The headline picture just makes me want to reach for the nearest half dozen eggs or rotten bit of fruit and hurl it at the screen.
Didi the dodo, go go a now now.
The face of complete corporate indifference toward the customer.
TalkTalk has finally provided some information on the amount and type of information breached in last week's cyber attack, downplaying the size of the incident. "[Our] responsibility last week was to inform all customers as quickly as possible" began the company's statement, despite the thorough lack of expedition in the …
"highly unlikely event that a criminal attempts to defraud them" Sorry, but birthdate is incredibly sensitive and useful for identity theft. It's not highly unlikely at all; in fact it is very likely that this information will now be used!
It's not up to TalkTalk to judge how important people's private details are; they should be taking the proper precautions to protect the data, as they have a duty by law to do so, and if they don't receive a significant penalty for this it is saying to other companies that they can cut corners and not bother looking after our data properly too.
After being hacked twice recently they should be on guard now more than ever, and yet it is so lax a couple of 15-year-olds can get in!? If the words 'appropriately protected' in the law need a less vague definition, let us start defining it now by saying this was not appropriate protection!
Economy of scale. If criminals have access to a thousand real names they are less likely to do anything with them as they'd have to look them up in public records manually or pay an underling to do it, which would take a while, cost time/money and possibly attract attention. Give them a thousand names with birthdays already associated with them, and there's more likely to be trouble for some poor souls.
The truth is that the bank account details CAN easily be used by criminals; they just sell things like insurance policies from reputable companies to punters in a pub, at ultra cheap prices. The crims use the stolen bank account details to set up the direct debit, the insurance company sends out the policy to the unsuspecting punter, the punter pays the crims, and the crims run away and hide. A few days later the insurance company realise it's a fraud and cancel the agreement.
And the names and emails and phone numbers can be easily used to call up the customer and convince them that they're calling from TalkTalk. And because they're Indian call centres, the customer won't suspect a thing - they sound just like TalkTalk's real call centres.
Now what TalkTalk should do is let ANYONE leave them without contract penalties, and they should start to wind up their Indian call centres. No less than that.
"Now what TalkTalk should do is let ANYONE leave them without contract penalties" doesn't solve anything, as they still have your details; as has been discussed here, you are now an ex-customer. If you cancel anything it should be your bank/credit card account.
Then why is she trying to minimise the breach:
Less than 1.2 million customer email addresses, names and phone numbers
That's 2-3% of the adult population of the UK, I'd say that was a significant breach.
As for the 15-20k poor beggars whose date of birth and bank account details have been spewed, that might be a small number (of little people) for the Baroness, but it'd be quite a big crowd if they turned up at her office to have a word.
So, state of play on the past few months of data breaches in the UK:
TalkTalk = Incompetent wankers
Carphone Warehouse = Incompetent wankers
British Gas = Incompetent wankers
All other companies = ?
- More than 20,000 unique bank account numbers and sort codes
- More than 27,000 obscured credit and debit card details (as previously stated, the middle 6 digits had been removed)
- More than 14,000 customer dates of birth
- More than 1.1 million customer email addresses, names and phone numbers
This might be cynical but who checks that these figures are correct? And would we hear about it if they weren't?
For all that I know (and this is probably right), these figures are some sleep-deprived IT person poring through logs and saying "well if this, then probably that..." Which is fine, but is there some sort of proper investigation that takes place that would inform us if said IT person were wrong? Or TalkTalk had slanted the truth?
you may be able to claim breach of contract by Talk Talk
I'd just tell them they breached the contract, cancel further payments and explain that if they tarnish your credit rating or refer the matter to debt collectors, then you will sue. Chances are good they'll sod off at that point. If they don't, then just sue them because the odds of TalkTalk wanting to appear in public court over this issue are slim to none.
Less than 21,000 unique bank account numbers and sort codes
21,000 too many.
Less than 28,000 obscured credit and debit card details (as previously stated, the middle 6 digits had been removed)
28,000 too many.
Less than 15,000 customer dates of birth
15,000 too many.
Less than 1.2 million customer email addresses, names and phone numbers
Way, way too many.
I don't understand how they say credit card details are safe if they have only masked 6 digits. It would be relatively trivial to work out valid remaining numbers by simple Luhn checking. Find a particular card that has relatively few valid Luhn options (using the existing details) and reverse the encryption based on that. I believe PCI-DSS should be much more restrictive than it currently is and not allow masked details to be included in the same detail as the encrypted card number, as you are basically making breaking the encryption easier.
believe PCI-DSS should be much more restrictive than it currently is and not allow masked details to be included in the same detail as the encrypted card number as you are basically making breaking the encryption easier.
I think you are misunderstanding.
The encryption is applied to the stored data, which is only the first 6 and last 4 digits. There (should be) no circumstance where the full card number is stored in any format.
Whether Talk Talk followed this is, of course, open for discussion.
This doesn't make sense. What would be the point of storing only a partial card number? Surely you need the full card number if you are going to use it.
Perhaps you could point to the PCI statement that backs this up. Or explain how Amazon manages to get payments authorised without storing the full card details?
"Or explain how Amazon manages to get payments authorised without storing the full card details?"
Yes you can store full credit card details with encryption and expiry dates. You are not allowed to store the CV2, even if encrypted, with the credit card number.
However, you can make further transactions, as a retailer, using existing card details. You store the basic card details - masked - and associate them with an ID. When a customer confirms that they want to pay using Visa 44433xxxxxxx1111 you send the request to your merchant services using the ID instead of the actual card number (which you don't hold). Your merchant services company uses this ID to actually send the card details on to the acquirer to make payment. This ID is linked to you as a merchant and could be used by other companies, as a separate merchant/ID combination will point to a different card number. It can also be set to expire after a certain length of time to make it temporary; a different merchant would not, generally, be able to process that ID though, so stealing it has little benefit.
The IDs are also generally the same style as a credit card number and pass the Luhn check so back end systems can accept them with little or no development work.
It's called tokenisation.
I think *you're* misunderstanding here. Storing the full PAN is perfectly acceptable within the PCI DSS. Storing it unprotected is not, however. Protection can be provided through hashing, encryption, tokenisation, etc. Masking the middle digits essentially makes the information useless for fraud, as it is no longer cardholder data.
The reason why you don't understand is that you don't understand Luhn codes. The Luhn code is a single digit appended to the number. Luhn codes are intended to catch common typos. They can detect/correct a single digit error or a pair of transposed digits but are not capable of supporting Hollywood style hacking magic.
That wouldn't really work in reality. If you had the first 6 and last 4 digits and then filled out the middle six with all possible combinations you'd create 1 million possibilities, with 100,000 passing the Luhn/mod 10 check. You've got no idea which ones are valid until you try to authorise them with an acquiring bank. You could generate all possible 10^16 credit card combinations and do the same, but you'd never get any authorised against an acquirer for a transaction with no further authentication data (CVV/Expiry/Name/Address, etc).
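To put numbers on the two technical points in this exchange, the tokenisation flow described a few comments up (merchant holds a masked PAN plus a Luhn-valid, merchant-bound, expiring token; the provider's vault holds the mapping) and the "just Luhn-check the missing six digits" argument, here is an added example. It is not code from TalkTalk, Amazon, any payment provider or the PCI DSS; the vault, the merchant IDs, the TTL and the use of the well-known Visa test number 4111 1111 1111 1111 are all constructed for illustration.

```python
"""Toy tokenisation vault plus a Luhn enumeration over a masked PAN.

Added example for this thread; not TalkTalk's, Amazon's or any PCI DSS
reference code. Merchant IDs, TTLs and the card number used (the public
Visa test number 4111 1111 1111 1111) are constructed.
"""
import itertools
import secrets

# Luhn contribution of a digit at a position counted from the right
# (position 0 is the check digit). Odd positions are doubled, with
# 10..18 folded to 1..9. Both maps are bijections on 0..9, which is
# exactly why the masked-PAN count below is 10**(n-1), never fewer.
DOUBLED = [0, 2, 4, 6, 8, 1, 3, 5, 7, 9]
UNDOUBLE = {v: d for d, v in enumerate(DOUBLED)}


def luhn_contribution(digit: int, pos_from_right: int) -> int:
    return DOUBLED[digit] if pos_from_right % 2 == 1 else digit


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check."""
    total = sum(luhn_contribution(int(c), i) for i, c in enumerate(reversed(pan)))
    return total % 10 == 0


def luhn_check_digit(body: str) -> str:
    """Check digit that makes body + digit Luhn-valid."""
    total = sum(luhn_contribution(int(c), i + 1) for i, c in enumerate(reversed(body)))
    return str((-total) % 10)


def mask_pan(pan: str) -> str:
    """First 6 and last 4 in clear, everything else replaced by '*'."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenError(Exception):
    pass


class TokenVault:
    """Stand-in for the merchant-services provider's vault (constructed).

    The merchant stores only the token and the masked PAN; the vault maps
    (merchant_id, token) -> PAN. Tokens are random 16-digit strings with a
    Luhn check digit so legacy back ends accept them, are bound to one
    merchant, and carry an expiry.
    """

    def __init__(self) -> None:
        self._entries: dict[tuple[str, str], tuple[str, float]] = {}

    def tokenise(self, pan: str, merchant_id: str, ttl_seconds: float, now: float) -> str:
        if not luhn_valid(pan):
            raise TokenError("refusing to tokenise a PAN that fails Luhn")
        body = "".join(secrets.choice("0123456789") for _ in range(15))
        token = body + luhn_check_digit(body)
        self._entries[(merchant_id, token)] = (pan, now + ttl_seconds)
        return token

    def detokenise(self, token: str, merchant_id: str, now: float) -> str:
        entry = self._entries.get((merchant_id, token))
        if entry is None:
            raise TokenError("unknown token for this merchant")  # wrong merchant looks the same
        pan, expires_at = entry
        if now > expires_at:
            raise TokenError("token expired")
        return pan


def luhn_completions(masked: str) -> list[str]:
    """Every PAN consistent with a masked PAN that also passes Luhn.

    All but one masked position are enumerated; the last is solved from the
    mod 10 constraint, so n masked digits give exactly 10**(n-1) candidates.
    """
    length = len(masked)
    holes = [i for i, c in enumerate(masked) if c == "*"]
    if not holes:
        return [masked] if luhn_valid(masked) else []
    fixed = sum(luhn_contribution(int(c), length - 1 - i)
                for i, c in enumerate(masked) if c != "*")
    free, solved = holes[:-1], holes[-1]
    solved_doubled = (length - 1 - solved) % 2 == 1
    out = []
    for digits in itertools.product(range(10), repeat=len(free)):
        partial = fixed + sum(luhn_contribution(d, length - 1 - i) for d, i in zip(digits, free))
        need = (-partial) % 10
        last = UNDOUBLE[need] if solved_doubled else need
        chars = list(masked)
        for d, i in zip(digits, free):
            chars[i] = str(d)
        chars[solved] = str(last)
        out.append("".join(chars))
    return out


if __name__ == "__main__":
    pan = "4111111111111111"
    vault = TokenVault()
    token = vault.tokenise(pan, "merchant-A", ttl_seconds=3600, now=0.0)
    print("merchant stores:", mask_pan(pan), token)
    print("merchant-A resolves:", vault.detokenise(token, "merchant-A", now=10.0))
    cands = luhn_completions(mask_pan(pan))
    print(len(cands), "Luhn-valid completions; real PAN is one of them:", pan in cands)
```

Running it shows the two halves of the argument: a stolen token is rejected for any other merchant and after its TTL, and a masked 16-digit PAN yields exactly 100,000 Luhn-valid completions (one in ten, because each Luhn position map is a permutation of 0..9), none of which can be told apart offline; the only oracle is the acquirer, which will not authorise a bare PAN.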
So, the figures show that they only have about 20,000 paying customers. The churn is 1.2 million customers and, like Ashley Madison, they keep your name, email and phone number to sell to scum rather than deleting it when you leave.
This is why TalkTalk was so dismissive that it was a massive breach, they don't really have a massive customer base.
...does an ISP need your date of birth? You're obviously old enough to be paying the sodding bills. At some point there has to be a stop put to this nonsense of dragging as much personal data out of customers as possible. You can't even buy a Mars bar these days without some pillock wanting your post code and inside leg measurement.
Also, why was this data Internet facing? If you must have someone's date of birth, they're not going to want to change the bloody thing in "My Account" are they? Oh, sorry, I'm a reborn Christian. My new date of birth is...
"To date, two teenage suspects, a 15-year-old and a 16-year-old, have been arrested in connection with the incident."
To date, one middle-aged suspect with a technical mental age of a 5-year-old has not been arrested in connection with the incident.
Fixed, with apologies to 5 yr-olds everywhere.
Ah Dido Dildo Lilo whatever your name is this makes it all OK then
Still pretty crappy for all your clients who've lost sensitive info due to your 7 mil a year paycheque; that's taken a chunk out of the security budget!
Oh & ask the Transvestite, who's just been switched out of the mens prison for some styling and make up tips, she can help you no end..
Back off to watch the rugby now.