Let me fix that headline for you:
"Talktalk incident mismanagement: A timeline"
Contradictory statements issued by TalkTalk regarding the third data breach the company has experienced this year have provided inadequate information to the telco's customers about their data, while effectively insulating the company from questions regarding its security practices with insubstantive, and at times incoherent, PR …
>I find it harder and harder to remember who's on my shit-list, it gets so crowded.
>I think I'm still friends with Waitrose, but who can tell for sure?!
I can help you with that, it will take just one moment to access your information from my system... Hm, that is strange? For verification purposes only, can I get your full name, mother's maiden name, etc. ?
;-)
"A potentially more responsible provider." If you can find one! How would you know?
History, my dear boy. Not a guarantee but a jolly good indicator.
I could name four ISPs (two in the value market and two in the premium market) who I would recommend to anybody. They have delivered consistent high quality connections. More importantly they have intelligent teams who have coped with incidents. Quality support is an expensive luxury until you need it. TalkTalk's expertise is (sorry WAS) talking you out of thinking you need it.
Out of the usual suspects, only Virgin said something for the security metric that suggested that they take some care over your personal data.
http://arstechnica.co.uk/business/2015/05/ars-technica-the-uk-safest-isp/
Or you can try a website like this one...
"The UK has a dead dog in this fight. They [GCHQ] are worse than the US."
For Internet surfers in the UK, the most significant surveillance program revealed by the leaks is Tempora. According to documents leaked to The Guardian, Tempora is a GCHQ program that intercepts data on many of the Internet’s fibre-optic backbone connections, both in the UK and globally. The extent of Tempora is unknown, but Snowden’s leaks contained a claim from the UK that GCHQ scoops up even more metadata than the NSA.
None of GCHQ's laudable system aims served to prevent anything most of us would like to have seen prevented since before the USA was taken over by the chimp.
As a TalkTalk customer I should have been notified by secure means, i.e. not a web announcement nor email, of 9 facets dealing with this incident as laid down in EU Regulation 611/2013. I'm still waiting.
This Law says:
The notification to the subscriber or individual shall be made without undue delay after the detection of the personal data breach, as set out in the third subparagraph of Article 2(2).
It is if you take into account the Supply of Goods and Services Act and are willing to have it out with them. Service must be carried out with reasonable care and skill. Service must be of satisfactory quality and fit for purpose.
Their T&Cs are like an EULA, you've still got your consumer rights.
If they get away with this farce I'm just going to give up. If Visa and Mastercard don't punish them there's going to be no point in bothering to try to get PCI implemented, as every board member will go "well, TalkTalk got away with a slap on the wrist, why should we bother?", and as to data protection, I can imagine anyone wanting to have security enforced will be laughed out of the building.
They can't be allowed to get away with this.
He's right. They could have completely air-gapped their systems and kept everything on paper in a secure vault with armed guards.
But they didn't. So they're still in trouble because their measures clearly weren't "adequate".
Not that they're any different to thousands of others (including healthcare providers and banks).
Not wishing to detract from beating up TalkTalk, but since people here might have an answer, I have a question...
Q. Why don't credit-card companies tell providers NOT to store card details ever, and instead, issue them a token on receipt of a valid card number? E.g.
Customer (unwisely) decides to sign up with TalkTalk. Enters their contact details and card number on the TT website and agree to (say) a sign up fee of £X and recurring debits of ~£Y based on call-usage etc.
For £X, since it's a one-off, TT don't need to store a card number. For ~£Y they do currently because they need to debit the customer (usually) once a month. So instead the card company supplies a token (like a disposable card number) but this one is constrained such that ONLY TT can use it... so even if it leaks, it's useless. And it could be further constrained by number of debits per month, or limited value ranges.
I've wondered this for years... basically whenever a leak ends up in the news. It's an obvious solution, so I'm guessing there's a good reason it's not implemented?
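The merchant-bound token the question describes, as an added example that is not part of the original thread and not any real card network's API: a toy network-side vault issues a random token tied to one merchant, a monthly debit count and a value ceiling, so the merchant only ever stores the token and a leaked copy is useless to anyone else. The merchant IDs, limits and the test card number are constructed assumptions.

```python
# Added example (not code from the original thread or from any card network):
# a toy network-side token vault illustrating merchant-bound payment tokens.
# Merchant IDs, limits and the sample card number are constructed assumptions.
import secrets
from dataclasses import dataclass, field
from datetime import date


@dataclass
class TokenPolicy:
    merchant_id: str           # only this merchant may present the token
    max_debits_per_month: int  # e.g. one recurring debit a month
    max_amount_pence: int      # ceiling on any single debit


@dataclass
class TokenRecord:
    pan: str                   # real card number; never leaves the vault
    policy: TokenPolicy
    debits: dict = field(default_factory=dict)  # "YYYY-MM" -> debits so far


class NetworkVault:
    """Held by the card network / issuer, never by the merchant."""

    def __init__(self) -> None:
        self._tokens = {}  # token -> TokenRecord

    def issue(self, pan: str, policy: TokenPolicy) -> str:
        # The token is random, so nothing about the PAN can be derived from it.
        token = "tok_" + secrets.token_hex(8)
        self._tokens[token] = TokenRecord(pan, policy)
        return token

    def charge(self, token: str, merchant_id: str, amount_pence: int, when: date) -> str:
        rec = self._tokens.get(token)
        if rec is None:
            return "DECLINED: unknown token"
        if rec.policy.merchant_id != merchant_id:
            return "DECLINED: token not bound to this merchant"
        if amount_pence > rec.policy.max_amount_pence:
            return "DECLINED: amount over token limit"
        month = when.strftime("%Y-%m")
        if rec.debits.get(month, 0) >= rec.policy.max_debits_per_month:
            return "DECLINED: monthly debit count exhausted"
        rec.debits[month] = rec.debits.get(month, 0) + 1
        return "APPROVED"


def demo() -> dict:
    """Walk through the post's scenario: sign-up, monthly debits, then a leak."""
    vault = NetworkVault()
    policy = TokenPolicy(merchant_id="ISP-A", max_debits_per_month=1, max_amount_pence=5000)
    pan = "4111111111111111"  # constructed test card number
    token = vault.issue(pan, policy)

    merchant_db = {"customer_42": token}  # all the merchant ever has to store

    return {
        "pan_recoverable_from_token": pan in token,
        "first_debit": vault.charge(token, "ISP-A", 4250, date(2015, 10, 1)),
        "second_debit_same_month": vault.charge(token, "ISP-A", 4250, date(2015, 10, 15)),
        "next_month": vault.charge(token, "ISP-A", 4250, date(2015, 11, 1)),
        "over_limit": vault.charge(token, "ISP-A", 9000, date(2015, 12, 1)),
        # The merchant's database leaks; whoever got it tries to use the token elsewhere.
        "leaked_token_other_merchant": vault.charge(
            merchant_db["customer_42"], "FRAUD-SHOP", 100, date(2015, 12, 1)
        ),
    }


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The vault is the only party that ever sees the card number; what the merchant keeps is a random handle plus the policy the network enforces on every presentment, which is why the count and value constraints in the question can be checked without the merchant holding anything worth stealing.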
"We respect our customers privacy and encrypt all financial data. Leave TalkTalk and sign up with us and we will pay your termination fees."
That no one is making such statements makes you wonder just how secure they are.
I know plusnet store passwords either as plain text or using easily reversible encryption, their support people can tell you what your password is.
Account login used on the modem, ISP supplied email etc... not the supplied router admin password or WiFi passphrase.
Their justification for it is that it makes things easier when customers call support.
Those passwords aren't normally used for much so poor security on them isn't much of an issue directly. What is more worrying is the underlying attitude that it's ok to compromise security if it makes life easier.
Not to mention the obvious issue that people frequently re-use passwords
Given that Plusnet and BT are the same company, the fact that they use deficient procedures is hardly surprising.
The fact that any outfit keeps the password in plaintext is a good reason to avoid them, even if you never use their supplied email setup (you may not use it, but someone else might well decide to use it to impersonate you).
@Kubla Cant
Interesting, when I've talked to them in the past they 'reset' the password to default for me, which is always the same, but as long as you change it (which should be mandatory but I think is not) they don't have access to it (well they don't seem to)
A company is allowed to lose your data to people who intend to use it to commit crime which may financially impact you and you have to pay to make any changes to the data (like change bank etc)? And this is legal?!
Has anyone checked to see if any of the senior management at TalkTalk bought shares in Noddle in the past few weeks? The value of that company will be rocketing at the minute and TalkTalk have effectively created a revenue stream.
I have mentioned it before, but perhaps statutory liability should be attached for holding personal information?
The obsession of knowing *everything* about you is never for *your* benefit. If the cheque clears, why do they care?
It may turn out that they can "provide a better service" by knowing every last thing about you.
One wonders if the only way some companies get so large is not by being good, but by being less worse than the competition?
Note the icon...nothing to see here!
P.
I never got why companies hold so much information on us...
I have a small business... The amount of information I keep on customers is minimal, only what I need to actually perform the service for them.
And actually storing bank details in a way that can be accessed over the internet??? are they mad?
Surely you have a one-way internal API call for that data, actual credit card data stored encrypted in that system and ONLY the payment processor should have access to the private key to decrypt?
If anyone thinking to join TalkTalk, dont. There is no legal obligation to encrypt data, but as the past has shown, there is a moral obligation. Because things like this will continue to happen and unencrypted data is a gold mine. I hope ICO nails them with a massive fine. And if you are on TalkTalk, keep all of this in mind when renewing your contract.
Encryption might not have made any difference. If they just used SQL to query the data out of the database then it doesn't matter if it was encrypted at rest or if the channels the data travelled over were encrypted.
Allowing SQL injection usually means you developed your website in an old framework that didn't block it by default (like classic ASP or early versions of RoR) or that your devs overrode the defaults to make their code easier. Also that you didn't run any number of automated pen-test tools against the site. Or that you ignored the results if you did.
That is only true if talking about TDE (transparent data encryption). Which is only good for people that misplace their servers/storage, or can't be bothered to destroy the drives with the sensitive data on them when finished with them.
If the data was encrypted at the application level then SQL injection wouldn't work, it would need to be an application-level exploit to get the data. If the data wasn't accessible by the web service (as it shouldn't be) and only tokenised and masked data then no data would have been available apart from the partial masked data needed for any comparisons in SQL queries.
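The tokenise-and-mask design argued for in the last few comments, as an added example that is not code from the original thread or from TalkTalk: the same string-built lookup is run against two constructed in-memory SQLite tables, one holding raw card numbers and one holding only a keyed HMAC token plus a masked copy. A UNION injection through the vulnerable query dumps the whole card column either way; what it gets is only useful in the first case. The key, table layout and sample records are assumptions made for the demonstration.

```python
# Added example (not code from the original thread or from TalkTalk): the same
# injectable query on two constructed databases, one storing raw PANs and one
# storing only an HMAC token plus a masked copy. Key, schema and records are assumed.
import hashlib
import hmac
import sqlite3

# In a real deployment this key belongs to the payment processor (HSM/vault),
# not to the web tier that runs the queries below.
TOKEN_KEY = b"constructed-demo-key"

SAMPLE_CUSTOMERS = [  # constructed test data
    ("alice", "4111111111111111"),
    ("bob", "5555555555554444"),
]


def tokenise(pan: str) -> str:
    """Keyed one-way token: stable enough for lookups, useless without the key."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()


def mask(pan: str) -> str:
    """The only fragment the web tier needs for display or comparison."""
    return "*" * (len(pan) - 4) + pan[-4:]


def build_db(store_raw_pan: bool) -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (name TEXT, card TEXT, card_last4 TEXT)")
    for name, pan in SAMPLE_CUSTOMERS:
        stored = pan if store_raw_pan else tokenise(pan)
        con.execute("INSERT INTO customers VALUES (?, ?, ?)", (name, stored, mask(pan)))
    con.commit()
    return con


def lookup_vulnerable(con: sqlite3.Connection, name: str) -> list:
    # The classic mistake: user input spliced straight into the SQL text.
    sql = f"SELECT name, card_last4 FROM customers WHERE name = '{name}'"
    return con.execute(sql).fetchall()


def lookup_safe(con: sqlite3.Connection, name: str) -> list:
    # Parameterised query: the input is only ever a value, never SQL.
    return con.execute(
        "SELECT name, card_last4 FROM customers WHERE name = ?", (name,)
    ).fetchall()


# UNION-based injection that pulls the 'card' column out through the name lookup.
PAYLOAD = "nobody' UNION SELECT name, card FROM customers --"


def cards_leaked_by_injection(store_raw_pan: bool) -> set:
    """Everything in the card column an attacker gets via the vulnerable lookup."""
    rows = lookup_vulnerable(build_db(store_raw_pan), PAYLOAD)
    return {card for _name, card in rows}


def safe_lookup_with_payload(store_raw_pan: bool) -> list:
    """The same payload against the parameterised query returns nothing."""
    return lookup_safe(build_db(store_raw_pan), PAYLOAD)


if __name__ == "__main__":
    print("raw PANs stored, injection yields:", cards_leaked_by_injection(True))
    print("tokens stored, injection yields:", cards_leaked_by_injection(False))
    print("parameterised query with payload:", safe_lookup_with_payload(True))
```

Both fixes matter: the parameterised query stops this particular dump, and not storing the card number in the web-facing database means the next injection (or a stolen backup, or a rogue admin) still only yields tokens and last-four digits.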
the off shoring is just a symptom, the reason the IT security is crap is because they don't care about security, they also don't care about IT, it's all just a cost centre that they want to make smaller. The offshoring is just a sign that talktalk don't give two fucks about customer security or IT in general.
I imagine that after a few more days of PR, Talk-Talk's share price will be in the toilet and there won't be anyone able to pursue fleeing subscribers and assess penalties owing to there not being any money left in the petty cash secure reserve (the tea caddy in the coffee room with a "petty cash" sticker on it).
"No banking details have been taken that you wouldn't already be sharing when you write a cheque or give to someone so they can pay money into your account."
You mean, "We might have let slip your Account Name, Number, Sort code and Bank Address. Don't worry, we didn't give the evil, anarchic, Islamo-fascist, Russian, chain-smoking, ex-banker terrorist* anything else... or did we?"
* - now known to be a 15 year-old who once tried $ ssh www.talktalk.com
"TalkTalk's site denies a breach of the DPA, noting 'This is a criminal attack'"
Yes, in the same way that if someone burgles my house that's a criminal attack, but it's still my responsibility to lock the front door.
They deserve to lose a lot of customers because of this.
Is ineptability a word?
Anyhow, how can the CEO be inept when paid such a large salary? (GBP £6,842,000 (total compensation, 2014) according to https://en.wikipedia.org/wiki/Dido_Harding, though only 1,047,000 GBP according to http://www.bloomberg.com/research/stocks/people/person.asp?personId=10917296&privcapId=47128684 (linked from same Wikipedia article)).
Any fule know we live in a meritocracy where all are paid according to their worth. I believe everything our glorious rulers tell us.
This is all entirely predictable. Talk Talk's IT is a direct descendant of the original dotcom boom and bust. I worked in a start-up then and the attitude was to deliver fast and first. Procedures and methodologies were for wusses and losers.
The founder of Carphone Warehouse, Dunstone, was an entrepreneur who operated this way too. He saw a gap in the market and exploited it. Again speed and being first were critical. He moved his company into being an ISP when he saw the money to be made. His IT boss was told to 'make it so', despite the IT department having no previous skills or background in the field. Growth then became the supreme directive. The IT Department were instructed to ramp up customer provision as fast as they could to keep up with a huge marketing push. I attended an IT conference where a Carphone Warehouse IT Manager told the story of their move into being an ISP.
It is no surprise at all that security played catch-up in all this. If the firm was unwilling to put money into customer service, as evidenced by customers' experience, was it ever particularly likely that they were investing in security either?
@AC
Hopefully you actually know Agile properly and are air-quoting "Agile" because you are referring to all the monkeys who use the term and other people's ignorance to excuse their incompetence.
If not, may I respectfully suggest that you learn what proper Agile is because it is very disciplined indeed when practiced properly...
Handily Paul Moore has it all recorded and put online at https://paul.reviews/value-security-avoid-talktalk/
Highlights :
TalkTalk confirmed by e-mail that :
* The ICO audits their website EVERY WEEK, validating every single link.
* TalkTalk claimed not to be mishandling customer data or financial information
* They have no intention of taking action over any security problems reported by Paul
Why is this exchange not coming back to haunt them ? ElReg? I think you should be making a much bigger deal of their documented blatant and intentional disregard of security.
Their misleading stance goes from bad to down right lying!
Their email to me said: "Sign up to your free credit reporting service using this code: TT231"
That seems the appropriate thing for them to do, to pay for a financial report for customers.
So I duly signed up, but during signing up I was never asked for a code. I then found out that anyone can sign up for free no code is necessary. noddle.co.uk
I also do wonder about the report's usefulness; any misuse of my financial information would probably take weeks if not months to show up. Some people might think it offers some protection rather than just telling you the horse bolted a month ago.
I wonder if they will be able to survive this.
Noddle isn't free. Well, the very basic core service is but as soon as you want to do anything useful you end up in "in-app purchase" land. I know this because I've had an account with them for a few months.
In fact, the TalkTalk code gets you access to "alerting", which is (only) one of Noddle's paid-for services. I signed up for it because why the heck not, I already had the Noddle account. And I'm a TalkTalk customer, at least until my contract expires.
They don't make this information easy to find on their website because they're [incompetent|malicious] (delete one). Here's a link to it: http://help2.talktalk.co.uk/noddlealerts
Much like houses and fridges these days have to be rated for environmental reasons, maybe an idea to have companies audited for a publicly visible security rating, so customers can make up their own mind about who to go with, based on how safe their personal details are with that company.
icon = someone stealing from my jacket when I'm not there
6 days after the hack, I'm still waiting to be notified.
I had a call yesterday, from someone claiming to be from TalkTalk, asking me to verify my details with them before they continued with the call. I explained I wasn’t going to do that in light of their company being hacked and advice to the contrary - ‘were they aware their company had been hacked?’ The caller then hung up on me.
TalkTalk’s core business is supposed to be **communications**
@Quotes - This might be stating what you already know but I'm pretty sure you haven't been contacted by TalkTalk there, you're a victim of the hack. The hackers have your phone number and name from the hack and are phishing to get whatever other info they need. Imagine there are many people working through the data contacting the gullible/naive/weak to get the 'missing' data.
This is why it doesn't matter that 'not every bit of customer data has been taken', as once you have some, you can start targeted phishing. You know they are a TalkTalk customer, so can pose as TalkTalk and work from there. I wonder how many TalkTalk customers have been contacted by phone by "TalkTalk" in the last week, who have then lost money....
I'm a TalkTalk customer and my natural instinct is to move Telecoms provider, but I'm worried that if I no longer have a contract with them and the worst happens -will they actually do the right thing and compensate me. As bad as TalkTalk are, I feel that would be an even more horrendous scenario. So will they lose lots of customers -perhaps not so many as you might think, unfortunately. Beer -it helps me forget.
"I'm worried that if I no longer have a contract with them and the worst happens -will they actually do the right thing and compensate me. "
That's what small claims court is for - and given the fine plus admissions, they'd have a hard job fobbing it off.
(My experience with Talktalk is that you can spend months arguing with them over compensation or you can just file a Small Claim and they'll settle it almost immediately.)
I was thinking of the jumping ship analogy for people who think they have to wait. Your best route is to talk to someone with business or legal acumen who can tell you what the prospects are. If they need to act quickly enough, in a worst case scenario TalkTalk can go broke and leave you in the shit.
I would have thought someone in a magazine like this might have offered advice already. And I don't just mean readers in the comments.
TalkTalk have in one of their latest statements claimed that passwords haven't been revealed due to this hack, but they've just sent a message to their business customers saying that they have changed our account login password and that I should follow the "forgot password" link on their logon page, answer our security questions and then change the password to something known.
This begs a couple of questions:
a) Is the "passwords not compromised" position a lie? Otherwise why the reset process?
b) Were the security questions in the same public-facing database and therefore likely to also be compromised?
It's almost inevitable that similar hacks will keep happening though.
We need to change the whole system of how payments operate or this is gradually going to turn into a new banking crisis.
There's only so much fraud that can be insured against before the system starts to become too expensive to operate. I don't think the banks have done nearly enough to move towards a totally secure payment system. We shouldn't be relying on 16 digit card numbers and basically trusting retailers like this.
This is a fiasco for Talk Talk but, it'll just keep on happening as the card numbers are just an attractive treasure trove that criminals want to get their hands on and they'll always find holes in the security or the weakest link.
I think we are all overlooking the real point here?
A 15 year old went to the TalkTalk website and performed a SQL Injection attack upon it, which was successful.
This is such a basic security flaw in a website's design and protection it beggars belief!
Perhaps TalkTalk will apprise us of their Data Protection Security Strategy which allows them to publish upon the Internet a website that does not have even the basic web attacks protected against!
TalkTalk has shamed itself!
The TalkTalk CEO has shamed their management with her delayed advisory, lack of security knowledge and poor public comments.
What security personnel if any were involved in the publishing of this website to the Internet?
What were the personnel's security expertise?
Does the website have a written security strategy?
If so, was the strategy applied?
When was the strategy last reviewed?
How much do TalkTalk spend on security?
Remember, this is TalkTalk's third penetration!
Have TalkTalk Security sufficient knowledge to perform the necessary forensics on their systems following the attack?
My experience in the security marketplace leads me to believe there was much TalkTalk about security, but little action!
TalkTalk are just one organisation that has been exposed, I fear that many more organisations will follow.
"I think we are all overlooking the real point here?"
You're missing an even bigger one
"A 15 year old went to the TalkTalk website and performed a SQL Injection attack upon it, which was successful."
A 15yo went to the TT website and successfully performed a SQL injection attack on it _after they'd been breached twice already and should have well and truly nailed that particular barn door shut_
This isn't just an oversight, it's culpable negligence.
Woke up this morning to find 66 junk e-mails in my TalkTalk inbox whereas normally I would expect 5 max. Seems an odd coincidence and am wondering if connected to the data leak ? They were mainly mail box rejection messages (thank goodness) to a wide and random variety taken from my contacts and elsewhere.
threatened to leave when talking to customer services, they said I'll have to pay anyway, so i mentioned DPA "appropriate" thing, and that I work in IT (the poor guy was confused between firewalls and databases); was told a manager who would be able to answer my questions would call today.
It's now 5pm. Guess what .. no call ...