TalkTalk hush-hush on compo for up to 4 million customers after mega cyber attack TalkTalk boss Dido Harding went from one Blighty news broadcaster to another on Friday, admitting that the budget telco had screwed up but declining to commit to compensating customers affected by the major criminal attack on its system. The ex-jockey claimed that it was too early for TalkTalk to know the extent of the …
What do these people do?
I don't know, but apparently it was worth £6.8m last year.
Nice work if you can get it.
So when will be the first batch of fake phishing emails with TalkTalk logos on them?
If I was the scammer I would be readying a whole batch of emails "From TalkTalk Compensation Team" asking customers to login to my fake talk talk site to hoover up even more data. I expect wording the emails as a claim for compensation should hook a good number of people in.
This is going to be an interesting few months for TalkTalk customers.
"I've been looking through the departmental budgets and obviously I'm missing something: at first glance it appears we are spending more on marketing and executive bonuses than on security!
Obviously that's insane so, like I said, clearly I'm missing something?
... I AM missing something ... right ??!!??"
As part of the "mitigation" for the breach, TT are offering people a year's free "credit alerts" if they sign up with Noddle. What they don't appear to be telling their customers is that Noddle partly finances its "free" basic service by targeting you with advertising (you will be provided with money saving offers and vouchers online) and encouraging you to participate in their "confidence rating" service which will direct you to products provided by carefully selected third party providers, including credit cards and loan products.
For a further fee, which isn't part of the TT deal, Noddle offers its Web Watch service which provides notification if your personal data is being traded or being sold fraudulently on the Internet, chat rooms, bulletin boards and file sharing sites. However use of this service involves the transfer of your information outside the European Economic Area [specifically, to the US].
I'm not sure this is the kind of "identity protection" TT's customers might have chosen for themselves. There does seem a possibility they may be exchanging TalkTalk for StalkStalk.
Which reminds me... Seeing as I and many other people have pointed out the potential problems with Plusnet security, and have been informed that is safe I need to write to them and point out when they get hacked 12 months free with a credit check agency is NOT going to cut it.
Seeing as I and many other people have pointed out the potential problems with Plusnet security, and have been informed that is safe
Write a letter to the ICO. A proper, paper letter, addressed to Christopher Graham. Copied to Plusnet's company secretary. That should spark some interest.
And besides that, I've taken up on the 'free for one year' noddle offer for alerts from TT. Only to see that whilst Noddle got my current account and credit card, it doesn't show my mortgage and mobile phone.
So what confidence is there that it actually provides the correct alerting.
To be fair, it wasn't really a risk. What happened is that someone set up a Direct Debit in his name. The Direct Debit Guarantee makes it explicit that he'd get his money back immediately - it's there precisely because the conditions for setting up a Direct Debit are lightweight.
What is a real risk is someone using the purloined identity details to convince the victim to hand over additional financial information "voluntarily" - at which point everyone else will wash their hands of any responsibility - or to blag their way into getting the passwords on banking and similar accounts reset.
> You believe it?!!!! The information allegedly leaked did not include bank passwords, to which Talktalk have no access.
Picture the scenario; person with no inkling of good security practice uses the same 10-char password for her TalkTalk account and her bank. TT account gets hacked and reveals her bank, account number, sort code, address, DOB. Probably some lame-arsed security questions too. Attacker now has all of the creds necessary to get access to a bank account, probably enough extra info to change everything else.
If all the e-cyber i-heists x-haXx0rz of the last ten years have told us anything it's that password re-use is pretty standard. And if the TT hack is as total as their continued silence is making it seem I'd expect a good few thousand people to have their accounts hit in the next few days; if not then it's probably just coincidence and her account was compromised in some other way.
I got the impression rhat she had fallen for some social engineering trick.
It doesn't take the hack of a database to find out that someone is a TT customer, or their phone number and address. It's also very easy to find a DOB nowadays. Sort codes and account numbers might be a tad more difficult, but we know from Watchdog and You & Yours that people are more than willing to give that info over when asked in a courteous and professional manner.
On Saturday morning on the local radio station (via Sky news I think), there was a woman who claimed her bank account had been wiped out and left her overdrawn.Well, one report I read was of a woman who claimed to have lost £600(?) last Sunday as a result of this - despite that being a few days before the incident actually occurred (a small detail that seemed to be missed by the reporter).
Remember how Clarkson challenged world + dog that just knowing his account number wasn't a security risk, and was then proved wrong?I do - although no-one has ever explained how information that has been on every cheque that I have ever written could give anyone access to my account.
But she later corrected that number to "literally hundreds of databases".
They are obviously incompetent.
If I were with Talk Talk I would port out and saying I'm not paying the termination fee if there is one because three hacks in a year, a boss which talks about "hundreds of databases", and the very real possibility of identity theft is not a service which is fit for purpose under the Sale of Goods Act. And if they were to say they're still going to charge me a termination fee for leaving then I would tell them I'm cancelling the direct debit and they can send me an invoice if they wanted to but I'm refusing to pay it and they can take me to court if they still want the money. And then we could talk about the legal action that could be taken against them if any identity theft does occur. Fuck 'em.
Business School case studies examine disasters (we had Singer Sewing Machines - it was that long ago). Now... your name is Baroness Dido - what do you DO? Hindsight is forbidden in your answer, also no paying McKinsey, or doubling salaries for IT grunts. No, very seriously, if YOU want to be a Boss, and even if you didn't bother to clock a PPE between youthful rides, what do you do NOW?
1) Get a briefing from IT and Legal so I don't stitch up the company in terms of liability insurance or appear like an idiot by mixing up a DDoS with a data theft and talking about "hundreds of databases" (which I certainly hope isn't true).
2) Ban Marketing and PR from saying anything (reasons: see 1).
3) Identify sacrificial goats. This would be whoever proposed the last reduction in "administration" expenses. Bonus points here if an external Management Consultancy or activist shareholder can be hung out to dry. Ideal solution - pin it on Bankers somehow. Remember that the public (i.e customers) like seeing "suits" lynched, not engineers.
4) Offer indemnities as far as possible, subject to Legal advice. Do not involve anything that the opposition can spin as further ID snaffling.
5) Offer carte blanche, penalty free early contract termination. Undecided customers will respect it and those who really want out will leave anyway because trying to enforce the penalties would be an even bigger PR disaster and might even fail in court.
6) Announce credible steps towards future recurrence with a visible hair shirt element. Bonus and dividend cancellations to the fore.
7) Assume a sharp, short term fall in the stock price. Preventing that is impossible so worrying about it is irrelevant. Adopt a price target for Q2 2016.
"No, very seriously, if YOU want to be a Boss, and even if you didn't bother to clock a PPE between youthful rides, what do you do NOW?"
In her situation, resign. It ought to be expected of her. The interviews on her round of the media should have started along these lines:
Interviewer: Let me start by congratulating you on your promotion.
Her: I haven't been promoted.
Interviewer: But aren't you the new TalkTalk CEO?
Her: I'm the CEO but I've been CEO since whenever.
Interviewer: Oh, I'd assumed that a CEO in charge of a shambles like this would have resigned immediately. Let me start by asking you why you haven't resigned.
In her situation, resign
I' announce my resignation - but 8 weeks hence.
If she has any integrity whatsoever, her job is toast. But by staying on to deal with the fallout of her bad decisions, she would gain some credibility. And there is no doubt that she would be trying to do the right thing - since she has already resigned...
Vic.
Hysteria, encouraged by farcical 'reporters' at the remains of the Telegraph and the Times (very keen to encourage people to move to Sky of course)
As a happy Talktalk customer for 5 years plus, TT have confirned by email today:
• The number of customers affected and the amount of data potentially stolen is smaller than originally thought. Our website was attacked, but our core systems weren’t and remain secure.
• On its own, none of the data that may have been accessed could be used to leave you financially worse off.
• We don’t store unencrypted credit or debit card data on our site, so any card details which may have been accessed have the 6 middle digits blanked out. For example, it would appear as 012345XXXXXX6789. This means it can’t be used for financial transactions.
• No My Account passwords have been accessed.
• No banking details were taken that you won’t already be sharing with people when you write a cheque or give to someone so they can pay money into your account.
Unfortunately, speaking as someone who has more than a passing insight into this industry, I can tell you now if someone really did gain access to the network there WILL be files on there that have unencrypted information, and there is a chance that that information can be found and used (more likely in a social engineering capacity than direct bank access, but I wouldn't rule that out either). I know - I have seen identical situations with my own eyes (hence A/C).
The people at the top only care about money they are earning for themselves. The shareholders are only worried about their dividends. They don't give a crap about anyone else, and they WILL cut corners, and they WILL under-invest in areas such as security (which lets be honest is not cheap, but it is necessary).
If nothing else, I would urge caution.
This post has been deleted by its author
I've been pinching myself overight. Did I really hear Dido on Radio 4 say something like: "The criminals might have enough information about your bank account to pay in but could not get any payments out".
Have been trying to imagine all these criminal hacker gangs beavering away to be able to put credits into customers' accounts. Hmm, maybe not.
What I want to know - so far pretty much everything has focused on existing customers - but what details did TalkTalk hold on ex-customers? Do TalkTalk have bank account details in their databases for people who used to be customers? We only left them about 3 months ago - could El Reg possibly find out how long they retain details on ex customers? (We were a business customer, migrated via Pipex and Opal)
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
