back to article TalkTalk: Hackers may have nicked personal, banking info on 4 million Brits

TalkTalk is in the process of telling its four million subscribers that it has fallen victim to a “sustained cyberattack” – and it is possible that personal information including bank details have been pilfered. The UK ISP took down its website yesterday, telling us this was not related to a broadband outage, and the site …

  1. AJ MacLeod

    I bet this has been going on far longer than just yesterday. I know I've had TalkTalk customers tell me in the past week or two they've been phoned by the "windows support" type scammers claiming to be from TalkTalk and able to provide all kinds of (correct) account information when challenged.

    I wonder if this has also affected TalkTalk Business?

    1. Chris Miller

      The TalkTalkBusiness.co.uk site is working normally, FWIW.

      1. Starace

        As far as I can tell everyone got pushed into the same billing system including 'legacy' business customers, so that website is really just an advertising portal.

        1. Chris Miller

          No, the billing systems for TalkTalk and TalkTalkBusiness accounts remain quite separate (I have both). Some (mainly SOHO) business accounts did indeed get transferred to standard TalkTalk operations, as you describe.

          1. Anonymous Coward
            Anonymous Coward

            As part of Project Cola, one man band businesses were transferred from TT Business to TT Residential.

            1. vagabondo

              transferred from TT Business to TT Residential

              This seemed to happen quite randomly about two years ago. We had one direct debit payment account transferred, but not three others.

              If you call TalkTalk Business they will transfer you back, but is similar to transferring from another unrelated supplier and you may have to set up the payment system again. You have to wait about two weeks and fend off the "please don't leave, would you like a discount" call from TT Residential. You will lose any fixed IP addresses (but if you have a technical problem then they get be converted to dynamic anyway -- that's how we discovered we had been transferred).

    2. psychonaut

      going on since tuesday at least. website was down on tuesday, their pop/imap "email" has not been working correclty either (i have customers who use that shit unfortunately)

      oh, and one of my customers said that shortly after contacting (genuine) talk talk on 2 occasions recently she got a call back soon after from scammers pretending to be from talk talk.

      on the other hand, not sure how you differentiate scammers from talk talk they both seem to do the same thing.

      1. psychonaut

        just read on the bbc that in february, lots of customer data was taken, including phone numbers...which lends the truth to the scammers phoning people up pretending to be talk talk with their account details.

        1. Salts

          BBC reports this is the third attack in 12 months, good to see a company learning by it's mistakes.

          1. Chris Miller

            You can't do much about being attacked (especially DDoS) - some of my clients get 'attacked' several times a month - it's how strong your defences are that's relevant.

            1. Salts

              @Chris Miller

              Sorry, let me clarify "third successful attack in 12 months", weak defences me thinks :-)

            2. AlbertH
              Mushroom

              It's NOT the DDoS that's caused the problem - it's the SQL injections that allow the data theft. TT are stupid in that it wasn't encrypted and you can be sure that their OSs and software are several patches behind the curve!

      2. Anthony Hegedus Silver badge

        When you say their pop/iap has not been working correctly, I take it you mean it suddenly starts delivering mail within a minute of it being received, or some such weirdness?

        Talktalk certainly scammed us when we re-sold their business broadband.... nothing wrong with the broadband itself but their billing systems were so crap as to defy belief.

        1. psychonaut

          not working correctly....just plain not working for hours, weird issue where one customer got about 400 folders created called "inbox 1", "inbox 11", "inbox 111" etc

    3. Anonymous Coward
      Anonymous Coward

      Oh dear.

      Fucktards on the starboard bow, Scotty beam me up.

    4. j0nn13

      I know someone this has happened to as well at the start of the week. After she got suspicious and I had a look into it, suggested she speak to the police who told her that hundreds of people were reporting the same thing.

  2. Anonymous Coward
    Anonymous Coward

    What about ex-customers?

    I stopped being a customer of TalkTalk in August of last year. I wonder if

    a) they still have my details on file

    and

    b) whether, as I'm an ex-customer, they'll bother to contact me to tell me if they've been stolen.

    1. allthecoolshortnamesweretaken

      Re: What about ex-customers?

      My guess would be

      a) yes

      b) no

      1. cantankerous swineherd

        Re: What about ex-customers?

        I'm guessing you're right on the money.

      2. Star

        Re: What about ex-customers?

        Yup, the only customers Talk Talk care about is potential customers.

        The only reason they're trying to be seen as doing something for existing customers - far too late by the sound of it - is because they couldn't hide it from those potential customers anymore.

        They certainly couldn't give a toss about ex-customers.

    2. Anonymous Coward
      Anonymous Coward

      Re: What about ex-customers?

      a) Yes, they certainly (used to at least) keep accounts for all ex-customers. As I recall you would just be an account holder with no active products.

      b) Given the talk of "4 million" customers, I suspect they won't be contacting ex-customers.

      Perhaps El Reg can seek clarification on behalf of the millions of former customers?

      1. Anonymous Coward
        Anonymous Coward

        Re: What about ex-customers?

        I highly doubt they have deleted the data of ex-customers. I am a customer of TalkTalk business (and am posting anonymously because of this which I normally never do). They clearly have my password stored in a retrievable format because when I have called them they have asked me to say it and then they obviously compare it to what they see on screen. (They do not ask for the Nth letter or any of that, for what it's worth). Furthermore when I haven't been able to remember the password exactly (it has a number sequence on the end), they have said "close enough" and proceeded to deal with my enquiry. Note, this is their customer support password asked for when making tech support or billing enquiries. I've no idea if it is also the password to log into my online account with them as I never use that, but I would be unsurprised if it were.

        I'll be checking my Inbox shortly to see if they have communicated with me about this, but I'm not impressed that I'm learning about this on El Reg instead of from them (there was nothing from them there last night).

        1. h4rm0ny

          Re: What about ex-customers?

          I highly doubt sympathy will go down well right now and I'm not exactly going to let them off the hook, but I did just watch the BBC interview with Dido Harding from TalkTalk and to be fair, she came across extremely well given the circumstances. Interview.

          1. Tim Jenkins

            Re: What about ex-customers?

            " she came across extremely well given the circumstances"

            Rather less well just now on 'Today', where her reason for not being able to tell customers if any potentially exfiltrated personal datasets are encrypted was that 'TalkTalk systems have millions of lines of code'...

          2. chris 17 Silver badge

            Re: What about ex-customers?

            her media training was definitely put to the test by Charlie from BBC breakfast this morning. I felt a little sorry for her as a person.

            Assuming the customer details and card numbers where unencrypted hence hackers able to take them, why did they not have systems in place to safeguard that data? Rely PCI/DSS rules should mean that data is not retrievable in an unencrypted form? if encrypted, the keys should be on separate access controlled systems. If they went to those lengths and hackers stole the encrypted data and all the keys, why was their not a system in place to notice the leak of their most precious data?

            Lots of questions to answer here especially as they got hacked earlier this year and should have been prepared.

          3. jonmorris

            Re: What about ex-customers?

            She'll have been no doubt briefed on how to act, and to play the open and honest, nothing to hide, hey I;m a victim too line. I think it's good she's spoken to the media (this time) but I think she's misjudged the anger - and saying she's a victim too won't get her or the company any sympathy when it's the THIRD time it's happened (at least).

          4. michaelkeay

            Re: What about ex-customers?

            She didn't come across well to me. Crying "Crime of the times" nonsense and "its not just us".

    3. jonmorris

      Re: What about ex-customers?

      Yes they will - people got the scam 'PC hack' calls even when they'd left ages ago.

      And even current customers, like me, aren't getting contacted.

      As it's the third time, I have NO sympathy at all now. And Dido Harding saying she's a TT customer and has been a victim too just makes me even more angry. I mean, if she had something to lose then shouldn't she have been making sure the defences were rock solid. Or robust? That's a word she's been using, which is laughable.

      I mean, what's left to protect now?

      1. Anonymous Coward
        Anonymous Coward

        Re: What about ex-customers?

        And Dido Harding saying she's a TT customer and has been a victim too just makes me even more angry. I mean, if she had something to lose then shouldn't she have been making sure the defences were rock solid.

        Well don't forget that most of the customers are proles, who's only contact with their bank is via a low powered call centre worker, or a teller at the counter. With Ms Harding's multi-million pound package, she'll be with somebody like Coutts, and whoever the bank is, they'll have assigned a "personal wealth manager" to slobber over her and keep a beady eye on her account security. She doesn't have anything to lose.

    4. AlbertH
      Paris Hilton

      Re: What about ex-customers?

      You can be absolutely certain that your data has been stolen. TT are clueless about security

  3. Roger Greenwood

    Yet more reason . . .

    . . . to give false DOB etc. It's a matter of "when" not "if" where commercial entities are concerned.

    You can change your bank etc, but personal info more difficult.

    1. Anonymous Coward
      Anonymous Coward

      Re: Yet more reason . . .

      Then you fail on the credit check as they won't match your real details.

      1. Roger Greenwood

        Re: Yet more reason . . .

        "fail on the credit check" Fair point, but then maybe they weren't doing that either.

      2. vagabondo

        Re: Yet more reason . . .

        "Then you fail on the credit check"

        Why do you need credit from an ISP? I always use 01 01 1970 when asked for any date (or you could use anyone else's dob that you can remember) apart from to my bank.

  4. allthecoolshortnamesweretaken

    "The ISP admitted that “unfortunately” there is a “chance” that some customer data including subscribers' names, home addresses, dates of birth, phone numbers, email addresses, bank account info and credit card numbers have been accessed by hackers."

    Why, in my mind, does this translate into 'all of our customer's data has been compromised'?

    1. Doctor Syntax Silver badge

      "Why, in my mind, does this translate into 'all of our customer's data has been compromised'?"

      And why does all the stuff about constantly updating systems seem to be missing 'in the future'?

      1. teebie

        "Why, in my mind, does this translate into 'all of our customer's data has been compromised'?"

        Because you give TalkTalk too credit. It really means "we have no idea which of our customers' data has been compromised. It could well be all data for all customers, but we don't know, and never will"

    2. a_yank_lurker

      Corporate doublespeak which means we screwed up so badly that hackers downloaded our unencrypted customer database using SQL injection. In plainer English we are idiots with computers.

    3. Rusty 1

      If such information has been really been lost, the next annual PCI DSS compliance review will be a real doozy. Popcorn and peanuts at the ready!

      1. mark 120

        Their next annual review may well be beginning today, starting with a knock on the door from serious lookg audit types with forensic investigators in tow. If Talk Talk didn't tell their acquirer / Visa / Mastercard they'd been breached right away, then a very dim view will be taken.

    4. A Non e-mouse Silver badge

      Why, in my mind, does this [chance] translate into 'all of our customer's data has been compromised'?

      Because the press release was written by PR monkeys trained to downplay anything bad, but you're a hardened geek who can see through the PR B/S at fifty paces?

    5. Anonymous Coward
      Anonymous Coward

      At least they spared us the usual "we take the security of our customers seriously .... Etc"

      It won't stop until fines for all breaches where data was taken having not been properly secured are eye watering to the point of making shareholders really feel the pain.

      1. chris 17 Silver badge

        @AC

        "It won't stop until fines for all breaches where data was taken having not been properly secured are eye watering to the point of making shareholders really feel the pain."

        Define properly secured?

        is there some accreditation they need to meet before they can be fined? I'm fairly sure their accreditation boxes will be found to be ticked, including insurances to cover their costs in this kind of event. the insurance wont cover the cost to their reputation though which is what will truly heart them.

      2. Tiger Bay Cyber

        New EU Data Protection Regulation

        The draft EU Data protection regulation should sort that out €100M or 5% of global turnover fine for a serious breach (assuming this does not get watered down in the behind the scence horse-trading / lobbying).

      3. This post has been deleted by its author

    6. Frank Bough

      Re:

      ...because you are a realist with experience of dealing with PR bullshit?

    7. AlbertH
      Mushroom

      Why, in my mind, does this translate into 'all of our customer's data has been compromised'?

      Why do you think lots of lawyers are carefully examining TT's Contracts. They're going to be sued out of existence!

  5. Anonymous Coward
    Joke

    They can TalkTalk

    can they WalkWalk? Or will their customers do so?

    1. Anonymous Coward
      Anonymous Coward

      Re: They can TalkTalk

      or FOADFOAD?

    2. jonmorris

      Re: They can TalkTalk

      I'm off. I was quite forgiving the first time around, despite having the scam calls and feeling angry for those people who might fall victim to them (and TalkTalk not having told me or anyone else by email, or by post, to be on our guard).

      Now it has gone beyond that. I have a moral duty to boycott them, but admittedly I won't go until I seek out a good alternative. I'm not going to be further inconvenienced because of them. Rest assured though, in a month or two I won't be a customer of theirs.

  6. WillbeIT
    Facepalm

    Apathy

    It is astounding how numb the general populous is about this continual tide of massive breaches of private info right around the world. W[here]TF is this going to go.

    1. Dadmin
      Happy

      Re: Apathy

      Right into the toilet, it's going!

      Seriously, I was chatting to an acquaintance last night about this very thing. Back in the early Internet days, no one needed to protect anything because there was not the sort of general admission to the Internet that there is now. A password was good enough, and only network wizards could afford a network sniffer, and then it was huge and he needed to be nearby. You needn't worry about security or protocol vulnerabilities because only people from universities, big corporations and our friendly gov and mil users were on the net. Who knew?

      Anyway, it never ends. There will always be people putting out sub-standard products in terms of security. There will always be some grandpa who doesn't secure his net and laptop so they will be the first to join their botnet. There will always be some goofy IT boss who once was an admin for a few months, and every idea that plops out of them will be GOLDEN, until it's tested then they should be fired for their part in the breach. Anyway, there will always be someone smarter than ourselves trying to figure out how to break into a consumer wifi through an online teapot. There will always be governments who hoard zero-days rather than inform the manufacturer. There will always be a need for security people to charge US$100+/hr for their services to clean up with all of the above collectively fudged up together. Always.

      1. Smoking Gun

        Re: Apathy

        Re your first paragraph my Dad said the same thing, when he was working at BT "back in the day", he never had issues like this, never had a data breach on his Amstrad or floppy disk, the "world is too complicated now" he said. But you couldn't see what your mate had for dinner on Facebook, I said. In truth I figure he has a good point, wasn't the world better when we just met each other, talked, and did business with hard currency and spit on your hand.

    2. Anonymous Coward
      Anonymous Coward

      Re: Apathy

      "It is astounding how numb the general populous is "

      Populous (adjective) = having lots of people

      Populace (noun) = the population << You want that word

    3. NightFox

      Re: Apathy

      Let me change your post:

      Apathy

      It is astounding how numb BUSINESS is about this continual tide of massive breaches of private info right around the world. W[here]TF is this going to go.

      If I was CEO of any large company, the minute I saw something like this in the news I'd have my CISO in front of me and I'd be demanding assurances that all our data was encrypted etc

      1. Anonymous Coward
        Anonymous Coward

        Re: Apathy

        Before you could do that you'd need to have a CISO.

        I've worked in software development for over 20 years. Only one software development firm I've worked with had an infosec officer and they went bust at the turn of the century. It is rare to work with a CTO that has a clue about security,and even rarer to work with a development manager / procduct manager / project manager that knows their hashing from their encryption.

        (Posting anon since my current employer is actually OK at this, and I don't want them tarred with this brush).

      2. Anonymous Coward
        Anonymous Coward

        Re: Apathy

        Encryption of data only counts if the hacker only has access to the binary data of the databases. If someone is in a live system and can query a database, then depending on the privileges they've managed to get then they own your data.

        I'm increasingly wondering why personal data is allowed near the edge of the network anyway. It might be a bit inconvenient for me not to be able to check which bank account number I used but it would be a damn sight safer if that data was push only.

  7. Anonymous Coward
    Anonymous Coward

    They have a lame ass recruitment process that uses txt to columns, what did they expect?

  8. zaax

    One of the questions is why do they want a DOB?

    The main question how did they get it if all the information was hashed?

    1. Doctor Syntax Silver badge

      "One of the questions is why do they want a DOB?"

      Because this piece of information which people are asked for in all sorts of circumstances is a shared secret between themselves and their customers to help identify said customers?

      1. Rich 11 Silver badge

        a shared secret between themselves and their customers

        ...and anyone in the world who cares to look on their Facebook page.

    2. Anonymous Coward
      Anonymous Coward

      Credit check.

      1. Doctor Syntax Silver badge

        "Credit check"

        In that case they don't need to keep it. If that's the only reason and they keep it anyway they fail data protection principle 5: Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

        That, of course, is in addition to failing 7: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

      2. Trigonoceps occipitalis

        Also for targeted advertising - much more important.

    3. werdsmith Silver badge

      In order to differentiate one zaax from another zaax they need more information.

      To create a compound unique key of sorts.

  9. cantankerous swineherd
    Trollface

    have we heard whether securing customers data is their number one priority? I'm getting worried that big payouts for directors were more important; could we have some reassurance on this?

  10. Anonymous Coward
    Anonymous Coward

    HAW HAW! But seriously, thats not nice. Naughty Naughty. TalkTalk? Is their IT dept run by Homer Simpson?

  11. scrubber

    The Met

    Why don't the Met just fuck the fuck off? These cunts are democratically unaccountable and are focused on companies not subjects (we're not citizens let alone equals, wake the fuck up!)

    Just sayin'

    1. Anonymous Coward
      Anonymous Coward

      Re: The Met

      'ad your collar felt recently guvnor?

      I'm no fan of the rozzers, but c'mon...

      1. scrubber

        Re: The Met

        Oops, my bad, I was thinking of the city of London police...

    2. Steve Davies 3 Silver badge

      Re: The Met

      'Scrubber' eh?

      That what we used to call (showing my age) teenage girls who slept around until their mini-skirts were so short you could see their knickers as they walked along the street and got a visit to the local nick via a Plod Wagon. An apt handle then?

      Perhaps you might like to ... Nah, not possible.

  12. Grubby

    Residential, small business and ex-customers

    All residential, small business and ex-customers' data is stored in the same system so if they have managed to get one set of data they will have probably obtained all as it would actually be easier, once in, to take everything than to identify specific accounts.

    I wonder if the government will be doing anything about companies holding (and losing) the data of people they don't even provide services for anymore. Oh noooo... Dido is married to one of Mr Cameron's friends in government. What are the odds, a guy is a member of the party that leads the country, and his wife gets offered a job to lead one of the biggest communications companies in that very same country. Some people get all the 'luck'.

    1. Anonymous Coward
      Anonymous Coward

      Re: Residential, small business and ex-customers

      As the old saying goes, it's not what you know but who you sleep with.

  13. Tim J

    Who's next

    Today TalkTalk... tomorrow BT, Virgin Media, Sky, Zen, Andrews and Arnold, Vodafone, EE, HSBC DVLA, HMRC, HM Passport Office, GCHQ...?

    1. david bates

      Re: Who's next

      Plusnet, despite storing passwords in cleartext have ASSURED me on numerous occasions that their systems are secure. The last livechat bod could see no reason why they would be hacked, and that my details were completely safe. I sleep soundly knowing that.

      I've kept that livechat, and all the emails...just in case.

      1. Anonymous Coward
        Anonymous Coward

        Re: Who's next

        "Plusnet, despite storing passwords in cleartext have ASSURED me on numerous occasions that their systems are secure. "

        Idnet, despite storing passwords in cleartext have ASSURED me on numerous occasions that their systems are secure. Yes, really.

  14. Peter Prof Fox

    Date of birth

    Why the hell does an ISP know date of birth?

    Somebody explain.

    1. DarkOrb

      Re: Date of birth

      Credit checking.

      1. Steve Davies 3 Silver badge

        Re: Date of birth

        And once they have done one what justification do they have for keeping it?

        Perhaps they want to send you a Birthday email/text/song?

        I'd like the T-T bosses to explain why all that data was so easily accessible via their webServer AND that it was in plain text. This is IMHO a criminal act. Jail time beconing?

        1. Anonymous Coward
          Anonymous Coward

          Re: Date of birth

          This is IMHO a criminal act. Jail time beconing?

          What do you reckon? AFAIK there's no offence of "criminal stupidity" or "corporate incompetence". They'll report themselves to the ICO, but even if the ICO opens an investigation and then fines them, he can only levy penalties up to half a million quid. Last year Ms Harding's remuneration was a tad short of seven million quid, so she wouldn't notice if the ICO fine was the maximum allowed, and she had to pay it herself. Enjoy that thought when the scammers are pestering you on the phone, or applying for credit in your name.

          As chief executive, the buck stops with her, and the board nominations and audit committees for their collective failure to appoint the right IT people, and to keep data safe. But who really thinks these useless fat cats will be held to account?

      2. Doctor Syntax Silver badge

        Re: Date of birth

        @DarkOrb

        "Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes."

        So if you only took DoB for credit checking you've failed on that data protection principle.

      3. Trigonoceps occipitalis

        Re: Date of birth

        Also targeted advertising.

  15. Gordon 10
    Devil

    Class action

    The new Consumer Rigts act allows for the first time Class Action style lawsuits in the UK. Who wans to join the test case?

    Unleash the hounds!

    1. Anonymous Coward
      Anonymous Coward

      Re: Class action

      Class actions have only been introduced for competition cases. So no help here.

  16. A Non e-mouse Silver badge
    Joke

    Talk Talk [are] “constantly updates its systems” to protect against the “rapidly evolving threat of cyber crime"

    Translation: "Every month we change the root password (password1) by adding one to the digit."

    1. Jo_seph_B

      -and then change it back to password1.

    2. Trigonoceps occipitalis

      After 3 Months?

      Password = digitoneoneone

  17. Exabyte

    Where are the NCA in all this?

    I seem to remember seeing someone on the BBC from the NCA cyber crime unit talking tough a couple of years ago.

    It was all "you can't hide from us new ultra-rozzers" nonesense but seriously, where are they?

    I thought that the Met cyber team were folded into them, much to their apparent annoyance. Have they created another Met e-crime (again)?

    Mr Wikipedia tells me that the NCA has a whopping £464M budget but I don't see them anywhere.

    Seems like it's time for another NCA interview to put the fear back into the crims.

  18. Anonymous Coward
    Anonymous Coward

    Surely GCHQ, with all their access and data storage, could have prevented this?

    Or now that the 'attack' has been found, GCHQ (NSA, etc) can all look at the 'metadata' they've collected and quickly identify the bad guys?

    No?

    Have to wonder why it's all needed then...

  19. Anonymous Coward
    Anonymous Coward

    Not at all surprised

    I was a customer of theirs about 5-6 years ago, most technically incompetent ever was sincerely glad to be rid of them (was with another ISP who they took over).

    From what's being said their data wasn't encrypted, in the case of credit card information this could make them liable to fines in the millions for breaching the PCI regulations if that's the case (credit card data must be encrypted from end to end.)

    1. tiggity Silver badge

      Re: Not at all surprised

      Although there are a few minor loopholes e.g. PAN (i.e credit card number) may be long term stored unencrypted but *only* if various adequately robust compensatory security controls in place - and obviously compensatory measures were inadequate based on what has happened. So you would expect a big fine (without action it's also a massive disincentive for everyone who spend time & money keeping up with regulatory requirements)

  20. Ken Moorhouse Silver badge

    Extract of email sent to TalkTalk 26.8.15

    Email sent to Divya "talktalk.cashprocessing@talktalkplc.com" <talktalk.cashprocessing@talktalkplc.com>

    "I write regarding the phone conversation I had with you a few minutes ago concerning my client who was scammed yesterday by a caller purporting to represent TalkTalk. His number appeared on the CallerId as 00123456789 and he spent the whole afternoon from about 2pm to nearly 6pm on the phone. He said that he was going to charge £168.68 for a new router which would be delivered today between 9.45am and 10am because the router was causing problems on the line (see receipt below). He used TeamViewer to take control of my client's pc and who knows what information he managed to extract from it - I have recommended to my client..."

    "As I mentioned to you, it would be helpful to all of your clients if you send out a letter explaining how to guard against this kind of thing happening to them because this is not the first instance of this scam occurring that I have had to deal with. The fact is that these scammers know quite positively that the number they are ringing has a TalkTalk account associated with it, together with the name of the account holder. IMHO it is NOT a coincidence that they randomly hit on this information, and I don't have this problem with clients of mine using other company's lines, it is specific to TalkTalk. Somewhere within the TalkTalk organasition you have someone who has access to this information that is passing it on to these fraudsters."

    1. psychonaut

      Re: Extract of email sent to TalkTalk 26.8.15

      this is spot on. i posted above about this. shortly after actually calling talk talk support line, customer gets a call back from scammers. happened twice to same customer. there is a mole somewhere....

    2. Anthony Hegedus Silver badge

      Re: Extract of email sent to TalkTalk 26.8.15

      Yes, somewhere in an organisation which uses indian call centres, there's someone who steals information. Really? No shit. Talktalk, you need to close down your call centres, you bunch of tossers!

  21. Mike Wood

    Talk Talk Advise

    So Talk Talk are advising all their customers to change their passwords, that is all well and goo, but their management portal is still down. Epic Fail here guys??

    1. Roger Greenwood

      Re: Talk Talk Advise

      Changing passwords is all very well but then you have to update all your post-it notes. Such a pain.

    2. Chris Miller

      Re: Talk Talk Advise

      It's not your TalkTalk password that needs to be changed, it's those accounts you may have where you reuse the same password. Although (of course), if TalkTalk have adopted standard security practices (salted hash), retrieving a password should be extremely difficult.

  22. Ray Merrall

    If there is the possibility of a class action, will Talk talk be walk walk the plank plank?

  23. Anonymous Coward
    Devil

    Fnar, fnar!

    Dido Harding? Sounds a bit rude!

    1. Anonymous Coward
      Anonymous Coward

      Re: Fnar, fnar!

      she also looks a little bit like a man in drag

      1. Anonymous Coward
        Anonymous Coward

        Re: Fnar, fnar!

        Dress and general demeanor reminded me a bit of Dolores Umbridge from the Harry Potter movies.

    2. Anonymous Coward
      Anonymous Coward

      Re: Fnar, fnar!

      Martin Freeman?

  24. Anonymous Coward
    Anonymous Coward

    ffs

    TalkTalk and all other internet facing databases should be required by law to encrypt sensitive personal data on their databases. Surely that's not rocket science?

    1. Anonymous Coward
      Anonymous Coward

      Re: ffs

      Encryption of data only counts if the hacker only has access to the binary data of the databases. If they can execute queries against the database with certain privilages then they could at least read too much. It really comes back to the question of why information needs to be near the edge of the network.

  25. Billy7766
    Black Helicopters

    He who buys Chinese must die by Chinese

    I am not, of course, suggesting that Hauweii (part owned by the Chinese military, and part by the Chinese government) would ever do anything underhand to give back door codes for key infrastructure servers out, or that they have a track record of very poor security patching or that there's a reason they're so cheap. Nope. Not at all.

    In an entirely unrelated statement I hear that Talk Talk just swapped their entire backbone and most of their billing system servers for Hauweii kit

    1. Schmeelster

      Re: He who buys Chinese must die by Chinese

      What about firewalls, IPS , ddos etc? That is not huaweii.......

    2. IanDs

      Re: He who buys Chinese must die by Chinese

      At least Huawei kit is less likely to have backdoors built in for the NSA and GCHQ than kit from their USA/UK/EU competitors...

  26. hatti

    Online security philosophy

    If security and testing that security is not a central tenet to an online businesses philosophy then, at some point, that company will reap what it sows.

  27. Anonymous Coward
    Anonymous Coward

    Negligence

    I'm still in contract with TT and happen to want to leave due to a house move.

    Surely this is reasonable justification for allowing me to break contract without paying for the remaining months?

    1. Frank Bough

      Re: Negligence

      Just cancel the DD, they won't do anything.

      1. auburnman

        Re: Negligence

        "Just cancel the DD, they won't do anything."

        They will hassle you with threatening letters for a number of months from various debt collection agencies. Asking for a copy of your signed agreement usually shuts up one agency, but then they bounce you to another one down the line.

  28. Anonymous Coward
    Anonymous Coward

    What were their plans to prevent this happening in the first place? What was their infrastructure and what proactive steps were they taking to deny access to any systems? Now they have been compromised, what is their full recovery plan and strategy? They surely have zero credibility and I for one shall be campaigning for them to pull their sponsorship of X Factor as they must now dedicate those funds to something more useful.............

  29. Youngdog

    One not-bothered Talk Talk customer here

    Given how useless they were at responding to my complaints that details they had were wrong and STILL showing as inaccurate or out of date even the last time I checked I'd be surprised if the miscreants managed more than a few of the digits to be in the right place to do any harm.

  30. Anonymous Coward
    Anonymous Coward

    Distributed Denial of Service

    I fail to see how a simple DDOS attack on a web front end can result in customer data being stolen. Unless of course their network design is astoundingly inept.

    1. Anonymous Coward
      Anonymous Coward

      Re: Distributed Denial of Service

      It's pretty common for attackers to use DDoS as a distraction (at 95% bandwidth of what you can handle - they'll do multiple attacks to gain that info) and if they've done their homework; they'll then launch a sophisticated SQL injection or other sorts.

      Gets the Ops team scrambling in the wrong direction where they should of been looking at the database servers (and shutting them down) if they'd setup alerting correctly.

      1. Anonymous Coward
        Anonymous Coward

        Re: Distributed Denial of Service

        Do we have any evidence of this?

        It seemed strange to me too.

  31. Anonymous Coward
    Anonymous Coward

    But no-one stores passwords, per security 101. That would be so incompetent.

  32. Duffaboy
    Coat

    CEO Interview on 5 Live

    She said that customers could contact Talk Talk for advice on their security oh the Irony

    1. JohnMurray

      Re: CEO Interview on 5 Live

      Customers contact talktalk for helpful advice?

      Has she ever tried to talk, to talktalk, about anything?

      Help on connection problems....no...they know little about anything other than running through the same check list, then sending someone round and trying to bill you for it ( in a worst-case scenario they will send a BT guy around, then both try to Bill you)(and the problem is never solved anyway)

      Help with billing...you're 'avin' a laugh?

      Their offshore staff speak poor English, they have worse connection problems than their cuntstomers, and they have serious problems accessing billing data anyway (maybe talkcrap should hire the scammers, they obviously know their way around the systems)

      To make things worse (yes, I have been phoned by the scammers) the scammers talk much better English than the paid staff......

      1. Captain Badmouth
        Happy

        Re: CEO Interview on 5 Live

        "To make things worse the scammers talk much better English than the paid staff......"

        I did point this out as an obvious pointer to being scammed in the previous talk-talk online fail :

        "My brother was with them and it was next to impossible to get through to anyone that spoke any sort of sense. So any intelligent authorative sounding person on the phone is obviously a scam imho."

    2. Doctor Syntax Silver badge

      Re: CEO Interview on 5 Live

      "She said that customers could contact Talk Talk for advice on their security oh the Irony"

      Maybe she meant that the customers could advise TalkTalk.

  33. N2

    Oh dear

    Bit of a dildo there Mr Harding?

    I take it you will assume full responsibility for clearing up the mess an ensuring the neccessary actions regarding fraud protection put in place for your soon to be ex customers?

  34. Anonymous Coward
    Anonymous Coward

    one way to stop tech support scammers

    i bought a CPR Call Blocker which stops them by blocking international numbers. You can also set it to block withheld and fake numbers as some use spoofed numbers. if a scammer calls it simply answers the phone in less than a second then hangs up so costs the scammers money (when it answers a red light comes on so you can see if it has answered a scammers call) since buying it we haven't had one scammer get through.

  35. Anthony Hegedus Silver badge

    wankwank

    We should never be outsourcing customer support to foreign nations where the call centre droids probably work as scammers in the evenings. Because greed.

    Don't tell me that some of this wasn't an inside job.

  36. Valerion

    Was this a hack or a DDOS

    I'm confused by the reports of what's happened. Was this a DDOS or a hack?

    Frankly, it sounds like a DDOS. Quite possibly one of those ransom attempts that seem popular these days. That would not result in data being taken, just in the site being offline.

    If you are hacking to actually steal customer data, you do not flood the site with traffic*, but rather would try and sneak in undetected. If the data is exposed by the front end (which is unlikely but possible if there was some kind of SQL Injection vuln or something) then flooding the front-end with traffic is just going to make it unavailable for the hack, also.

    So I'm a bit puzzled.

    *I admit there is a chance it was a diversion.

  37. Chris King

    AAISP statement to customers with TT Wholesale lines

    Andrews & Arnold have a bunch of customers on TalkTalk Wholesale lines, and they issued this statement earlier:

    http://aastatus.net/2174

  38. Anthony Hegedus Silver badge

    This probably sums it up http://newsthump.com/2015/10/23/talktalk-customers-to-learn-about-hack-next-time-they-manage-to-get-on-internet/

    1. John McCallum
      Unhappy

      I have not long checked my emails and there is NO warning AT ALL. So I smell bullshit

  39. Mark Dirac

    role of the media

    Talktalk CEO just interviewed on BBC R4 "Today" programme. She gave the impression that they are responding immediately to this hack, and that they have not had enough time to ascertain any details (not even enough time to know if their customers' data was encrypted!). And yet the BBC interviewer never challenged that the same thing happened to tens of thousands of their customers OVER TWO MONTHS AGO in August, and Talktalk are STILL saying on their website (about the August hack) "It is too early to say exactly..." etc.

  40. psychonaut

    resell talk tlak broadband?

    how desperate / crazy would you have to be to do that?

    i guess the commission must be pretty good. you'd tie your reputation to them??

  41. Anonymous Coward
    Anonymous Coward

    Perhaps Dildo Hardon can explain...

    ...why her company chooses not to encrypt the personal data of its clients?

    1. Duffaboy
      FAIL

      Re: Perhaps Dildo Hardon can explain...

      Or more to the point why on earth are you sill retaining ex customer data ?

  42. Custard Fridge

    Talk Talk Techies - are you out there?

    Any TalkTalk IT people care to comment on all this? Or are you all outsourced?

    In other news - Sainsbury has large proper jars of Marmite on sale again, which is nice.

    1. Anonymous Coward
      Anonymous Coward

      Re: Talk Talk Techies - are you out there?

      they should be all awake over in Delhi

      1. Captain Badmouth

        Re: Talk Talk Techies - are you out there?

        "they should be all awake over in Delhi"

        I believe they have an outpost in Sith Effrika as well.

  43. This post has been deleted by its author

  44. adam payne

    Getting hacked three times in a year beyond stupid, their security and procedures must be laughable.

    1. JohnMurray

      What security?

      How secure can anything be when any of their people cannot even pronounce my name?

      The bill I can access online (no, don't laugh, you can access it....when the "MyAccount" website actually accepts the password) (it'll be fixed in 28 days..they guarantee...twice so far) does not match the billed amount on their screens. Even worse....I am quite sure that the person I talked to, at talktalk, was the same person who talktalked gibberish to me when I was with BT a few months ago (their service was crap too, so obviously they have been talking to talktalk and getting lessons in how to not give a service)......there has been fibre in the village for 10 months now....BTs'....for another 7 quid I can have FTTC....when BT actually bother to get it working.

  45. Anonymous Coward
    Anonymous Coward

    Talk Talk have been obsessing about having BT broken up, this is their third hack in a year - maybe they should have been more vigilant about their own business?

  46. Anonymous Coward
    Anonymous Coward

    shell we have a game of "how was it done?"

    No details have been released about attack and I do not know what happened but the most common attack that I seen that gets data out of an organisation is the following

    1) Spear phishing attack to an admin to deliver the dropper via a URL from a hacked wordpress site

    2) Second stage down loader exploits one of the following (Office, Adobe, IE) to gain kernel level access

    3) Creds for key systems harvested

    4) Data accessed with Creds

    5) Data exfiltrated via the web proxy

    Or an un-encrypted USB stick left on a train.

  47. Morloch

    Why doesn't 2+2 = 4

    I really don't understand how 4 million people couldn't put 2 and 2 together...

    Talk Talk is the most complained about ISP

    Services are poor beyond belief allegedly

    Does anyone really believe that a company who doesn't invest in customer facing 'visible' infrastructure and services is going to invest in good behind the scenes (security) infrastructure and services?

    1. Mark Dirac

      Re: Why doesn't 2+2 = 4

      You say "Services are poor beyond belief allegedly".

      I have found their products - their broadband, landline, mobile and IT services to be excellent - without fault. For years.

      But their CUSTOMER services are so bad that you wonder how the business can continue to function. It is almost impossible to have a rational human conversation with a member of staff. I have never before experienced the Talktalk anthropology whereby you undertake a slow, steady, polite conversation with someone, and yet they are taking in nothing of what you are trying to communicate, and they in return say nothing which has any connection with reality. It's bizarre. Thank God other large businesses have not taken this approach of excellent products, but dysfunctional customer communications. (eBay perhaps?).

  48. groovyf

    I see from the TalkTalk incident info page it suggests:

    "Check your credit report with the three main credit agencies: Call Credit, Experian and Equifax."

    Aren't they paid services? TalkTalk should be footing the bill for for all customers who want to check.

    1. AJ MacLeod

      According to http://help2.talktalk.co.uk/oct22incident , "We are offering a year’s free credit monitoring for all of our customers"

      1. ZippedyDooDah

        The free credit monitoring offered is "Noddle".

        You can currently sign up for Noddle for free anyway. Part of the sign up process for Noddle involves handing over a lot of private information so that they can verify your identity.

        I signed up for free about six weeks ago and had highly suspect junk email within 48 hours. Getting Noddle to delete my account took them approximately two weeks..

        I'll monitor my own accounts thank you very much.

  49. Anonymous Coward
    Anonymous Coward

    But at least their default censorship hasn't been compromised

    Who cares about customers as long as you're thinking of the children?

    /sarcasm off.

  50. Anonymous Coward
    Anonymous Coward

    Talktalk support chaotic

    I was hacked in August 2015 and Talktalk's response has been truly chaotic. The press seem to have been taking the line that Talktalk have been "doing the right thing" in trying to support hacked customers. My experience is that Talktalk have failed to offer me any support at all, to a startling degree. Here is my story:

    +++++++++++++++++++++++++++++++++++

    Regarding the hack into Talktalk in August ... Talktalk emailed me to warn me, and also included some unreasonable advice, which concerned me. On 11 Aug I phoned Talktalk to clarify. Their landline department assured me that my personal data remains secure, and then passed me to the mobile department, which absolutely assured me of the same. I was talking with them for 45 minutes.

    Some weeks later, I received a letter in the post from Talktalk, backdated to 12 Aug, which CONTRADICTED the verbal advice from 11 Aug. The letter warns that my data possibly HAS possibly been hacked, and repeats the unreasonable advice to (a) take out a trial subscription to Experian or Equifax or (b) to change my password, despite everyone insisting that passwords have not been hacked at all (c) to alert my banks.

    This advice to take out a trial subscription is neither reasonable nor professional. On the one hand, Talktalk should not be exploiting an Experian sales promotion in this way, and on the other hand my personal data would need to be monitored for many years into the future - at least 10 years - not just for the three months of the trial. Furthermore, it will be a big administrative hassle to set up a trial Experian account and deal with their promotional emails. And I fully expect that they will request my credit card details before signing me up to a trial.

    I do not want to alert my two banks unnecessarily, since, frankly, all hell will break loose on the part of the banks.

    On 19 October I IM'ed Talktalk (to have a record of our "conversation"). The agent was frankly incompetent. He insisted that Talktalk have not written to me. He reassured me everything is "good". He refused to have someone from the fraud department telephone me. Statements from the agent included:

    "If I am going to based [sic] it about the letter that you have received I would suggest to disregard this kind of letter or any Email immediately."

    "The letter itself will determine that you need to disregard it. The cyber attack would be directly through your online account."

    "As if there would be anything suspicious happened the Action Fraud Team will further help you. I have clarified that we do not send letter to customer that there details had been attacked. Everything would be through Email."

    The agent even tried to get me to phone Action Fraud (the government quango) to sort out my Talktalk problem.

    In short, Talktalk's response has been completely chaotic, and I am unable to discuss the matter with anyone sensible.

  51. Solway
    Flame

    So...

    So... this "email" that was meant to inform me of the security breach... i can't seem to find it??

    at least i was moving to BT FTTP in the next few days.

    In light of this security breach, i'm calling bollocks to your T&Cs and bollocks to your 30 day notice.

    Direct debit cancelled!

    I can't believe companies can get away with storing personal data unencrypted! haven't they learnt their lesson from the past like Sony PSN Hack?!!

    Surely there must be a gov regulator to check companies are storing data correctly!!

    As for storing DOB after the credit check, why! and you don't need to store ex-customer data...!

    Who fancies joining me on suing them...

  52. wheelbearing

    Sounds like a repeat of the Sony story

    Really TT had no excuse to not have a major drains up security review after the last data breach back in Jan/Feb.

    Maybe they did - but has anyone heard of anything along those lines? Certainly at the time in public they underplayed the seriousness of the last breach (was it so bad they felt they couldn't be honest?), and maybe they are now paying the price for not having done more to fix things at the time.

    This is what happens when big businesses whose operations rely totally on IT systems don't have IT expertise on their main boards when making the big investment decisions. Most of the ex-beancounters and sales bods who run these big companies just don't get the complexities, the scope or scale and cost of effectively managing IT systems security risks. It;s a big job and getting bigger, harder and more expensive to do well by the hour.

    The execs mutual back scratching clubs that make up the majority of major corporate main boards are more interested in upping each others remuneration packages and reducing IT costs, treating IT systems as well formed predictable commodities - which they are not, yet. Anything to stop those pesky non-sales related IT budgets growing....

    Customers/consumers should really take the security of their suppliers IT systems much more seriously - some kind of star rating system like those used for hotels would seem appropriate - crude and simplistic, like most of the the called security systems they rely on!

  53. Anonymous Coward
    Anonymous Coward

    Well.. the ground reality..

    As someone commented in the other story in El Reg here, if the application is hacked (SQLi predominantly) then encryption or not, the customer data is open for the hackers.

    The web services facing databases at TT are all encrypted well enough (I do know that and thats why I am anonymous today!). The internal systems everywhere will have dob, email address as plain text anyway (Marketing Databases of every company comes to mind). So the question to Dido about the encryption of data is not to the point.

    The blame falls on the managers who outsource most of their development as well as maintanence projects to companies which employ less skilled / dispassionate people primarily on the basis of costs and not having enough skilled / passionate people to validate if the delivery is secure enough (or atleast fit for business purpose!) to be deployed to the big bad world.

    oh, well.. It is Friday.. and beer time! bring the peanuts and popcorn!

    1. Anonymous Coward
      Anonymous Coward

      Re: Well.. the ground reality..

      I can just hear the next conference call between the board of directors (dialling in from non-extradition countries) now ...

      "Didn't we outsource all this sh*t to <name of big accountancy /IT firm> avoid this kind of problem?"

  54. Anonymous Coward
    Anonymous Coward

    And whose kit did they buy to help protect themselves?

    It always astounds me that when companies are hit by hackers or suffer a breach of security, the vendors whose products they bought to protect themselves never fall under the spotlight.

    IT Security is huge business, with vendors falling over themselves to offer the most upto date firewalls and intrusion protection, etc. It's a bit like buying a car for its NCAP safety rating, driving it down the road, being hit by another car, only to find out the airbags don't work. Obviously, hackers are always one step ahead but what's the point of buying this stuff if it don't work?

    So whose products were TT using then? Most know it to be Trend, but in TT Business, they also use, or used to use Huawei I believe. A guy I know was part of the TT account team at Huawei and told me about 3 years ago that TT had bought a load of their high end stuff, Huawei even installed an office in Manchester (I think it was) to support them, run by Chinese nationals of course. I moved my account to BT shortly afterwards, good decision I think.....

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like