Ex-TalkTalker TalkTalks: Records portal had shared password. It was 4 years old

Fraudsters who attempted to scam TalkTalk customers by using records of their maintenance engineer visits are thought to have bought that info from current or former staff. According to one ex-TalkTalk employee, who asked not to be named, the company uses a third-party system called Qube Portal to book visits and record …

  1. Andy Non Silver badge
    Coat

    Memo

    Memo from TalkTalk to all engineers:

    As a security measure, the four year old shared password "password" has now been changed to "123456".

    1. Phil W

      Re: Memo

      Obligatory response:

      That's the kind of password an idiot would have on his luggage.

      1. Known Hero
        Thumb Up

        Re: Memo

        @phil W I watched that film yesterday with the kids :D

        Upvote for the great film reference

      2. davidp231

        Re: Memo

        "Amazing! That's the same combination on my luggage! Remind me to get it changed."

        - President Skroob.

        *I know the actual quote refers to 12345 but hey ho.

    2. Anonymous Coward

      Re: Memo

      I worked for a year with a system that used the password changeme.

      1. Anonymous Coward

        Re: Memo

        RM machines in schools had the bios password 'rm'.

        Trivial to root the machine once you can change the boot order.

        1. Anonymous Coward

          Re: Memo

          Back when RM did modified builds of Windows 98, there was a guest account that anyone sane would disable; this had elevated 'teacher' privileges including the tool teachers could use to reset a pupil's password without having to go and find someone from IT. You can guess where this is going, can't you.

      2. Andy Non Silver badge

        Re: Memo

        An eon ago I went on a DEC security course. During the morning coffee break I sneakily logged into the site's terminal server using the default password of "password" and changed it to something else. The "security guru" teaching us about DEC security was somewhat puzzled when he couldn't access his server but he did see the funny side when I told him I'd changed the password.

      3. PeteA
        Facepalm

        Re: Memo

        ... and in the early days of my work-life, I was once forbidden from changing the password away from "changeme" because that's what was in the manual.

    3. Dan Wilkie

      Re: Memo

      I guess I'm the only one who saw that and immediately had flashbacks to Crusader: No Remorse? (Seriously, how has that not been recreated on a modern engine? Isometric games ftw)

    4. BlartVersenwaldIII
      Joke

      Re: Memo

      You heard it here first folks (after reading it on USENET decades ago anyway) but I can present to you an exclusive scoop of the TalkTalk security memo that was sent out last year informing all employees on proper security practices. If you read the list carefully you can see they were using an ultra-secure method to pick their passwords so this was clearly an inside job by lunix hackers.

      ============================

      CORPORATE DIRECTIVE NUMBER 88-570471

      In order to increase the security of all company computing facilities, and to avoid the possibility of unauthorized use of these facilities, new rules are being put into effect concerning the selection of passwords. All users of computing facilities are instructed to change their passwords to conform to these rules immediately.

      RULES FOR THE SELECTION OF PASSWORDS:

      1. A password must be at least six characters long, and must not contain two occurrences of a character in a row, or a sequence of two or more characters from the alphabet in forward or reverse order. Example: HGQQXP is an invalid password. GFEDCB is an invalid password.

      2. A password may not contain two or more letters in the same position as any previous password. Example: If a previous password was GKPWTZ, then NRPWHS would be invalid because PW occurs in the same position in both passwords.

      3. A password may not contain the name of a month or an abbreviation for a month. Example: MARCHBC is an invalid password. VWMARBC is an invalid password.

      4. A password may not contain the numeric representation of a month. Therefore, a password containing any number except zero is invalid. Example: WKBH3LG is invalid because it contains the numeric representation for the month of March.

      5. A password may not contain any words from any language. Thus, a password may not contain the letters A, or I, or sequences such as AT, ME, or TO because these are all words.

      6. A password may not contain sequences of two or more characters which are adjacent to each other on a keyboard in a horizontal, vertical, or diagonal direction. Example: QWERTY is an invalid password. GHNLWT is an invalid password because G and H are horizontally adjacent to each other. HUKWVM is an invalid password because H and U are diagonally adjacent to each other.

      7. A password may not contain the name of a person, place, or thing. Example: JOHNBOY is an invalid password.

      Because of the complexity of the password selection rules, there is actually only one password which passes all the tests. To make the selection of this password simpler for the user, it will be distributed to all supervisors. All users are instructed to obtain this password from his or her supervisor and begin using it immediately.
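The memo above is, in effect, a password-policy specification, so here is a validator for its seven rules as an added example (not from the comment, its author, or the original Usenet post): each rule becomes one check and the memo's own sample passwords are run through it. Rules 5 and 7 cannot be implemented literally, so they are approximated with small constructed word and name lists, and the keyboard is modelled as a plain grid; both are assumptions.

```python
"""Validator for the seven rules in the 'Corporate Directive' memo (added example)."""
import string

MONTHS = ["JANUARY", "FEBRUARY", "MARCH", "APRIL", "MAY", "JUNE", "JULY",
          "AUGUST", "SEPTEMBER", "OCTOBER", "NOVEMBER", "DECEMBER"]
MONTH_ABBREVS = [m[:3] for m in MONTHS]

# Constructed stand-ins for "any word in any language" and "any name" (assumption:
# a real deployment would need full dictionaries, which is part of the joke).
WORDS = {"A", "I", "AT", "ME", "TO", "OF", "IN", "ON", "IT", "IS", "AN", "BE"}
NAMES = {"JOHN", "BOY", "PARIS", "LONDON", "DAVE"}

# Keyboard rows as a plain grid (assumption: no stagger); key (r, c) is adjacent
# to (r+-1, c), (r, c+-1) and the four diagonals (r+-1, c+-1).
KEYBOARD_ROWS = ["1234567890", "QWERTYUIOP", "ASDFGHJKL", "ZXCVBNM"]
KEY_POS = {ch: (r, c) for r, row in enumerate(KEYBOARD_ROWS) for c, ch in enumerate(row)}


def keys_adjacent(a, b):
    """True if a and b are neighbouring keys horizontally, vertically or diagonally."""
    if a not in KEY_POS or b not in KEY_POS:
        return False
    (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
    return (r1, c1) != (r2, c2) and abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def violations(password, previous=()):
    """Return the sorted list of rule numbers (1-7) that `password` breaks.

    `previous` is the user's password history, which rule 2 needs.
    """
    pw = password.upper()
    broken = set()
    pairs = list(zip(pw, pw[1:]))
    alpha = string.ascii_uppercase

    # Rule 1: at least six characters, no repeated character, no two consecutive
    # letters that are neighbours in the alphabet (forward or reverse).
    if len(pw) < 6 or any(x == y for x, y in pairs):
        broken.add(1)
    if any(x in alpha and y in alpha and abs(alpha.index(x) - alpha.index(y)) == 1
           for x, y in pairs):
        broken.add(1)

    # Rule 2: two or more characters in the same positions as any previous password.
    for old in previous:
        if sum(1 for x, y in zip(pw, old.upper()) if x == y) >= 2:
            broken.add(2)

    # Rule 3: month names or their three-letter abbreviations.
    if any(m in pw for m in MONTHS + MONTH_ABBREVS):
        broken.add(3)

    # Rule 4: by the memo's reading, any digit other than zero names a month.
    if any(ch in "123456789" for ch in pw):
        broken.add(4)

    # Rules 5 and 7: dictionary words and names, using the constructed lists above.
    if any(w in pw for w in WORDS):
        broken.add(5)
    if any(n in pw for n in NAMES):
        broken.add(7)

    # Rule 6: consecutive characters that sit on neighbouring keys.
    if any(keys_adjacent(x, y) for x, y in pairs):
        broken.add(6)

    return sorted(broken)


def is_acceptable(password, previous=()):
    """True only if the password survives every rule."""
    return not violations(password, previous)


if __name__ == "__main__":
    # The memo's own examples; each should fail at least the rule it illustrates.
    for sample in ["HGQQXP", "GFEDCB", "MARCHBC", "VWMARBC", "WKBH3LG",
                   "QWERTY", "GHNLWT", "HUKWVM", "JOHNBOY"]:
        print(sample, violations(sample))
    print("NRPWHS alone:", violations("NRPWHS"))
    print("NRPWHS after GKPWTZ:", violations("NRPWHS", previous=["GKPWTZ"]))
```

Running it shows the memo's punchline in miniature: every sample password breaks at least one rule, often two (GHNLWT trips rule 1 as well as rule 6), and NRPWHS only passes until a password history is supplied for rule 2.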

      1. VinceH

        Re: Memo

        I have genuinely never seen that before - after just over 20 years online!

    5. MyffyW Silver badge

      Re: Memo

      In the spirit of recent El Reg articles on aged hardware, perhaps we could start a "I've got a password that hasn't changed since year dot" thread?

      Cue the sound of a thousand service accounts grinding to a halt.

  2. wolfetone Silver badge

    Not Surprised

    Why would a company bother spending lots of money on their IT systems, when it's perceived that "if it ain't broke, don't fix it"? Money spent securing internal systems that customers can't see doesn't return any profit on that investment. At the end of the day, the business exists to make money for its shareholders, not to keep customer data secure nor deliver an amazing customer experience. They want to get away with the bare minimum, and when something goes wrong the PR department spins it as "well it was a sophisticated attack and we take every effort to protect our customer data" and "our customers' privacy is very important to us".

    Liars. Their customers' dollar is important to them, not the fact their details aren't secure and can be sold to all and sundry.

    1. Anonymous Coward

      Re: Not Surprised

      Right, but their customers are total plebs who don't know any better.

      You know Andrews & Arnold for example do know what they're doing behind the scenes, and will in fact keep your data secure.

    2. Anonymous Coward

      Re: Not Surprised

      Except sadly, that's a very short-sighted approach and is exactly the reason TalkTalk has shed customers by the bucketload, and profits with them. Strong, well enforced and audited security = secure customer data = reduced risk to profit. Not exactly rocket science, yet for some reason our biggest ISPs and telcos seem to be ignorant in this area...

      1. Brewster's Angle Grinder Silver badge

        Re: Not Surprised

        "Strong, well enforced and audited security = secure customer data = reduced risk to profit."

        TalkTalk may have lost customers. Their profits may have been dented. But, unless you have numbers, I speculate the cost of doing this right will exceed their losses. We need a regulator who can give them a good kicking in the dividends and whistle blowers who are willing to testify.

        1. Hawkeye Pierce

          Re: Not Surprised @Brewster

          >> I speculate the cost of doing this right will exceed their losses.

          I disagree with that. The cost of doing this right IN THE FIRST PLACE would have been less than they will lose from the incident. By the time you factor in the lost customers, the help desk costs to handle the increased calls, the incentives they've made to those customers to encourage them to stay plus the significant costs they've had in hiring in security consultants to bolt the stable door, that's going to be far in excess of the relatively low costs to do things right in the first place by employing competent staff (devs + managers) and to pen test the system.

          1. Brewster's Angle Grinder Silver badge

            Re: Not Surprised @Brewster

            "I disagree with that. The cost of doing this right IN THE FIRST PLACE would have been less than they will lose from the incident."

            Talk Talk says (PDF) the "trading impact [was] £15m" and they're estimating 0.6% customer loss due to the cyberattack. (Ofcom says they have 16% of the UK's 27 million households so about 26,000 people were pissed off enough to move.) That churn is 50% more than normal.

            It looks like they moved sales to helpdesk, and are blaming that for reduced sales and lower customer numbers. For that reason they missed out on revenues of £40-£45 million.

            I guess the £15 million includes the consultancy fees. But those fees would have had to have been paid at the start to make sure it was right (they're a corporation: they don't believe their staff unless a consultant agrees) and they would have no doubt incurred on-going costs in ensuring continued compliance.

            But let's say you're right and they could have spent £1 million over four years and been £50 million richer. So what? They expect to grow dividends. Their profits might grow slightly slower than they'd hoped. But the message to shareholders is everything is recovering and there's nothing to worry about. QED

        2. Alan Brown Silver badge

          Re: Not Surprised

          > We need a regulator who can give them a good kicking in the dividends

          ICO won't do it.

          > and whistle blowers who are willing to testify.

          Current laws don't protect them well enough.

        3. Vic

          Re: Not Surprised

          We need a regulator who can give them a good kicking

          I'd like to see a law that puts manglement in the firing line.

          If you have a database of customer details, your management team's details need to be in there as well. If it contains bank details, management's accounts are there as well.

          So if the database gets taken - the team who penny-pinched the security face the same consequences as their customers.

          It needs tuning of course - e.g. to prevent them setting up bank accounts specifically to circumvent this - but the guts of the idea is there...

          Vic.

        4. Coyote63

          Re: Not Surprised

          The cyber attack on Talk Talk according to their board cost no more than £35m including remedial measures.

          However the share price dropped by £750m - not just due to the cyber attack but that was a major contributory factor.

          Source Anthony Hilton in the Evening Standard 13th January

          I am sure this will have seriously kicked their dividends....

    3. Anonymous Blowhard

      Re: Not Surprised

      "Money spent securing internal systems that customers can't see doesn't return any profit on that investment"

      This is one of the main jobs that we expect governments to perform; regulation of business so that companies who do the right thing (providing safe products, protecting personal data etc.) are not at a competitive disadvantage to those who don't.

      Fines should be big enough to affect the profit of a non-conforming company so that it makes the decision that doing things correctly is a profitable investment.

      1. Anonymous Coward

        Re: This is one of the main jobs that we expect governments to perform

        Part of the difficulty is that the security gurus have gotten so paranoid, the tools you'd use to implement certain things have been disabled. For example, the government office in which I work has no approved tool to change the local admin passwords on any of the PCs. So it never gets touched.

        1. Alan Brown Silver badge

          Re: This is one of the main jobs that we expect governments to perform

          "For example, the government office in which I work has no approved tool to change the local admin passwords"

          This is a case of the Dunning-Kruger effect writ large and the "security gurus" being well out of their depth in the first place.

      2. Alan Brown Silver badge

        Re: Not Surprised

        "Fines should be big enough to affect the profit of a non-conforming company"

        Fixed fines are part of the issue. The ones which allow "up to N% of turnover" are the ones which hurt most, provided regulators are brave enough to impose them.

        Rewriting laws so that fines can't be claimed as tax-deductible would help a lot too.

  3. Duffaboy

    Defunct retailer

    I used to look after servers of a big high street retailer (no longer with us) who had no password whatsoever on their servers

    1. JQW

      Re: Defunct retailer

      Back in 1999 one UK high street name had 'password' as the password for their HQ NT domain administrator. The irony is that all over their head office were posters stating the company's commitments to strong IT security.

      This company is still trading.

    2. Captain Scarlet

      Re: Defunct retailer

      :O a guessing game!

      My turn:

      Woolworths?

  4. Tony S

    Not at all surprised.

    I remember seeing a green screen application some years ago at a big company. Most of the staff had access to this, without needing any form of security control. I believe that they had something like 400,000 customer details in that particular system.

    That was a system based / managed in India. Used by some call centre staff there, but also by several call centres in the UK.

  5. alun phillips

    No further complaints, eh?

    What about the one radio 4 reported to them as occurring last Saturday 6/2/2016? This is still a problem

  6. Anonymous Coward

    ICO should open another investigation.

    "Some of these reports can be somewhat humorous. For example: 'Customer answered door wearing an adult nappy*'."

    Doesn't sound like this private data is needed for the business purpose that TT is supposed to be providing.

    1. Anonymous Coward

      Re: ICO should open another investigation.

      If the customer is appearing like this for their own dubious, presumably sexual, gratification, I think it's perfectly reasonable to note it down, particularly if it becomes a repeat performance. Would you want your wife, husband, partner, etc. becoming a part of a customer's lifestyle choice just because they happened to be assigned that particular call? Not all situations are as humorous/desirable as a 70s-style Confessions Of A Window-cleaner and could be genuinely alarming for someone simply trying to do their job.

      1. Calum Morrison

        Re: ICO should open another investigation.

        Thumbs down - seriously? I know El Reg is a broad church, but I didn't realise it was such a hotbed of adult nappy wearing. FFS, do as thou shalt but don't involve the rest of us, please.

        Truly, speaking as someone who has done this kind of job, you do find yourself being part of people's "other interests" and it's not fair. Someone appearing at the door in a state of undress is a legitimate concern, particularly if it became a habit. That is offenders' register stuff, whether you choose to believe it or not.

        1. Anonymous Coward

          Re: ICO should open another investigation.

          My first paid employment was as a television repairman; it's really not fun rocking up at a client's home and finding out they want to enact some scene from a dodgy 70s 'Confessions' film and have dressed for the part too.

        2. Darryl

          Re: ICO should open another investigation.

          "particularly if it became a habit"

          I see what you did there

    2. Peter X

      Re: ICO should open another investigation.

      "Some of these reports can be somewhat humorous. For example: 'Customer answered door wearing an adult nappy'."

      Doesn't sound like this private data is needed for the business purpose that TT is supposed to be providing.

      If the customer concerned had these details leaked* along with this particular bit of information, I'd say [IANAL] they'd sue the crap** out of TT.

      * No. Just no.

      ** Still no.

  7. Anonymous Coward

    Talk Talk is another name for 'Failure'

    TT are the people who refused to log a fault with a landline because the person who was reporting the fault didn't have a mobile for TT to call them on.

    Not only did the person with the landline not have a mobile, they lived in a 'not-spot' where none of the carriers had a usable signal.

    The Indian droid on the end of the phone refused to believe this.

    Bribed a friendly OpenReach bod with a few 'at the weekend pints' to fix the issue.

    Moved from TT the next day.

    Why is this company allowed to do business? It is one abject failure after another.

    Come on OFCOM close them down before they do any more damage.

  8. RISC OS

    TalkTalk said it was considering cutting ties

    Only considering???

  9. Anonymous Coward

    Twat twat

    Bunch of useless wankers.

    I'm not surprised about the adult nappy bit, the stress of dealing with twat twat (no) support had probably caused a mental breakdown and a return to childhood.

    1. Anonymous Coward

      Re: Twat twat

      They've not improved anywhere near THAT much

  10. chivo243 Silver badge
    Headmaster

    outsourcing

    in this case it sounds like outscamming, outstanding!

  11. anthonyhegedus Silver badge

    Fucking cunting bunch of motherfucking wank-shit cockwombles!

    And they won't let people leave prematurely. That business is not fit to call itself a provider of any services!

    - shared password known by thousands

    - 1000s of staff in a foreign territory not covered by our laws

    - reports of criminal behaviour at these foreign sites

    - password not changed in years

    They are a shambles, utterly and totally. Wouldn't trust that dildo woman in charge to pour piss out of a boot with the instructions written on the heel!

    1. Ol' Grumpy

      Valid points but you get the upvote for "cockwombles"

  12. Ken 16 Silver badge
    Thumb Down

    I'd be more embarrassed

    at using a generic password that doesn't change for years than at wearing a nappy in public

    1. Groaning Ninny

      Re: I'd be more embarrassed

      I've seen the photos

  13. Ian N
    Paris Hilton

    Nappy Schnappy

    Jack ("Get Carter") Carter had just a shotgun on his door step. He did meet a sticky end though.

    Paris, cos she became famous for appearing in the buff.

  14. Dave K
    Joke

    Obvious...

    'Customer answered door wearing an adult nappy*'

    He was obviously expecting a load of crap coming his way...

  15. zaax

    Why do they need your date of birth?

    1. WolfFan

      Why do they need your date of birth?

      So that they can know if it's legal to ask for a credit card or if it's legal to offer the service to them. In some jurisdictions people have to be at least <yearsOld> to be legally able to get credit cards. Someone younger than <yearsOld> would probably have to pay by cash, assuming that they could legally be sold the product at all, something unlikely. For many service calls, the dispatcher will state that an adult who can legally make decisions on the account must be present throughout the call.

      1. Dan 55 Silver badge

        Billing will have been set up beforehand, the engineer doesn't need to know their date of birth and in any case the engineer just isn't going to be able to take cash payment with all the logistics that entails (transport, security, etc...).

  16. TechicallyConfused

    Not just Talk Talk

    We have had a "BT Engineer" calling us trying the same scam. His downfall though was that he simply wasn't credible as a BT call based engineer, he wasn't Indian and I could understand what he was saying, so immediate alarm bells there from the outset.

    If anyone from a services company calls you ALWAYS ask for the name and a call reference and tell them you will call back. Go online, find the relevant number on the website and call that and give them the reference and name.

    1. adnim

      @TechnicallyConfused Re: Not just Talk Talk

      When does anyone from a service company call anyone legitimately? When a support call is raised, they usually blame a third party, say we are aware of the issue and just hope one goes away.

    2. John H Woods Silver badge

      Re: Not just Talk Talk

      ^^THIS

      Unfortunately the banks, utilities etc. and everybody who is always nagging customers to "be safe" have been the principal agents in softening up people to the point they'll answer all manner of personal questions on the phone. I never [1] take such calls.

      [1] I'd be prepared to take a call from an entity that could prove its identity, and we all know that it is technically possible, but I have yet to come across one that actually can.

      1. John Mangan

        Re: Not just Talk Talk

        Actually, I've been called by my bank (First Direct) on two occasions for the purposes of fraud prevention and on both occasions as they started the 'for security purposes . . .' spiel I interrupted with 'You called me, prove who you are.' And they did!

  17. hatti

    The moral of the story

    Change your nappy, change your password.

  18. This post has been deleted by its author

  19. adam payne

    Talk Talk is the company that just keeps on giving.

    A four year old password that is shared around thousands of people and worse for a system that houses customer information.

    *facepalm*

    What the hell were they thinking or in this case not thinking?

    1. TheOtherHobbes

      Can we have the obligatory "The security of our customers is our Number 1 priority" PR drone speech now?

      >What the hell were they thinking or in this case not thinking?

      Probably "I'm much too important to be bothered with these technical details. How much money did we make last week? How's the share price? And can you see if Dave and George are free this weekend for a spot of Cotswold cockwombling?"

  20. Anonymous Coward

    I've seen worse

    At my current assignment the local admin password on the desktops hasn't changed since I got here in spring of 2013. We've got 5 support techs at the moment and four network techs. I'm aware of at least four people who have cycled through. Not sure when it was first set, but based on tales I've heard I'm guessing it's at least 7 years. Granted, it's a nice complex password even though it's easy to remember after hearing the tale about WHY it was set, but still...

    Anon for obvious reasons.

  21. Bota

    "Customer answered door wearing an adult nappy*'."

    Like I told my wife, I ate KFC and it gave me a bad stomach, honestly, this isn't what it looked like.

  22. John Brown (no body) Silver badge

    Spin spin spin

    engineering companies used by TalkTalk and several other providers....

    "...We understand that customers of other companies may also have been targeted in the same way during this period."

    So first they denied it happened at all and now it's "well, it's not our fault, look, other companies use these people too and look, they had the same problems too."

    Well, boo fucking hoo. TT have a contract with the customer. Them choosing to use a possibly dodgy 3rd party company isn't the customers problem and TT are still liable.

    Even worse, how did TT manage to find out in just a few days that the "3rd party" companies' other customers have also been scammed in the same way? Either that was some uncharacteristically fast work, some uncommon inter-company honesty, or they ALREADY KNEW about it and were ignoring it.

  23. Mark Allen

    Poor customers - literally

    The depressing side of this is what is happening to the TalkTalk customers when they get hit with this phone call. It is a clever call involving a number of "departments".

    People on TalkTalk are often on it because it is "cheap" and they don't know better service exists. They are rarely computer literate. A lot of retired people are on this network. Unluckily a lot of retired people are too polite to hang up on phone scammers. Among my clients it is noticeable that those who have fallen to scams tend to be older and believe the scammer on the phone. I know of three people (aged 73, 80 and 96) who were all caught on this TalkTalk scam. They lost between £1500 and £7000 each! And they have no one to turn to as the bank can't recover the cash due to the way the customer hands over all their financial details to the scammer. I also don't expect local police to get very far on this either.

    I don't blame the scammer for the loss - I directly blame TalkTalk. Someone needs to take them to court over this mess.

    1. Mark 85

      Re: Poor customers - literally

      I don't blame the scammer for the loss - I directly blame TalkTalk. Someone needs to take them to court over this mess.

      Actually, if you think about it, they both are to blame. One for being a miscreant and scamming innocent people who are probably the ones who can least afford it, and the second for having lousy security and abusing their customer relationship by engaging in less than honest dealings. The BS coming out of the TT front office is appalling.

  24. Anonymous Coward

    Why would the Qube portal store the end user's date of birth? This is a portal used by various companies to book Qube engineer tasks. I just don't see why Qube as a contractor would need to know anything more than the end user's name, contact number and address. Working, as I do, for an ISP I have never come across a sub-contractor (sorry, service partner) portal that needs any more information than that, plus of course service details, task details and free text fields for special instructions such as access arrangements (usually RARA).

    1. Cpt Blue Bear

      I've come across this twice. It's the result of using an off-the-shelf solution and being too cheap to customise it.

      The second case was slightly more complex: they picked the cheapest quote and then got upset when the vendor submitted an extra bill for "variations" that weren't explicitly part of the original quote. The vendor put them on the bottom of their priority list, I presume on the basis that paying customers come first and this job wasn't profitable. In the end they got sued by the supplier for non-payment. The vendor made a loss and they ended up with a shitty system that only partially did what they needed.

      But I digress, the result was a number of mandatory fields that are inappropriate or pointless. The solution we suggested was to fill them in with standard but nonsense data. If it got "lost" or "stolen" at least it would raise an instant red flag when someone tried to use it.

  25. Wiltshire

    Breaking news, BCS, the Chartered Institute for IT, wants the government to make 'reckless' disclosure of data through inadequate security to be a criminal offence. Not sure who's going to decide what "reckless" means or what the thresholds are. But surely TalkTalk looks like an excellent test case?

  26. Picky
    Unhappy

    Talk Talk Talk

    Several years ago one of my clients changed to TalkTalk - without telling me. It was a pub in Birmingham with a few Wifi boxes and a Smoothwall firewall. After 5 HOURS on the phone to them all they could come up with was to reset to factory defaults - which was not going to happen as it would break everything else. Yes they do like to talk Talk Talk ....
