How TalkTalk boss Dido Harding handled its big cyber attack

The MT Interview: The telco CEO speaks frankly about last year's data breach and its costly aftermath. Now, she's keen to get back to her day job - keeping mega-rival BT honest.

by Andrew Saunders
Last Updated: 11 Oct 2016

Photography by Julian Dodd

Like the competitive landscape in which her business operates, the view out of Dido Harding's glass-walled west London office is dominated by a looming presence.

'Know your enemy,' says the TalkTalk CEO, glancing at the jutting obelisk of the BT Tower a couple of miles away, the tallest building on the otherwise low-rise horizon, looking east from the unlovely Shepherd's Bush/Ladbroke Grove borders towards the centre of town.

The symbolism is almost too good to be true - BT is the incumbent dragon at which scrappy upstart telco TalkTalk tilts its lance, vigorously and often. To others the vista might grate, but like the Second World War general she says she wanted to be when she was a kid, Harding likes nothing more than to keep her opponents in plain sight.

With its megabucks splurging on TV rights on the one hand and much-pilloried broadband speeds and service on the other, BT certainly provides a generous underbelly to jab at.

But her latest gripe is as much with the industry regulator as with the FTSE 100 telco itself. Specifically Ofcom's decision to stop short of demerging BT's Openreach broadband business in favour of making it a 'legally separate' entity instead.

'I think there's a real danger that Ofcom is fudging it. It has opted for more regulation rather than going for what would have been a much clearer and simpler world in which Openreach would have been completely separate.

'We're still trying to understand what "legally separate" means. Is it going to be all the same people? Will it be any clearer how much money Openreach makes, and how much of that they invest in broadband and how much they simply hand over to BT to spend on buying football rights?'

Ouch. In a world where the medium and the media are increasingly converging, BT has its own competitive worries - that's why it's buying content like a Premier League manager buys players in the transfer season, but it's at the expense, say critics, of keeping the nation's broadband network fit for purpose.

The unflattering comparisons with Ukraine and Azerbaijan, both nations with more full-fat fibre to the premises connectivity (FTTP), are well known. (By contrast BT's chosen superfast technology is fibre to the cabinet, a semi-skimmed hybrid using fibre optic cables to the BT box at the end of the street, but existing copper wires for the last stretch to the doorstep. Cheaper to install, but neither as fast nor as future proof as fibre all the way.)

Indeed so vocal have Harding and her oppos at Sky and Virgin become on the need to 'Fix Britain's Internet' that the impeccably coiffed and usually genial BT CEO Gavin Patterson has been stung to write to all three complaining of 'Orwellian' tactics, misleading statements and accusing them of 'talking down' Britain.

Justified or otherwise, his intervention is likely to be taken more as a sign that BT is losing ground in the argument than anything else (indeed one of BT's own brokers, JP Morgan Cazenove, has just downgraded its shares to a neutral rating). Besides, says Harding, where is the customer in all this jockeying for position?

'If Openreach were separate, the competitive and moral pressure on it to invest in fibre would be immense. But until you create that distinction, the completely rational incentive for BT is to take the profits from Openreach and use them to compete in its other divisions.'

But even if it is being used as a cash cow, wouldn't splitting Openreach off just be too complicated? 'It's weird that the regulators have convinced themselves that demerging a company is so difficult when BT itself split in half when it sold off O2 (and indeed is in the middle of the £12.5bn union with EE right now).

'I run a demerged company, companies merge and demerge all the time. If BT were given no other option, I think they would find it relatively easy to do.'

It's classic David v Goliath stuff and she does it very well, with all the conviction that an energetic free marketeer can muster for a former state monopolist. Of course, BT bashing has been a national sport in the UK since the days of Busby and vandalised phone boxes, and it certainly makes a handy smokescreen for diverting attention from TalkTalk's own troubles. Not least one of the highest profile and most costly data losses ever suffered by a UK plc.

Just in case it's slipped your mind among all the Brexit hoopla, on Thursday 22 October 2015, the company took the unprecedented step of warning every one of its 4 million customers that their personal data may have been compromised as the result of a 'significant and sustained' cyberattack.

It quickly became apparent that neither Harding nor her fellow board members knew anything like as much as they should have about the state of their data security - not only did they not know exactly what or how much data had been lost, or who had taken it, but there was even confusion over such basic questions as whether the lost details were encrypted.

She is frank, if not entirely contrite, about their failings. 'We thought we were taking it seriously, outside experts were telling us we were taking it seriously. Patently we weren't taking it anything like seriously enough. One thing I think I know more keenly than any other British CEO is that every single one of us is underestimating the importance of cybersecurity.'

The cost of those mistakes has been high - as much as £60m and as many as 100,000 lost customers (many of whom jumped ship to BT). Profits for 2015 halved to £14m and shares lost nearly two-thirds of their value. The bid rumours that used to hang around TalkTalk back in the day are making an unwelcome return.

The attack was, she admits, a nasty surprise. 'I am a physical retailer by trade - if your shop is burgled you don't immediately think, "Is it North Korea? Is it the Mafia?" But with cyber you don't know initially whether you're dealing with a state actor, as they call them, a small-time criminal, an insider. I was thinking - none of my training has prepared me for this, I haven't got the pattern recognition to deal with it. You open up all these possibilities and you really feel like you are living in an episode of Spooks.'

All of which makes her decision to go very public, very quickly look straight out of the chapter in the crisis management handbook that no one wants to find themselves reading - the one headed 'Career suicide'.

Hear more from Dido Harding about life at the helm of a top telco at MT's Inspiring Women In Business conference

The advice of comms professionals in these situations is to stall and wait until you can be more certain - don't offer a hostage to fortune by admitting that you're in the dark too. Nevertheless, there she was on BBC Radio 4's Today programme the morning after the announcement, facing a John Humphrys grilling equipped only with answers that amounted to 'I don't know'.

Why did she do it? 'It wasn't a comfortable thing to do, but I am not paid to do comfortable things. We went into it knowing that customers would expect to be informed, and it rapidly became clear to me that it could take the experts some time to establish what had actually happened. We had to go public quickly.'

Harding faced a storm of ferocious criticism as a result, including demands for her resignation. She's even been called 'ignorant' and 'naive', surely the worst of insults for a chief exec who earned her spurs in the rough and tumble retail world where nous is highly prized.

'You have to have a thick skin if you think what you are doing is right,' she shrugs. 'If being open and honest with my customers is naive then it's fine with me. CEOs who hide behind that all-seeing, all-knowing veneer are playing a game anyway, it's not real. I am quite happy to be seen for who I am.'

A series of hastily prepared straight-to-camera videos seemed to compound the error, showing a hard-pressed Harding apparently fighting for her commercial life. 'They have been rather unkindly described as the hostage videos - I really don't look my best, and they do look as though I was being held prisoner in a DIY store.'

But in the end, she says, many customers appreciated what she was doing. 'The received wisdom is never to say you don't know, but actually normal people know that sometimes you really don't know. There were lots of opinion formers saying it was the wrong thing to do but I had a very large number of customers emailing me directly saying "Thank you and keep it up".

'I'm still here, living proof that sometimes it's OK to admit to your fallibility.'

A relatively young business - TalkTalk grew in the noughties out of a series of acquisitions including AOL's UK business, Tiscali and One.Tel, and split from Carphone Warehouse in 2010 - the crisis also provided a 'do or die' moment for the TalkTalk team to prove itself.

'When I got here six and a half years ago, no one said they worked for TalkTalk, they were all ex-something - ex-Tiscali, ex-AOL, ex-One.Tel. Now people are proud to work for TalkTalk - it's a roller-coaster existence, but I am intensely proud of that.'

She also had great support from her fellow directors during the cyberattack, especially chairman (and founder of both TalkTalk and Carphone Warehouse) Charles Dunstone. 'The board were amazing. Charles is a hands-on, roll your sleeves up kind of chairman and he was in here most of the time, he even brought his dog in one Saturday - a black lab called Nancy who was delighted because there were boxes of half-eaten pizzas everywhere. It was just what the team needed, something to cheer them up. The next weekend he went to Five Guys and came back loaded with burgers.'

How did she deal with the pressure? 'I come from quite a military family. My grandfather was the only territorial ever to have gone on to lead the British Army.' Field Marshal Harding was Chief of the Imperial General Staff in the 1950s.

'He had lost a few fingers and had shrapnel in his leg, he was about 90 and he used to say to me and my brothers that you can't be brave unless you're afraid. So it's deeply ingrained in me that courage is a necessary part of being a leader, that the right thing to do is to name your fears and face them.'

Riding racehorses must also have taught her a thing or two about fear and commitment (she owns the 1998 Cheltenham Gold Cup Winner Cool Dawn and was a keen amateur jockey for many years until her husband and fellow directors persuaded her it was too risky to carry on). 'I am intensely competitive and I love the chase. Horses know when you are scared and they lose confidence, so calmness under pressure is what gets you through.'

Diminutive, puckish and animated, she doesn't look like someone who's just survived the business equivalent of a near-death- experience. Go on, admit it - you enjoyed yourself, I say. 'The danger is that it's like a wine memory, you only recall the good bits and it matures with age. I sound like I was enjoying it now, but I've never been so scared in a business context as I was that first week. Really properly terrified.'

Now the adrenaline rush has died down and it's time to take stock. Revenues for the first quarter of its 2017 financial year are steady and while it lost 9,000 broadband and 23,000 TV customers year on year, it has also gained 48,000 mobile subscribers. 'On-net churn' - a measure of those who stopped subscribing altogether - has fallen a little, from 1.5% to 1.36%.

Her pay package has also proven robust - she took home a hefty £2.8m last year, although the majority of that was a payout from a maturing LTIP. She donated her £220,000 bonus to charity.

So despite the ignominious conclusions to the hacking saga - it turned out that 'only' 157,000 sets of details were lost, and the half a dozen spotty teenagers who were arrested in the end are nobody's idea of international masterspies - perhaps things could have been worse.

So it's time to get back to business as usual. That means a return to snapping, terrier-like, at the heels of much larger rivals - Sky, Virgin and BT of course. All of them with much deeper pockets - BT's annual revenues of almost £18bn are 10 times greater than TalkTalk's.

Isn't the truth that the company is stuck in the tricky middle ground - too small to be big and too big to be small? 'There are four big players in the market and we are one of them - 18 or 19% of UK households take a TalkTalk service. That's not a subscale business.

'We are more focused - take out the international elements of Sky and Liberty (Virgin Media's parent company) and we don't look so much smaller. We're also a value for money business - people spend less per month with us and we think that's a positive thing, it's what we're here for.

'We just have to do things smarter. You have to out-think your competition because they can always outspend you: the only reason TalkTalk is here in the first place is because a bunch of people who were not telecoms engineers worked out how to build a network at a price that meant we could undercut the market. If they'd had all the money in the world they'd probably never have thought of it.'

Take the superfast FTTP broadband network it is building in York, for example. It's a neat example of the never-say-die Harding approach: Openreach won't build a good enough network and Ofcom won't force them to, so we're jolly well going to try and do it ourselves.

'I've not got the balance sheet to roll out FTTP everywhere on my own, so I'll find a way of doing it that involves bringing other people in to help finance it.'

Building another broadband network from scratch when there is already one (or two depending on where you live) up and running may not be as daft as it sounds. In a world of quantitative easing and zero or negative interest rates, there is capital looking for good infrastructure investments to provide returns.

'It's not sexy software engineering, it's blokes - and it is mostly blokes sadly - digging holes, and doing it more efficiently and with less disruption, and therefore more cheaply. Our key target for York was to build it for less than £500 per house passed. Everyone laughed - BT were quoting £1,000 - but we're already under £500 and the cost is only going down.'

Talking of blokes on construction gangs, what about women in the boardroom - or rather the persistent lack of them? Having started her career in the high-octane world of McKinsey before climbing the retail ladder at Kingfisher, Tesco and Sainsbury's, she admits that her views on this have shifted.

'If you had asked me 10 years ago, I would have got all grumpy and said, "I'm a businessperson, it doesn't matter whether I am a woman." But now I have become more resigned to the fact that my generation are the ones who are going to have to do something about it.'

But she is not sure that signing up female non-executive directors as a 'quick fix' for boardroom gender balance is the right way to go about it. 'That's really dangerous, we're creating a dual career route for women, which means that a lot of female talent is lost to the executive stream.'

The problem, she says is that once you're on the NED circuit, it's very hard to get off. 'It's almost impossible to cross back again because you're not operational any more.' Instead companies should be trying to bring more women onto the Exco at a younger age. 'Last time I got a group of ambitious TalkTalk women together they said, "We don't want to talk about NEDs, we want to know how to get your job."'

The mother of two daughters, aged nine and 10, Baroness Harding (she's been a Tory peer since 2014) has equally trenchant views on parental leave. 'I like the Scandinavian way - I would have completely equal parental leave for men and women. But I am probably too right wing, I think there is too much leave, so I would have less. If you're out of the workforce for a year you are really a member of the long-term unemployed, with all the problems that brings with it.

'Look at the very senior women who run companies, I don't think any of us have taken that much leave. It's not because we are crazy loons but because we know we have to stay in the swim. I feel out of touch after a week on holiday, never mind a year's maternity leave.'

That holiday ended the day before we meet, and was spent in the Bahamas with her daughters and her husband John Penrose, MP for Weston-super-Mare and a keen saltwater fly fisherman. 'The thing about the Bahamas,' she says, clearly the veteran of many an angling vacation past, 'is that there is more to do for those of us who don't want to fish.'

She's no fan of the digital detox however. 'Oh, I work on holiday, but I certainly don't feel oppressed by it. I just don't see the boundary - I am just as likely to have the kids in the office on a Friday before we go down to Somerset (where the family home is). They are a good moderating influence, they'll say when we get home, "Mummy will you put the phone down now, please?" But the only person oppressing me, is me.'

The truth is that unlike those giant rivals neither she, nor the company she runs, is naturally very corporate. She likes that there are only 2,500 or so employees - 'you can put your arms round that'. She likes it when one of the men on her team says he's leaving early to pick up the kids - 'it's a better world where a man can admit that and no one bats an eyelid'. And she also likes that TalkTalk scores 'off the charts' on the employee survey question which says 'I can be myself at work'.

'It's much more fun being the underdog in a market where there are great big titans who we keep honest.' Ah, we're back where we started - all roads lead here eventually.

'BT is very fond of saying that we don't invest much compared to what they do: well BT invests more because we are here, if we weren't then their prices would be higher and they would invest even less. In a way we're here to be irritating, and I'm proud that the irritating challenger is still here.'


To convince potential customers that TalkTalk's cybersecurity is now really up to scratch

To get the share price back up to 320p,where it was a year ago

To have another winner at her favourite racecourse, Cheltenham


1967: Born in Germany; educated at St Antony's Leweston, Dorset, University of Oxford and Harvard Business School

1988: Joins McKinsey as a consultant

1995: Marketing director, Thomas Cook Group

1998: Joins Kingfisher Group

2001: Joins Tesco, becoming commercial director of added-value foods, then international support director

2008: Joins Sainsbury's operating board as convenience director

2010: CEO at the newly de-merged TalkTalk Telecom Group PLC

Oct 2015: Warns 4 million customers that their data may have been hacked

June 2016: Donates £220,000 bonus to charity

Hear More From Dido Harding About Life At The Helm Of A Top Telco At MT's Inspiring Women In Business Conference

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events