TalkTalk subsidiary's customer data placed on the web in IIS whoopsie

Greystone Telecom, adopted child of TalkTalk and provider of telecommunications to the business community, is unwittingly sharing customer and contract details with the world: but TalkTalk doesn't care. The details include customer and contract prices, copies of sales orders and spreadsheets showing how things are going at the …

COMMENTS

This topic is closed for new posts.
Thumb Down

IIS

nuff said.

No, it isn't. What does the data protection office have to say about all this? Should you not have gone to them for a quote? I bet they would be interested in this sort of thing.

4
0
Anonymous Coward

Re: IIS

"What does the data protection office have to say about all this?"

Nothing. They are too busy chasing us for dropping cookies onto users machines.

Meh.

3
0

Re: IIS

Not.

0
0
Silver badge
Joke

Re: IIS

>They are too busy chasing us for dropping cookies onto users machines.

It was you wot done it, were it? Ooooh. I'm so mad I could crush a grape.

1
0
Unhappy

Re: IIS

"No, it isn't. What does the data protection office have to say about all this? Should you not have gone to them for a quote? I bet they would be interested in this sort of thing."

You're kidding right?

The ICO couldn't give a *****. It's not a public body, so in the view of the Idiot Control Office - no harm done, end of.

2
0
Silver badge

Re: IIS

+1 for the Stu Francis and Crackerjack reference.

4
0

And Windows Server

For how much longer will we see fake IT professionals recommending microsoft server technologies that are built with fail, by fail, to fail ...

6
6
Anonymous Coward

micros~1 is still profitable, innit?

Even ostensible open source executive guy Matt here on El Reg keeps on measuring market size in costs incurred, not useful work done (what places have Combined Heat and Computing plants heating the building?), which presumably will drive more of his ilk to do whatever everyone else is doing in their attempts to gain a competitive advantage. So, at a guess, quite a while yet.

And hey, it's not fake. As dear Dominic just expounded: Getting paid by the hour means prolonging the problem. Getting paid more means being more professional. This must be true for the recruiter pro said so.

1
0
Anonymous Coward

Re: And Windows Server

I'm sure you're proud of your little mantra there, but you've missed the point, I'm afraid. This is a configuration error, so in the lap of the dip setting it up. Undeniable that it's poor practice to be open to anonymous access by default, but it's the job of the guy setting it up to make sure the settings are right. Saying "Oooh, it's MS therefore destined to fail!" is clichéd, sad and just untrue.

7
1
FAIL

Re: And Windows Server

Boring, tedious, rhetoric once more.

If the thing is configured incorrectly by the person installing it, that is hardly the fault of the software.

It gets exceedingly stale, the constant bashing of anything MS on these forums. It is of course, fantastic that Linux is always perfect and is never misconfigured.

1
2
Silver badge
Facepalm

Re: And Windows Server

"If the thing is configured incorrectly by the person installing it, that is hardly the fault of the software."

When the software's default position is "Rape me! Have at my datas you randy hounds!" then I'd say that's a problem.

"It is of course, fantastic that Linux is always perfect and is never misconfigured."

A few points:

1) Linux is a kernel, not a web server;

2) No one claimed it was perfect;

3) No one even mentioned it.

If you had cited Apache (or Tomcat or WebLogic or...) then you might have had a point. Too busy following the old rhetoric of "If they say anything anti-MS, they must be a pro-GNU/Linux, freedom-loving fanboi. Engage maximum frothing!"

7
1
Boffin

Re: And Windows Server

There's also the small point that usually one wants his web site to be accessible by the world.

0
0

Re: And Windows Server

Right. Because it just works ...

0
0

Re: And Windows Server

That's because you don't understand the topic. It's not about misconfiguration, it's about total fail.

0
0
WTF?

He has a file of "hold music" ??

He must be mentally ill, or at least have spectacularly bad taste.

1
1

How is the fact that IIS allows anonymous access by default a security issue? It is a web server after all and is meant to be used to publish stuff to the world wide web; if you don't want that data published then you remove the anonymous access user or put it behind a firewall etc.

As someone who owns a hosting business and who administers IIS and Apache day in, day out I can vouch for IIS7 as being a very good web server. I actually think the story poster is talking about having directory browsing enabled and I know that by default that is not enabled in IIS so the server admin must have enabled it.

If it is a fail it is for the person who configured the website not IIS itself.

This sounds more like Linux fan-boys out to discredit something they know nothing about...

8
5

Isn't that what the article says?

Hell, it even goes as far as to give the contractor advice on how to secure the server against this (tick a box).

Read the article again.

1
1
Anonymous Coward

@drunk.smile

I'd have thought it was obvious he's referring to the fanboys, genius. (Nice that someone else can actually spell it correctly, too.) Read the comments and get a sense of context. Or the bit on the label about alcohol content ...

0
5
FAIL

The article goes into much detail about how this is a problem specific to IIS, even the title "TALKTALK SUBSIDIARY'S CUSTOMER DATA PLACED ON THE WEB IN IIS WHOOPSIE".

This is NOT a problem with IIS and could just as easily have been enabled on Apache or any other web server software. The article poster is also blaming the anonymous user access when the problem is actually having directory browsing enabled; if you disable anonymous access then not even web pages can be viewed unless the person logs in to the server. Fail on both the cause and the remedy....

0
3
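The two posts above make the same technical point: the listing comes from IIS directory browsing (off by default, turned on by whoever set up the site), and the fix is to switch that off, not to disable anonymous authentication, which would stop the public site serving pages at all. The audit script below is an added example, not code from the article or from any of the commenters. It works on a site-level web.config, with two constructed samples: the exposed state and the corrected one. It assumes the `system.webServer/directoryBrowse` and `system.webServer/security/authentication/anonymousAuthentication` elements appear in the site's web.config (on a default IIS install the authentication section is locked at server level, so in practice that attribute may only be visible in applicationHost.config); the element and attribute names themselves are the real IIS configuration schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a site web.config after someone ticked "Enable" in the
# IIS Directory Browsing feature. Anonymous auth is on, which is normal for a
# public site; the listing exposure comes from directoryBrowse alone.
EXPOSED_CONFIG = """
<configuration>
  <system.webServer>
    <directoryBrowse enabled="true" />
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
"""

# Constructed sample: the wrong remedy the second post warns about. Listings
# are still on, and the public site now prompts every visitor for credentials.
WRONG_FIX_CONFIG = EXPOSED_CONFIG.replace(
    '<anonymousAuthentication enabled="true" />',
    '<anonymousAuthentication enabled="false" />',
)


def _child(node, *tags):
    """Walk down the tree by exact tag names (tags contain dots, so avoid XPath)."""
    for tag in tags:
        node = next((c for c in node if c.tag == tag), None)
        if node is None:
            return None
    return node


def _enabled(node, default):
    """IIS attributes are 'true'/'false' strings; absent element means the schema default."""
    if node is None:
        return default
    return node.get("enabled", str(default)).strip().lower() == "true"


def audit_web_config(xml_text):
    """Return the two settings that matter here plus human-readable findings."""
    root = ET.fromstring(xml_text)
    browse = _enabled(_child(root, "system.webServer", "directoryBrowse"), False)
    anon = _enabled(
        _child(root, "system.webServer", "security", "authentication",
               "anonymousAuthentication"),
        True,
    )
    findings = []
    if browse:
        findings.append("directory browsing enabled: any folder without a "
                        "default document lists its files to every visitor")
    if not anon:
        findings.append("anonymous authentication disabled: the public site "
                        "now demands a login, which breaks it without fixing listings")
    return {"directory_browsing": browse, "anonymous_auth": anon, "findings": findings}


def remediate(xml_text):
    """Turn directory browsing off and leave authentication exactly as found."""
    root = ET.fromstring(xml_text)
    ws = _child(root, "system.webServer")
    if ws is None:
        ws = ET.SubElement(root, "system.webServer")
    db = _child(ws, "directoryBrowse")
    if db is None:
        db = ET.SubElement(ws, "directoryBrowse")
    db.set("enabled", "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, cfg in [("exposed", EXPOSED_CONFIG), ("wrong fix", WRONG_FIX_CONFIG),
                      ("remediated", remediate(EXPOSED_CONFIG))]:
        result = audit_web_config(cfg)
        print(f"{name}: {result['findings'] or 'no findings'}")
```

Run against the exposed sample it reports only the listing problem; against the "wrong fix" sample it reports both, making the point that the authentication change is a regression rather than a remedy; after `remediate()` it reports nothing while anonymous access is still on. On a live server the same change is what the Directory Browsing checkbox in IIS Manager writes, so the script is only a way to audit many site configs at once rather than a replacement for the GUI.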
Anonymous Coward

"could just have easily have been enabled on Apache"

No it couldn't. No GUI ;)

6
0

Re: "could just have easily have been enabled on Apache"

Umm, cPanel, Plesk, ISPConfig, Hosting Controller, DirectAdmin, Kloxo, to name just a few GUIs for Apache.

1
0

This post has been deleted by its author

Anonymous Coward

Really? Both are divisions of the same PLC, run by the same management, accountable to the same shareholders, no?

0
0

This post has been deleted by its author

Silver badge

@AC 09:44

I am a talk talk business customer. A residential one. Freedom2surf was merged with Opal & became TalkTalkBusiness

0
0
Anonymous Coward

Re: @AC 09:44

Why don't you change over to TalkTalk Residential and save yourself some money?

0
0
Silver badge

Re: @AC 09:44

Static IP address, no cap, allegedly no shaping (though I have my doubts), UK call centres, inertia.

0
0
Anonymous Coward

So TalkTalk are basically saying they're not responsible for any data that's not held on their own network? Christ. Given their past phorm form with their StalkStalk product and their run-ins with the ICO, I would have thought they would have raised their game.

3
0
Anonymous Coward

@AC 09:31

Teehee! StalkStalk! Really clever! Don't forget to show it to your primary school teacher.

0
11
FAIL

Re: @AC 09:31

Try not to be an annoying, petty, pedantic little nutsack for the rest of your life, eh? Have a day off. Stalk Stalk is what people have been calling this company since 2008 and the Phorm fiasco.

SWAG: It used to mean screwed without a GUI. Now it seems they're screwed even with one.

MCSE: Must consult someone experienced.

5
2
Anonymous Coward

Re: @AC 09:31

Talktalk weren't involved with Phorm. You're mixing it up with BT.

0
0
Anonymous Coward

Thanks Reg!

My bad. I've fixed it now. Thanks for pointing it out!

0
1

This post has been deleted by its author

Megaphone

Even if this is not their problem, for their rep to come out with "It's not one of our servers, so it's not our problem," is really bad, shows them in a bad, uncaring light and gives the opportunity for negative headlines, although it is quite refreshing to see a straightforward answer with no canned, clichéd statements, weasel words or other bullshit that is so common from any big company these days.

Now if we could just get them to do that AND take responsibility for their actions, we would be going in the right direction.

2
0

This post has been deleted by its author

WTF?

If you're going to accuse the article's author of inventing quotes then you need to provide evidence. Until then we'll just assume you're the one making things up, ok? You are after all posting as 'anonymous', which doesn't give your version of events any credibility at all.

3
1

This post has been deleted by its author

You are accusing the author of lying, I think that requires some backup even if you don't.

Otherwise you just look bitter.

1
0

This post has been deleted by its author

Anonymous Coward

Surprising

Because Talk Talk are well known for their excellent customer service.

1
1

Re: Surprising

My sarcasm detector just exploded.

2
0
Silver badge

Re: Surprising

my detector of exploding sarcasm detectors just exploded.

0
0
Bronze badge
Facepalm

slap head

hmm

"Our firewalls are all secure"

A firewall is not a complete way of securing your network or data >_<

0
0
Anonymous Coward

Re: slap head

They didn't say their data were secure because of firewalls, just that the firewalls /themselves/ are secure. Or maybe they mean they started the firewall with the "secure/insecure" setting set to "secure".

0
0
Silver badge

Re: slap head

"A firewall is not a complete way of securing your network or data >_<"

No, but if someone says that an external system is connecting into your internal network, that's a reasonable part of your response statement.

0
0
Bronze badge

Re: slap head

And "Our firewalls are all secure" wasn't the answer to the question asked, either.

Hell, there are a bunch of secure firewalls in North Carolina, too....they're still in the box.

1
0

This post has been deleted by its author

Eh?

Since this piece was published TalkTalk has supplied the Register with this statement:

"We take data protection very seriously and have launched an investigation. We have established that the data did not come from any of our servers or any of our contractors' servers, and that our firewalls and security procedures are functioning properly.

We are working to identify the IP address from which this data was disseminated, and are in contact with the appropriate authorities."

I realise it is sometimes difficult to understand the 'help desk' but are you certain that the above is correct?

Normal advice is to turn various things on and off.

1
0