TalkTalk’s cyberattack piles on the pressure on financial targets

LONDON — Burdened with a poor reputation for customer service, facing increasingly fierce competition and under pressure to hit challenging financial targets, the cyberattack at TalkTalk could not have come at a worse time for the British telecom firm.

Chief Executive Dido Harding shocked customers last week when she said that the broadband, TV, mobile and fixed-line telephony services company had been hacked, potentially putting the private details of its 4 million customers into the hands of criminals.

The company has since said the attack was not as serious as first feared, with only some customers affected and the data not of the sort that would enable criminals to steal money.

But analysts say the cyberattack is likely to damage the firm’s reputation and require heavy spending to repair it.

“TalkTalk doesn’t go into this in the rudest of financial health, by any means,” Arete analyst Steve Malcolm told Reuters.

The hack is likely to compound what was already growing troubles at the firm, founded 12 years ago to target the budget market as a wholesale fixed line phone services subsidiary of mobile phone retailer Carphone Warehouse and demerged in 2010 after a series of acquisitions.

Two years later it launched TalkTalk Mobile as a virtual operator and also moved into pay-TV to better compete with BT, Sky and Virgin Media but has had to increase prices along with the rest of the market as the so-called “quad-play” market develops.

In a bid to reassure investors that it can continue to compete it has also set itself two challenging targets to be achieved by the full-year 2017 — improving its core earnings margin to 25 per cent from the 13.6 per cent it recorded in the last financial year ended March 2015 and growing its annual revenues on a compound basis by 5 per cent.

The market was already sceptical about the earnings target, with analysts’ consensus forecast for earnings at about £402 million for the 2017 financial year, well below the around £475 million the margin target would imply.

“One of the ways they needed to hit their targets was with lower churn numbers, higher customer additions and lower costs, so this probably pushes out their forecasts by a year or 18 months,” said Matthew Brennan, senior fund manager at Brown Shipley, which holds around 0.5 per cent of TalkTalk’s stock.

James Barford at Enders Analysis said TalkTalk would suffer reputational damage, which could hamper planned cost cuts,

“Given they were in a process of taking costs out of their operations, that would be interrupted at the least by what has gone on in the last few days,” he said.

If customers decided to look around for alternatives, they might discover that the gap between TalkTalk’s prices and those of its bigger rivals had narrowed, particularly with offers such as a year’s free broadband with line rental of £17.40 a month on offer from Sky.

Customers might be willing to accept poorer customer service and a perception of lower security standards if there was a big discount, but they would be less forgiving if the difference was marginal, one analyst said.

Meanwhile TalkTalk has made some improvements to its customer service but is still ranked behind its big fixed-line rivals, according to the regulator. While it has paused its marketing effort following the cyberattack it is likely to have to increase its spending in future to rebuild its brand.

Analysts said they did not have enough information to judge whether TalkTalk was at fault for the attack, but they did note that this was the firm’s third such breach this year.

UK data protection watchdog The Information Commissioner’s Office, which examines whether a company has properly protected personal data, said it was aware of the incident and was liaising with the police.

Two years ago the ICO fined Sony £250,000 after its PlayStation Network Platform was hacked in 2011, compromising the personal data of millions of its users. The maximum fine the ICO can impose is £500,000.

Released on bail

A 15-year-old boy arrested in Northern Ireland in connection with a huge cyberattack on telecoms company TalkTalk has been released on bail, police said on Tuesday.

The boy, who has not been publicly named, was arrested on Monday in connection with last week’s attack. It was one of the biggest in Britain and may have led to the theft of personal data from among the firm’s more than 4 million customers.

Police arrested the boy on the suspicion of Computer Misuse Act offences and searched his home — a small terraced property on a housing estate where the curtains were drawn on Tuesday morning, according to a Reuters photographer.

“A 15-year-old youth, arrested in County Antrim yesterday as part of the investigation into the alleged theft of data from the firm TalkTalk, has been released on bail pending further enquiries,” Northern Ireland police said in a statement.

News of the arrest, plus a hardline approach taken by the firm to customers wanting to leave their contracts without paying a penalty, helped shares in TalkTalk rebound from a sharp fall in the wake of the attack.

The company told customers they would have to pay to leave their contracts early unless they could show money had been stolen as a direct result of the hack.

The company has said that credit and debit card numbers were protected, and any bank account details that were stolen were not sufficient for criminals to access accounts.

“In the unlikely event that money is stolen from a customer’s bank account as a direct result of the cyber attack [rather than as a result of any other information given out by a customer] then as a gesture of goodwill, on a case-by-case basis, we will waive termination fees,” it said late on Monday.

The move upset many TalkTalk customers, who complained on forums on the company’s website, but will relieve investors worried that the group would face an exodus of customers if it waived charges.

The attack, which experts said seemed to use well-established and unsophisticated hacking techniques, will, however, prompt questions as to how strong the firm’s security was, especially as it was the third such incident to hit the firm this year.

Experts believe the website was hacked into via a SQL injection technique, which typically inserts malicious code into an entry field of a Web form in order to seize control of the database underpinning the site.

A Distributed Denial of Service (DDoS) attack, in which thousands of infected computers are targeted at a particular computer or website, could have also played a role, but mainly as a means of distracting the company’s security personnel.

“DDoS and SQL injection attacks are relatively unsophisticated,” said Graham Cluley, UK security expert, adding that they were relatively simple to pull off.