UK telco TalkTalk confirms probe into alleged data grab underway

UK broadband and TV provider TalkTalk says it's currently investigating claims made on cybercrime forums alleging data from the company was up for grabs. An individual using the handle "b0nd" laid claim to a batch of data, which they claimed relates to nearly 19 million current and former customers of the British telco. A …

  1. simonlb Silver badge
    Stop

    one of our third-party supplier's systems

    Well, you will keep offshoring and outsourcing stuff to reduce your costs, but is anyone ensuring that customer data safeguarding is mentioned in the contracts you are signing with those third parties? I'd guess probably not.

    1. Korev Silver badge
      Coat

      Re: one of our third-party supplier's systems

      Yeah, it's not that Harding to understand...

    2. Lee D Silver badge

      Re: one of our third-party supplier's systems

      Doesn't matter.

      No matter what the contract says, it's still TalkTalk's problem from a legal point of view.

      Sure, they might be able to sue their contractors AFTER they get sued themselves for failing to meet standards, but they cannot just move liability elsewhere by signing a form.

      It's one of the best bits of data protection. You touched the data? Then it's your problem. All the way down the chain. But primarily with the company/person that collected that data in the first place.

    3. BartyFartsLast Silver badge

      Re: one of our third-party supplier's systems

      Makes not one iota of difference who it was outsourced to, but I get your point: when you offshore stuff like this you have to be insanely diligent when you sign the contracts, and keep on top of the contractor.

  2. Anonymous Coward

    The support people probably suggested a manifestly impossible cause and instructed them to "cure" it by unplugging it and plugging it back in again and, if that didn't work, ring again and wait an eternity for an agent who wouldn't be able to do anything except offer a callback (which wouldn't ever happen).

    Several months later they'd get a survey request to ask how they thought TalkTalk had dealt with their "incident", which would be described as something completely unrecognisable.

    I'd use the word fuckwits but there are probably fuckwits reading The Reg who would be severely offended at having TalkTalk compared to them.

    1. Anonymous Coward

      My mum is on Talk Talk and was once called by the Indian scam merchants saying they were from Talk Talk, spotting problems with her computer and wanted to help. She said "I don't believe you because Talk Talk have never wanted to help me in the past and I don't think they do now." She then hung up and they haven't called back yet.

  3. Tron Silver badge

    No longer perturbed.

    I think we have already passed the point at which our data has all been hacked by somebody at some point. Just keep an eye on your bank statements and ignore all dubious contact by phone or online. As we should all do anyway.

    Most data has no scalpable value. The amount of effort you have to put in isn't worth the risk for the maximum financial return. Hackers are pros now and concentrate on juicy targets.

    The first hack of user data from the UKG's new age verification ID grab will be interesting. The state forced people to use it, so the state should be liable for proper financial compensation.

  4. PB90210 Silver badge

    Again?!?!

    "given our ongoing focus on protecting customers' personal data... oh look, a butterfly"

    1. Kane
      Joke

      Again?!?!

      "given our ongoing focus on protecting customers' personal data... oh look, a butterfly"

      SQUIRREL!

      1. Korev Silver badge
        Coat

        SQirreL injection?

  5. wolfetone Silver badge

    So they learned nothing from last time then. Good to know.

  6. Swordfish1

    Probably explains the phishing emails I get several times a day, having been a former TT subscriber. I never trusted TT when they outsourced customer services to Mumbai. Additionally, if this is true, I hope they are going to compensate everyone affected.

    1. Anonymous Coward

      Further east now...

      When it was in Mumbai there was a better level of quality than what they now have. It has headed off to a far cheaper country.

      Had to phone the "support" on behalf of a client. Client had called support, and "support" told them to reset their router with a paperclip. This cut them off more than they already had been, as now the router did not have the ADSL username to log in with. I spent most of an hour on the phone with them trying to get someone with a brain to give us a working ADSL username and password. And no, I don't mean the wireless password. And no, this is not a TalkTalk router. No, we don't want to buy a new TalkTalk router..... ARGH!! Might as well have been talking to a piece of wood.

      Literally the only solution to get client back online was to sign up with a new ISP and wait for the ADSL to pass across. So there was some bonus of saving money and getting a better service. Should thank TalkTalk for that I guess.

      1. sten2012

        Re: Further east now...

        > And no this is not a TalkTalk router

        Well, I can pretty much guarantee TalkTalk don't support third-party routers, so a significant portion of the blame falls on your client for blindly following their rules on their own hardware.

        Whenever reaching out to support for these crappy consumer level services (even when they offer "business" contracts) the golden rule is to grab their dusty hardware out the cupboard and connect that so you can go through their inevitably failing checklist until they can no longer deny the problem is their end.

    2. lybad

      I think there was a major attempt at phishing before Christmas - it turns out at least two people I know fell for it, after which all their emails and contacts in the TT email system were deleted, and in one case a filter was applied so that any emails arriving were redirected. This meant that the person then lost access to Facebook briefly, and begging emails were sent supposedly from the targeted address with a reply-to of a different one, with a similar username but a different domain. We know of requests to buy Amazon and Airbnb vouchers.

      We did manage to get back into the accounts, and throw other logged in machines out and get control back. I then got the person to set up MFA as well, which is a problem as some older people don't understand how to properly secure their systems.

      1. chriskno

        Ageist comments not appreciated

        Why are you putting in an ageist comment in your post? There are many people of all ages who are not technically very competent, and equally there are many older people who are very technically competent. I started my career in IT in 1969 and am still active in the industry.

  7. John Smith 19 Gold badge
    Coat

    Again

    New Chairman, new data loss.

    Are they still shipping every page you view to China for your "Safety"?

    F88king useless.

  8. Like a badger

    To be fair, what do their customers expect?

    If you or I bought the cheapest, shittest offer from a third rate company with a track record of crap ITsec, then we'd be neither surprised nor especially unhappy when our data got nabbed. So I assume Talktalk customers are similarly accepting.

    1. DoctorPaul Bronze badge

      Re: To be fair, what do their customers expect?

      I'm currently with TalkTalk but not from choice! I was on a deal with Shell Energy broadband (after Plusnet refused to do another deal on renewal) when the whole of Shell Energy was bought by Octopus Energy, who then sold the broadband part of the business to TalkTalk. Having spent years telling people not to touch TT with a bargepole I was not best pleased!

      That said, I use my own router, have DNS handled by Pi-holes pointing upstream to Cloudflare and run my own domain on Mythic Beasts* for email so I just need them to keep the link up and I'm good. Also registered with them using a disposable email address, catch-all redirection at Mythic makes that trivial to implement. Don't see why I should pay a ransom to them to leave early, so I'll sit it out and then jump ship the moment the contract expires.

      Compare that with a family friend whom I tried to move off TT after the original data breach, which would have emptied her bank account had the bank not pre-emptively blocked the transaction. In the end I was basically pleading with her to move supplier, and when she visited us I sat her down at my computer and got ready to get her signed up elsewhere. Like a horse baulking at a fence, she simply "refused" and wouldn't do it. "Maybe I'm not allowed" - she was years out of contract. "They may be upset with me" - so what? I never did get her to change and assume she's still with them.

      * One of many excellent tips from the commentards of this esteemed forum

  9. Terry Barnes

    Maths

    How can they have leaked data for around five times as many customers as they actually have?

    1. Like a badger

      Re: Maths

      You missed the words "current and former".

      As with almost all data breaches, the idiot company concerned has retained old data that it probably only needs for formal record keeping in an internet accessible form. You have to wonder why nobody asks the question "how much of our data can we archive offline?"

      1. Richard 12 Silver badge

        Re: Maths

        The claim is probably the number of records, not the number of customers.

        Perhaps everyone who has ever been a customer, listed every time their data was updated?

      2. Alan Brown Silver badge

        Re: Maths

        "the idiot company concerned has retained old data"

        Which means they've broken the rules of GDPR. This could get "interesting" and not in a good way for TT

    2. Vestas

      Re: Maths

      ....because they asked for a phone number, name, email address and premises address from anyone who ever asked for an online quote/price for their "services". Said data should have been deleted for anyone who didn't take up a contract with them but doesn't appear to have been.

      Clearly they retained that data for marketing purposes, which if anyone actually enforced this sort of stuff MEANINGFULLY in the UK would leave them up shit creek in terms of fines and liability.

      They don't, so it's just more "meh, whatever" fail in the UK. Nothing will change until directors' limited liability is removed, which it never will be as they're the ones giving "gifts" to MPs.

      1. Tron Silver badge

        Re: Maths

        If they are fined, they will just hike their fees to users to pay for it.

        1. sten2012

          Re: Maths

          So what though? If talk talk weren't so bottom barrel then this data wouldn't have been leaked yet again.

          Ultimately, investing an absolute bare minimum amount in actually securing data should be cheaper than not doing so. If failing to do so means you have to push prices higher than the competition to cover fines - I'd call that the system working as intended.

          Talk talk going out of business: shame for many of the employees but the overall market size doesn't shrink so hopefully most could find jobs at those competitors that take their share and do give a crap about complying with laws.

          This idea that fines are cheaper than complying with laws is a major reason this country is in the toilet (or at least swimming in sewage).

      2. Alan Brown Silver badge

        Re: Maths

        "Nothing will change until directors limited liability is removed"

        Directors don't HAVE limited liability. Shareholders do as a shield if the company goes under but directors are responsible for their decisions

        Unfortunately thanks to decades of fat brown envelopes, that doesn't get enforced

  10. tiggity Silver badge

    Scum

    The 3rd party excuse does not wash - it was a TT decision to outsource for shoddy service cost cutting, thus they are fully culpable, as outsourcing does not magically remove your responsibility.

    e.g. say I was looking for a company to provide physical overnight security of a warehouse and I, performing lacklustre checks, gave it to a cheap bidder. Warehouse later robbed. Turns out the security night watchman was a deaf, blind quadriplegic* - then it would be my responsibility for inadequate vetting of the 3rd party.

    * No offence to people with severe disabilities (blind in one eye myself!), just an example of inappropriate characteristics for a night "watchman"**.

    ** Yes, either sex could do the job, just using the common usage term.

    1. Roj Blake Silver badge

      Re: Scum

      The problem with hiring watchmen is you think you're getting Doctor Manhattan but you end up with Captain Metropolis or Dollar Bill.

  11. Gordon 10 Silver badge
    Black Helicopters

    Am I the only one thinking....

    ... that by a limited 3rd party Vendor, they are underplaying something major like a Cloud CRM or Database breach?

    Me Cynical? Surely not!

    Presumably at 9 years post Dildo the entire management collective memory has been erased. Rather like a goldfish discovering a bowl ornament for the first time. Oooo look a Data Breach..<short time passes>...Ooo look a Databreach

    1. Alan Brown Silver badge

      Re: Am I the only one thinking....

      Companies are like amoebas - they CAN be trained, but it takes a hefty punishment repeated a few times to teach them aversion to doing things

  12. John Smith 19 Gold badge
    Unhappy

    "The current total is closer to the circa 2.4 million mark"

    Many of whom they probably picked up when they bought up smaller ISPs and haven't got round to dumping them due to s**t service.

    Some of them will have been old TT customers that were (forcibly) rejoined to TT.

    So yes, 11 million might be possible given the amount of churn in a large ISP's customer base.

    Seriously, from a customer PoV is there any benefit going with a large ISP? Vermin used to be the only viable FTTP, but now Openreach have decided to stop milking copper wires anyone can get in on that game.

  13. Anonymous Coward

    Di do, Di do, your data's been exposed

    It's not like they've got form for losing sensitive client data, you're being so Harding on them...
