low down in the management chain. It didn’t have direct access to the CEO or to the executive committee, and it certainly wasn’t assertive enough, and I think that was probably a cultural issue to do with the background of the people who work in security. And not surprisingly, as a result of all of this, of the lack of attention and the lack of priority that was being given to them, the security team was feeling pretty demotivated.

Narrator

Sometimes the attention of the media can be unwelcome and create problems for a business, but there are also times when the media shines a light and helps both the public and businesses.

Richard Knowlton

So, these things always happen on a Saturday, don’t they? But very early on a Saturday morning the main local newspaper contacted the Phonia PR department because they were about to publish a story about the lack of customer data security in the new Phonia, and they wanted a comment from the company, very classic. And in this situation, what had happened was that a well-known local investigative journalist had got a tip about these weaknesses from a disaffected temporary employee of Phonia. So, this investigative journalist was able to sit in a cafe and she’d been able to download customer data, including her own and that of her partner, who, and this was a nice twist in the story, happened to be the local police chief. So, there was a perfect media storm, as you could imagine.

Narrator

All this brought a swift reaction from a number of different authorities.

Richard Knowlton

The police were involved because of the implications for crime and particularly for fraud, of being able to get easy access to this database. The security services were worried because, as they saw it, there were implications for espionage if there were hostile state actors who could easily access these databases. There was a legal risk because of the possibility of large-scale transactions, and not least there were regulatory issues involved because there was a breach of the license obligation on Phonia to ensure the security of this customer’s data. There were fundamental privacy issues. In other words, not least for political reasons, because as you could imagine this also caused a huge political storm in the company, given that the two companies had recently merged into one.

Narrator

They were trying to integrate two companies, which is always complicated, but here they were actually running fairly different systems, and the service to clients declined rapidly in every sense, as we can hear in the satirical TV Live On Stage.

Richard Knowlton

I have some sympathy for the CEO of the company and his top executives. They were taking on something which was already an enormous undertaking. And you can say, okay, it’s understandable that they weren’t paying attention to security. But unfortunately, security has a nasty habit, if you don’t look after it, of coming back and biting you. And this is a classic case of what happened.

Narrator

Not so pleasant to be in the middle of this storm of attention. How to fix it all?

Richard Knowlton

Well, in the end fixing the problems, and this was the irony, wasn’t actually very difficult. Some of the background problems were more difficult. The immediate thing of ensuring proper password security, so that not just every shop had one password for perhaps ten employees, but each individual had a password of his or her own, was a fairly easy thing to fix. But in the longer term, the problems, of course, that had to be faced were: how do we manage this sort of situation in the future? The company, even when it was two separate companies, had absolutely no experience of running crisis management exercises regularly, just so that they could think about what their priorities would be in this sort of situation. But of course it needed an enterprise-wide response, because you can imagine all of the departments that were involved in trying to manage this. There was HR; there was internal communications trying to reassure staff about what’s happening, messaging among your own people; there was the external communications piece managing the press storm that was going on in the background; and the legal department was involved in regulatory issues, but also potentially with litigation. And of course the poor marketeers in the company were trying to sell services to a public who were very, very skeptical about them. So, to me one of the fundamental lessons of this was the essential need for a proper, coordinated and also regularly practiced crisis management plan that involves all these different parts of the business.

Narrator

The human skills aspect impacts upon various components of this story. Why were workers dissatisfied with the company? What could they be doing better to make the security department work closely with their management and be listened to?

Richard Knowlton

Getting face time with top management is something which is not taken seriously enough in security traditionally. From one side, from the executive side, as I said before, security is seen as something that adds complication, cost and unnecessary time. And so developing that personal relationship with the people at the top of the company is absolutely fundamental for a security manager. And there I think I was able to give some tips based on my experience.

Narrator

A big, big problem with – all considered – small consequences. Could something like this happen again?

Richard Knowlton

I would like to think no. I think with the advent in Europe, but also more widely of legislation like GDPR, for example, people are now much, much more aware of customer security issues, customer privacy issues.

Narrator

GDPR – the General Data Protection Regulation – is a 2016 European Union regulation governing data protection and privacy. With it the European Commission aimed to strengthen the protection of personal data, giving control of it back to citizens.

Richard Knowlton

But again, if security is not integral to the business and working closely with top management, there is always a risk that it could happen again. Well, in this particular issue the company was already losing market share heavily. I think in the course of one year, in a public annual survey, it went from being the 35th company to being the 60th company in terms of customer trust, which is a huge hit for any company. So reputation is absolutely fundamental. If you don’t look after your customers and if your customers don’t trust you, then you don’t have much future as a business, in my view.

Narrator

All ended well in this story. Nothing really serious happened to customers’ data; no one was blackmailed; there were no espionage cases, no external attacks on the country. But the lesson it leaves behind is a big one. Never underestimate the importance of cyber security. If neglected, it has a nasty habit of gaining attention with a bite.

Segreta is a podcast by 36Brains. You can listen to it on all major platforms.

36Brains is a corporate intelligence and forensic investigations company, and Segreta is its narrative podcast. Each episode tells the story of a case in which the use of technology, interpersonal skills, and cutting-edge investigative techniques uncovered a financial crime. The cases illustrate some of the techniques that 36Brains deploys. A potent fusion of innovative technology and a cadre of brilliant, young intellects.

This podcast was written and edited by Federica Manzitti; the sound designer was Cristiano Cervoni; the voice of the narrator was Georgia Walker; the music was by Bertrand Chaumeton.

A special thanks to Richard Knowlton who, among other board and advisory positions, is Director of the Cambridge Cyber Centre, and an Associate Director of Strategia Worldwide.

In the next episode we will hear the story of a young ambitious manager: a story of manipulation, of telephones ringing, and celebrations quickly turning to despair.
