Aren't talk talk the lot that desperately wanted everyone to sign their porn register, I mean opt out of the net nanny scheme?
TalkTalk CEO admits security fail, says hacker emailed ransom demand
Dido Harding, the chief executive of TalkTalk, has confessed her company should have done more to protect its customers' personal information, and has confirmed a seemingly related blackmail attempt. Harding told BBC News that she had personally received an email which included a ransom demand from "an individual or a group, …
COMMENTS
-
Friday 23rd October 2015 15:33 GMT Danny 14
Which also leads on to an interesting question: what about people who have previously been TalkTalk customers? Are their details (and CC/bank accounts) still held on the system?
Whilst they might contact current customers, will they be contacting previous ones too?
That's a nice 4 million mailshot earner for the franking machine.
-
Friday 23rd October 2015 21:09 GMT Chris King
If they have retained customer details from the operations they have taken over, it's not just ex-TalkTalk customers in the firing line. What about former customers of...
AOL (UK)
Tiscali
Pipex
Nildram
Tesco Broadband
Virgin Media (ADSL)
OneTel
...and possibly others I've forgotten about?
I will be SERIOUSLY miffed if I'm caught in the crossfire of this Charlie Foxtrot - I was a Nildram customer but escaped to AAISP nearly ten years ago, and had a OneTel dialup account before that. How long have they held on to ex-customer data, I wonder?
-
Friday 23rd October 2015 22:32 GMT Doctor Syntax
@Chris King
Like you I've been through the Nildram>Pipex>Tiscali route but I jumped ship nearly 6 years ago. A good deal of what they had will be stale by now, certainly I've changed bank since then. I doubt either of us would fall for a call claiming to be from their customer disservices - they never did anything after the Tiscali takeover so why expect them to be getting round to it now?
In fact, after the Tiscali takeover their email support would have passed the Turing test - there was no way to tell whether it was human or a bot - but not in a good way.
-
Sunday 25th October 2015 17:48 GMT John Brown (no body)
"who have previously been talktalk customers?"
...not to mention ex-customers of ISPs which have been taken over by Talk Talk. I wonder how many people that might affect and if they have even a vague inkling that their bank account details might have been compromised?
EDIT: I now see this topic has already been mentioned (and down voted? WTF?????)
-
Friday 23rd October 2015 17:14 GMT Arctic fox
Re: Dido Harding...
Well done gentlemen - there is perhaps something to be said for some form of classical education!
"When I am laid, am laid in earth, May my wrongs create
No trouble, no trouble in thy breast;
Remember me, remember me, but ah! forget my fate.
Remember me, but ah! forget my fate."
-
This post has been deleted by its author
-
Friday 23rd October 2015 15:44 GMT Kubla Cant
Re: Radio 4
In the interview on Radio 4 this morning the person claimed it was too early to say if important customer data was encrypted (and there were millions of records, as if that was a reason).
Record 1: not encrypted, record 2: not encrypted either, record 3: still not encrypted, record 4...
You can see how this may take some time.
-
Friday 23rd October 2015 16:13 GMT MrWibble
Re: Radio 4
Ars says "no"
"Moreover, TalkTalk has confirmed to Ars that some of its customer data was stored in plaintext, i.e. not encrypted. The spokesperson admitted this was "not ideal,""
-
Friday 23rd October 2015 17:05 GMT Anonymous Coward
Re: Radio 4
SQL injection can bypass encrypted data. Though there's some data (e.g. passwords) that should be encrypted in a form that even the company itself can't access. And it wasn't because the passwords are out there in pastebin for all to see.
I wish that I had never signed up with TalkTalk. I pay for everything via credit card normally. That affords me some protection. But with my TalkTalk business account they refused to accept credit card. They said I could change the payment information over to credit card later on but that they could not (read: would not) set up an account without bank details. And instead of backing out at that point and going through the entire selection and sign-up process again with a different provider, I let them have the bank details so they could have a direct debit. So now my name, bank details and a password (only used for TalkTalk) are out there because of these people.
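The post above says passwords should be stored "in a form that even the company itself can't access". The standard way to do that is a salted, iterated one-way hash rather than reversible encryption: the operator can check a login attempt but cannot recover the password from what it stores, so a dump of the table does not hand out plaintext passwords. The example below is added here to illustrate that; it is not TalkTalk's code or anything from the article. It uses Python's standard library `hashlib.pbkdf2_hmac`; the iteration count and the sample password are constructed values chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumption: a work factor picked for this example. Real deployments tune this
# to their hardware and revisit it over time.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password.

    The digest is one-way: there is no key that turns it back into the
    password, which is the property the comment above asks for. A fresh random
    salt per user means two users with the same password get different digests.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def store_record(password: str) -> dict:
    """What would actually be written to the customer table: salt + digest + parameters.

    The plaintext password is deliberately not part of the record.
    """
    salt, digest = hash_password(password)
    return {
        "kdf": "pbkdf2_sha256",
        "iterations": ITERATIONS,
        "salt": salt.hex(),
        "digest": digest.hex(),
    }


def check_login(record: dict, password: str) -> bool:
    """Verify a login attempt against a stored record."""
    return verify_password(
        password,
        bytes.fromhex(record["salt"]),
        bytes.fromhex(record["digest"]),
    )


if __name__ == "__main__":
    # Constructed sample password for the demonstration only.
    rec = store_record("correct-horse-battery")
    print("stored record:", rec)
    print("right password accepted:", check_login(rec, "correct-horse-battery"))
    print("wrong password rejected:", not check_login(rec, "wrong-password"))
```

If the table in `store_record` is what leaks, an attacker gets salts and digests but no passwords, and has to spend the full work factor per guess per user; that is the difference between this and a reversible "encrypted" column whose key sits next to the data.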
-
Saturday 24th October 2015 10:48 GMT Cameron Colley
Re: Radio 4
@Anonymous Coward: "So, how is that important? They have the same details you give when you write a cheque for something to be delivered to your home address. And, like any sane person, you don't use the same password for your banking."
You sound just like Jeremy Clarkson. Perhaps look into how well it went for him when he made his banking details public?
-
Friday 23rd October 2015 14:58 GMT mark 120
Lol. Selling data on the dark web isn't as profitable as it used to be? That's only if you look at it on a price per unit basis, because the market is flooded with details stolen from companies like TT. Overall it's still very profitable.
Is it just me who thinks she needs a PR person telling her to shut up right now?
-
Friday 23rd October 2015 15:09 GMT Geoff May
Re: Whats the betting
Except that will not help them, because the only real way of getting security would be to change banks, move house, change your name and try and get your date of birth amended. I wonder if TalkTalk customers can move to a different calendar to avoid future trouble ...
-
Friday 23rd October 2015 15:07 GMT Anonymous Coward
relax
Gubbmint keep telling us they have invested billions in cyberstuff to protect/spy on us
Forget police dealing with burglary, muggings etc cos they are all back in the station trying to figure out how to get back to that screen they had a minute ago sarge.
Meanwhile private companies have taken this as a sign they can go to sleep and just let the boys in the big doughnut nerve centre advise them after the fact.
-
Friday 23rd October 2015 15:18 GMT Peter Kavanagh.
Ongoing, definitely not new
Someone in earlier article comments mentioned they knew of instances of attempted phishing calls, where the scammers had worryingly detailed knowledge of the target's TalkTalk account information.
On a phone-in to LBC on Monday someone called in with a very similar story of a call - "we understand you've had problems with our broadband service" (customer had indeed experienced this) ", so we would like to refund you some money, just need to check the payment details...".
Either inside information or clear confirmation that account details have been compromised in earlier attacks.
-
Friday 23rd October 2015 16:06 GMT circusmole
The brass neck...
...of people like her never ceases to amaze me. It was HER JOB to make sure that customer data was secure - it's called good governance. If she had a shred of decency she would first say, words to the effect of "I personally fcuked up big time, I didn't do my job properly" and then say "I am resigning with immediate effect and I will refuse to take my obscene golden parachute and also my overly inflated bonus payment. Goodbye".
Well, I can dream can't I?
-
Friday 23rd October 2015 16:47 GMT pointyhairmanager
Ignorance across the Board!
It is a telecoms company, so you would think there would be executive IT or technical presence on the board would you not. Or at least someone who might know something about the technology behind this (since the CEO obviously does not). Not so! Ms Harding's lamentable level of ignorance of all things technical seems to be echoed across the board - at least the executive board. The wider non-exec "jobs for the boys" board does include someone whose day job is being CTO for Nielson, but there seems to be no executive responsible for things technical. At least not in their job title.
It would not be quite so bad if this were the first time Talk Talk had been targeted and found wanting on the security front. But alas it is not as you can see earlier this year in http://www.theguardian.com/money/2015/mar/14/talktalk-fraud-victim-compensation-data-theft-responsibility
If it turns out to be as bad as it seems, it is frankly time the ICO got serious with rogue companies like Talk Talk who either cannot or will not take the security of their customers' data seriously. And the CEO of this shambolic enterprise should surely be fired immediately: To lose one's data once is unfortunate; to lose it twice is careless.
-
Saturday 24th October 2015 09:42 GMT circusmole
Re: Ignorance across the Board!
I would not be surprised if a Talk Talk board meeting went something like...
CEO: Where are we with customer data security?
CTO: Funny you should mention that, I bumped into The Head of IT yesterday. He's a difficult bugger to track down sometimes (general titters and laughter around the room). I asked him the very same question and he said that all was fine.
CEO: Good. That's what I like to hear. Next item on the agenda...
-
Saturday 24th October 2015 15:45 GMT Duffaboy
Re: Ignorance across the Board!
Moss: Did you notice how she didn't even get excited when she saw this original ZX81?
Roy: Yeah, that was weird. It's almost as if she doesn't know anything about computers.
Moss: What?! (Drops mug)
Roy: What're you doing?!
Moss: Oh, don't worry. That's why I always make two cups of tea. (Picks up another mug) Anyway, what were we talking about?
Roy: Her not knowing anything about computers.
Moss: WHAT?! (drops mug)
-
Friday 23rd October 2015 17:21 GMT SVV
BBC news just reported it was a SQL injection attack
Basic coding standards have been able to guard against this for 15+ years, so there's really no excuse.
(If you don't know what this is, it's basically down to lazy coding whereby attackers simply enter parts of a database query into a text field, causing more data to be returned than should be.)
Sounds like yet another company preferring youth to experience and paying the price yet again.
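The post above describes SQL injection as an attacker entering "parts of a database query into a text field, causing more data to be returned than should be", and says basic coding standards have guarded against it for years. The example below is added here to show both halves of that claim side by side; it is not code from TalkTalk or from the article. It builds a constructed in-memory SQLite table, runs the same lookup once with string concatenation and once with a parameterised query (Python's `sqlite3` `?` placeholder), and counts the rows each returns for a benign username and for the textbook tautology input.

```python
import sqlite3

# Constructed sample data for the demonstration: three made-up customers.
SAMPLE_ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The lazy pattern the post describes: the input is pasted into the SQL text.

    Whatever the user typed becomes part of the query, so quotes and keywords in
    the input change the query's meaning instead of being matched as a value.
    """
    sql = "SELECT id, username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """The standard fix: the driver sends the value separately from the query.

    The input is only ever compared as data, so it can never alter the WHERE clause.
    """
    sql = "SELECT id, username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare_lookups() -> dict:
    """Row counts for a benign name and for the classic tautology fragment."""
    conn = make_db()
    benign = "alice"
    # The textbook illustration of "part of a query typed into a text field".
    crafted = "x' OR '1'='1"
    return {
        "vulnerable_benign": len(lookup_vulnerable(conn, benign)),
        "vulnerable_crafted": len(lookup_vulnerable(conn, crafted)),
        "parameterised_benign": len(lookup_parameterised(conn, benign)),
        "parameterised_crafted": len(lookup_parameterised(conn, crafted)),
    }


if __name__ == "__main__":
    for name, count in compare_lookups().items():
        print(f"{name}: {count} row(s)")
```

With the concatenated query the crafted input turns `WHERE username = 'x' OR '1'='1'` into a condition that is true for every row, so all three customers come back; the parameterised version looks for a customer literally named `x' OR '1'='1` and finds none. The hardened version is also the shorter one, which is the point the post makes about there being no excuse.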
-
Friday 23rd October 2015 22:53 GMT steogede
Re: BBC news just reported it was a SQL injection attack
Do you honestly think that anyone here doesn't know what SQL injection is?
> Sounds like yet another company preferring youth to experience and paying the price yet again.
Just as likely that it was a very experienced lazy idiot, in fact probably more likely. If it were written by some inexperienced young 'un, they'd probably be using some trendy framework that made SQL injection very difficult.
-
Saturday 24th October 2015 00:37 GMT Allan George Dyer
Re: BBC news just reported it was a SQL injection attack
Yeah, everyone knows that a SQL injection attack is a method for choosing names for your children.
-
Saturday 24th October 2015 16:18 GMT Duffaboy
Re: BBC news just reported it was a SQL injection attack
Another fine example of management not listening to the Techys..
Jen: With all due respect John, I am the head of IT and I have it on good authority that if you type "Google" into Google, you can break the Internet. So please, no one try it, even for a joke. [the executives laugh] It's not a laughing matter. You can break the Internet.
-
Friday 23rd October 2015 18:29 GMT Steve 53
The state of the SSL/TLS Stack
While the TLS stack isn't compliant with PCI-DSS 3.1, it doesn't need to be until June 2016. 3.1 is relatively recent, and organisations have some time to bring themselves into compliance.
The only thing the audit picks up on the PCI side is a SHA1 certificate, which will most likely be fixed on renewal.
The report flags Camellia as not a NIST standard, which is true - it tends to be preferred in Europe / Asia.
PFS is available.
As High-Tech says, A rating, and a good indication that TLS has been configured by hand for security, or that they've done pretty well out of the box. Total red herring as far as "indications of the security culture" is concerned.
Now, why an SQL attack (if that is the case - my level of trust in Rory Cellan-Jones is rather low...) was possible is another matter. You'd hope coding techniques and libraries have sorted this problem. At the very least a PCI mandated Web Application Firewall should have caught that sort of attack (WAF is, of course, a safety net - not an excuse for poor coding), assuming it was put in and turned on...
-
Friday 23rd October 2015 20:26 GMT John Munyard
According to reports on Radio 4 this afternoon this wasn't even a particularly complex attack, comprising a DDoS attack with an SQL injection... something that 90% of amateur script-kiddies know how to do.
Now cyber security is a big issue, but as a Talk-Talk customer myself you really have to question the basic competence of what is one of the UK's major ISPs that they have not only managed to have their pants pulled down around their ankles so easily, but also how that came to happen successfully after two previous similar attacks during the past year.
What a bunch of f**king clowns. The woman CEO of Talk Talk should be incarcerated for presiding over such interstellar levels of corporate incompetence.
-
Friday 23rd October 2015 20:40 GMT Anonymous Coward
Birds of a feather?
I see that Dido Harding (CEO) has an MBA and read PPE, Olivia Streatfeild (Commercial Director) has an MBA and read Political Science and Government.
I wonder if -
1) They didn't care for anyone 'mansplaining' that TalkTalk's IT blew chunks?
2) They knew little about IT and cared less?
-
Friday 23rd October 2015 22:01 GMT cyrus
I hope...
the criminal investigation of this breach is focusing on the lack of security and therefore may expose TalkTalk as the real culprit.
On one hand, I hate the hacking we all hear about every day. On the other, when hacks expose embarrassing security fuck ups made by people who should know better, I can only hope other corporate entities take notice.
Ultimately, hanging Dido out to dry in a criminal court for negligence is probably the only thing that might make them take notice. If Safe Harbor is illegal, then surely this level of technical stupidity should be criminal as well.
-
Saturday 24th October 2015 09:09 GMT Joe Montana
Lack of PCI compliance?
The SSL checker indicates they are not PCI compliant purely because of their cert being SHA-1 signed, but many cert authorities still provide such certs for the time being, and there are plenty of old certs out there too.
As for other aspects of the standard, just requiring strong encryption isn't enough, you have to actually be using it properly. Encryption is pointless if the key is held on the same host, and the data can't be used if it can't be decrypted.
Many implementations comply with the standard by encrypting the data, but then provide a way to access it, therefore bypassing the encryption... Many of the people who assess PCI compliance are just box tickers and have no understanding of the actual technology, so if you store your data on an encrypted volume that's automounted at boot that will often be sufficient to pass but in reality has not improved your security at all because anyone who compromises the host will be able to access the data anyway.
-
Saturday 24th October 2015 09:57 GMT Daniel Bower
Surely she has to go...
Interviewer: was the data encrypted?
Dildo: honestly? I don't know...
That alone should seal her fate for two reasons:
One for not knowing and two for not categorically being able to say yes.
As to her comment that all companies face these threats day in day out. Yes they do, but most, particularly companies of this size, do so much better at dealing with them...
-
Saturday 24th October 2015 11:24 GMT achillesneil
I reckon they they have stolen all the personal data, but probably not the bank account details.
I had a new TalkTalk line put in a couple of weeks ago, hardly gave anybody my new phone number, and I just had a scam call. Somebody phoned me up, asked for me and said he was calling from TalkTalk; he knew my exact name, then asked me to confirm my name and User Id. I said if you already know my name, why the hell are you asking me that question. Then he hung up.
I hope they salted our bank details. Or else this will be a major f**k up of all proportions. Even I know how to minimise SQL injections.
-
Saturday 24th October 2015 15:47 GMT Duffaboy
To quote The IT Crowd
Jen (Dido): With all due respect John, I am the head of IT and I have it on good authority that if you type "Google" into Google, you can break the Internet. So please, no one try it, even for a joke. [the executives laugh] It's not a laughing matter. You can break the Internet.