TalkTalk plays 'no legal obligation' card on encryption – fails to think of the children (read: its customers)

On Sunday morning, embattled TalkTalk boss Dido Harding crassly stated that her company was under no legal obligation to encrypt customers' sensitive data. Her brutal – and, some might say, foolish – comment came a day after the budget telco confirmed that some of its subscribers' credit card details had been stolen in a raid …


  1. Inventor of the Marmite Laser Silver badge

    As I observed elsewhere in this illustrious mag

    What happened to Duty of Care?

    Talk Talk is (supposed to be) a professional company operating in the IT arena and, as such, should have been perfectly well aware of the risks when they specifically decided not to encrypt data.

    They DID think about it, didn't they?

    1. Anonymous Coward

      Re: As I observed elsewhere in this illustrious mag

      "They DID think about it, didn't they?"

      I'm sure the £350 cost of doing it was a major deciding factor against.

    2. Andy Non Silver badge

      Re: As I observed elsewhere in this illustrious mag

      Someone nailed this in another thread:

      "I am not legally required to close and lock my door; but if I'm burgled, then I'm at least partly responsible."

      Nuf said.

      1. JohnMurray

        Re: As I observed elsewhere in this illustrious mag

        Door open = theft, not burglary!!

      2. Trevor_Pott Gold badge

        Re: As I observed elsewhere in this illustrious mag

        "I am not legally required to close and lock my door; but if I'm burgled, then I'm at least partly responsible."

        No you're not. Not legally, nor morally.

        The law prohibits you from entering my premises without my permission. The door being unlocked, or even open does not give you any rights whatsoever to enter. That is the law.

        The law prohibits you from removing objects from my premises without my permission. The door being unlocked, or even open does not give you any rights whatsoever to enter. That is the law.

        In Canada it is perfectly normal to leave doors unlocked, and many of us (Toronto doesn't count, ever) do this all the time.

        The same moral and legal concept applies to pretty much everything. A woman is not "asking for it" by wearing revealing clothing...or even no clothing at all. You have no right to touch or fondle her, let alone rape her. Nothing she wears (or does not wear) makes any part of your actions her fault.

        These are not difficult concepts to understand. The burden of legal responsibility is on the individual who chooses to break the law. You do not "entice" someone into breaking the law by not employing devices or techniques designed to thwart would-be lawbreakers.

        You simply can't run a society where people are legally responsible for the choice of others to break the law by not participating in an ever more expensive and unwinnable arms race.

        It's called blaming the victim. Look it up.

        Now, that said, Talk Talk should have goddamned well encrypted everything. Not due to legal obligation, but because it is a minimum best practice for the data they handle and as such a mark of professionalism.

        Now, if we - as a society - believe that the arms race has gotten to the point that we must mandate minimum security measures, then by all means do so. An open public debate leads to laws and those become the laws we all must abide by. It becomes a universal cost of doing business.

        But don't blame the victim. You are not in any way responsible for someone breaking into your house. That's on them. They made the choice.

        If, however, you are guarding other people's things in your house, your duty of care to those other people may mean that you take precautions against the cold hard realities that there exist people who will break the law.

        Are you capable of understanding the differences?

        1. Arion

          Re: As I observed elsewhere in this illustrious mag

          > "I am not legally required to close and lock my door; but if I'm burgled, then I'm at least partly responsible."
          >
          > No you're not. Not legally, nor morally.

          Your analogy of blaming the victim doesn't apply here; in this case the victim is the customers who trusted talktalk with their payment details, and regardless of specific law about encryption, talktalk had a duty of care to these customers which it neglected.

          Falling back on the absence of a specific law requiring encryption is both pathetic and contrary to the concept of common law (or as the merkins would call it, case law). I suspect that if this ended up in court in the UK, or the US, there would very soon be a law requiring such data to be encrypted. The law is whatever the judge says it is, and this kind of bullshit is why.

    3. Anonymous Coward

      there are two types of companies in 2015

      A) Those companies, like TalkTalk & Sony who know they have been hacked, sacked & dumped

      and

      B) the rest of the companies who don't know (yet) that they have been hacked, the pillaging is still ongoing!

      implement: encryption, multifactor authentication, air-gaps etc - don't they understand the internet?

    4. Anonymous Coward

      Re: As I observed elsewhere in this illustrious mag

      Not so much Dido Harding but Dodo Harding, a species soon to be extinct.

      1. Lallabalalla
        Unhappy

        Re: As I observed elsewhere in this illustrious mag

        I think you'll find that *Baroness* Dido Harding, if you please, is a member of the Government's Business Advisory Group, and her husband John Penrose MP is Lord Commissioner (HM Treasury) (Whip) and also Parliamentary Secretary to the Cabinet Office.

        She's not going anywhere.

    5. Anonymous Coward

      Re: As I observed elsewhere in this illustrious mag

      Talktalk are currently emailing customers stating "We constantly review and update our systems to make sure they are as secure as possible..."

      Dido said "It wasn't encrypted, nor are you legally required to encrypt it," she told the newspaper. "We have complied with all of our legal obligations in terms of storing of financial information."

      How can they get away with lying TODAY to their customers, after all that has happened?

      1. I. Aproveofitspendingonspecificprojects

        Re: As I observed elsewhere in this illustrious mag

        > We constantly review and update

        > It wasn't encrypted, nor legally required to encrypt

        = False advertising and failure of contract

        = a get out clause. Close the account immediately and let the bastards sue you. You won't go to prison but even so it would be worth it to spite them on principle.

      2. JohnMurray

        Re: As I observed elsewhere in this illustrious mag

        Obviously you have never been a talkcrap customer.....

        Why change the business model because somebody else stole their customers' details..

  2. Elmer Phud

    Cat escapes from bag

    Latest press release from Talk Talk:

    "Customer service? customer service? --no got me there. By the way don't try escaping - we'll charge you for it (it's the only way we will retain customers)"

  3. Alister

    Journalists reporting on this and other recent cases seem to think that the PCI-DSS is a set of strict Regulations, all of which must be met to gain PCI compliance.

    This is not actually the case. PCI-DSS is a collection of recommendations for best practice, but they are not "laws", and in fact so long as a valid reason can be given and noted in the risk register, most of these recommendations can be set aside.

    The classic case is in the matter of SSL cypher suites. If you follow PCI-DSS to the letter, and turn off all the cypher suites that are considered insecure, then a large percentage of the internet would be unable to browse your website, only those with the newest browsers and operating systems which support the newest cypher suites would be able to make a secure connection.

    Curiously, in one PCI audit we had, the QA wanted to fail us because the firewall rules allowed https connections to the load balancer from any IP - this is a public facing website!!

    None of this excuses how TalkTalk have handled this, though, just thought it worth setting the record straight.

    1. Anonymous Coward

      Letting users transmit sensitive data using outdated software riddled with security issues, just because you love to take their money in whatever unsafe way they have at their disposal, does not seem very ethical.

      And actually, major banks and payment systems have decided to disable obsolete protocols. Because it impacts only systems carrying payment information (you're free to use unsafe encryption for other things, PCI won't give a damn, just not to carry credit card numbers).

      It's been done around here, and just so you know, logs showed it was actually a small percentage of users that would be impacted, less than 5% of those doing payments over the internet. Still not small enough, but too bad for them. If they'd lose their money, they'd be even more upset than not being able to order pizza using the pirated and unpatched WinXP they installed on their granddaddy's PC.

    2. A Non e-mouse Silver badge

      "Journalists reporting on this and other recent cases seem to think that the PCI-DSS is a set of strict Regulations, all of which must be met to gain PCI compliance"

      PCI Regulations are a vague, loosely worded load of B/S designed to pass the buck on any card fraud from the card companies to the merchant.

      1. Anonymous Coward

        According to my card handling service my site is not PCI DSS compliant. According to my hosts I should get a dedicated server to do this. The amount of the fine for non-compliance is a fraction of the cost of a dedicated server. No brainer really.

        1. dcluley

          The answer to the fine problem is to make it a small fine per day of non-compliance. The cumulative effect then makes it economic to install the solution whilst not overly penalising a company that puts it right as soon as it discovers the problem.

          1. Domquark

            At least in the UK, I have come across 2 PCI companies which charge customers for each day that they are not compliant.

    3. Adam JC

      Interesting

      Hands up, those of you who got fed up with the stupid automated PCI DSS flagging up port 80/443 being open to the internet as a FAIL, who then turned on the firewall into foxtrot-oscar mode (Albeit momentarily!) to block everything...?

      >:-)

      1. Sir Runcible Spoon

        Re: Interesting

        "Curiously, one PCI audit we had, the QA wanted to fail the us because the firewall rules allowed https connections to the load balancer from any IP - this is a public facing website!!"

        There is a simple way around this. Simply create objects for your internal IP ranges, then create another object that represents everything *except* your internal IP range object.

        This does not flag as an 'any' rule, and you should really have an object set up like this anyway for all the RFC 1918 objects and have them denied right at the top of your rulebase.
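        The object trick described in the post above, as an added example that is not the commenter's code: it models the RFC 1918 "internal" object, derives the "everything except internal" object by carving those ranges out of 0.0.0.0/0, and evaluates a small top-down rulebase in which private sources are denied first and HTTPS to the load balancer is allowed only from the derived object. The object names, the TEST-NET-3 load balancer address and the rule layout are assumptions.

```python
import ipaddress

# The commenter's "internal" object: the three RFC 1918 ranges.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed load balancer VIP in the TEST-NET-3 documentation range (an assumption).
LB_VIP = [ipaddress.ip_network("203.0.113.10/32")]


def complement(universe, excluded):
    """Networks of `universe` with every network in `excluded` carved out.

    CIDR blocks either nest or are disjoint, so each excluded block is
    either dropped, carved out with address_exclude(), or irrelevant.
    """
    remaining = [universe]
    for ex in excluded:
        carved = []
        for net in remaining:
            if net.subnet_of(ex):          # net lies entirely inside the excluded block
                continue
            if ex.subnet_of(net):          # excluded block lies inside net: split net around it
                carved.extend(net.address_exclude(ex))
            else:                          # disjoint: keep as is
                carved.append(net)
        remaining = carved
    return sorted(remaining)


# The "everything except internal" object: derived, so the rule is not written as "any".
NOT_INTERNAL = complement(ipaddress.ip_network("0.0.0.0/0"), INTERNAL)

# Rulebase evaluated top-down, first match wins: (name, src object, dst object, dst port, action).
# None for an object or port means "unrestricted".
RULES = [
    ("deny-rfc1918-sources", INTERNAL, None, None, "deny"),     # anti-spoof deny at the top
    ("allow-https-to-lb", NOT_INTERNAL, LB_VIP, 443, "allow"),  # public HTTPS without an 'any' source
]


def in_object(addr, obj):
    """True when `addr` (an ipaddress object) falls inside any network of the object."""
    return obj is None or any(addr in net for net in obj)


def evaluate(src, dst, port):
    """Return (rule name, action) for a packet; unmatched traffic hits the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, s_obj, d_obj, d_port, action in RULES:
        if in_object(src, s_obj) and in_object(dst, d_obj) and d_port in (None, port):
            return name, action
    return "implicit-deny", "deny"


if __name__ == "__main__":
    for net in NOT_INTERNAL:
        print(net)
    print(evaluate("198.51.100.7", "203.0.113.10", 443))  # public client reaches the VIP
    print(evaluate("10.1.2.3", "203.0.113.10", 443))      # private source denied at the top
```

        The derived object still admits every public address, so it satisfies the scanner's 'any' check without reducing exposure; the real gain is the anti-spoof deny at the top of the rulebase.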

  4. Tony W

    "Appropriate" has legal force

    As technology is constantly changing, it is right that the law should not require a specific technical process. After all, just requiring encryption wouldn't be much use, that could mean ROT13. If the measures they took didn't work, but measures taken by other companies in the same industry would have worked, it would be easy to argue that what they did wasn't appropriate.

    1. Bc1609
    2. Dan 55 Silver badge
      Flame

      Re: "Appropriate" has legal force

      They also say they are ISO 27001 compliant which requires encryption for data at rest. Or are they allowed to skip that bit for products they advertise to home users? Perhaps Dido could clarify the situation and tell us if they're actually not compliant with ISO 27001 or they just don't care about the little people (and possibly weakening security for business/government customers by intentionally not protecting consumer data held on the same server/cluster)?

      http://www.talktalkbusiness.co.uk/news-events/news-ttb-listing/video-news/security-recognition-for-cast1/

      http://www.talktalkbusiness.co.uk/partners/products-and-services/hosted/hosted-data-centre/

    3. firu toddo
      Coat

      Re: "Appropriate" has legal force

      Maybe Talk Talk did use ROT13 on their data, and did it twice just to be sure.

  5. Arctic fox
    WTF?

    Denis Healey was very fond of quoting the "Law of Holes" .............

    "On Sunday morning, embattled TalkTalk boss Dido Harding crassly stated that her company was under no legal obligation to encrypt customers' sensitive data."

    .........as in when you've ended up in one it is wise to stop digging. Icon? My reaction when I read what she had said.

  6. Tromos

    I also note that...

    ...there is no legal requirement for a tech company to be run by a person whose technical knowledge exceeds that of the average gibbon.

    1. Inventor of the Marmite Laser Silver badge

      Re: I also note that...

      That's a bit harsh on Gibbons, isn't it?

      1. Ken 16 Silver badge
        Headmaster

        Re: I also note that...

        He deserves it for Decline and Fall...

  7. Anonymous Coward

    It will only get worse

    Within the current legal framework, TalkTalk were a bit silly to not encrypt. Then again this is a company that can't even protect against the most basic of SQL injections.

    In the future David Cameron will be rendering such encryption illegal. So we will see more of these breaches as all data is in the clear because "terrorism".

  8. Anonymous Coward

    Technically correct, I suppose

    They are obliged to take steps to keep data safe and the specific mechanism to be used isn't specified. So the absence of encryption is not in itself a breach of the rules.

    That they didn't keep the data safe is obvious and they need to be hammered for that specifically. Getting hung up on one specific aspect (encryption) just gives them an easy get-out in the arguments.

    I'm a TalkTalk victim and I now have a dilemma. I have no beef with the quality of their broadband service (it is reliable), so have had no need to test the quality of their customer service. If I were to dump TalkTalk in favour of another provider, wouldn't it just be a leap into the unknown?

    Worst case - TalkTalk are in the headlines but the other ISPs' breaches have yet to be discovered/publicised?

    1. Dan 55 Silver badge

      Re: Technically correct, I suppose

      There were three breaches in the past year. They don't encrypt. It appears the web front-end has complete access to the database. It's obvious they don't know what they're doing. Tools like this fished out customer data.

      But stay if you want to...

      1. Anonymous Coward

        @Dan 55 - Re: Technically correct, I suppose

        "But stay if you want to..."

        Yeah I know ...

        My concern is that I have no way of knowing how good any other provider's security is (the absence of publicity doesn't mean absence of problems), so I am wary of jumping elsewhere and potentially ending up in the same or a worse boat.

        It is a general problem these days - amateurism prevails when it comes to security and web-facing services. The only defence, it seems, is not to join up to anything.

        1. Dan 55 Silver badge

          Re: @Dan 55 - Technically correct, I suppose

          Go to a smaller one that looks like it's competent... Xilo... A&A... One that would probably have a hard time surviving if this happened to them, as opposed to the likes of TalkTalk which just bullshit and carry on regardless.

          1. Anonymous Coward

            @Dan 55 "Go to a smaller one that looks like it's competent"

            Yep. It needs researching, though, so I'm not going to jump just to express my displeasure with TalkTalk.

            Funny thing is, though, I'd be going right back to where I began: I signed up with Nildram for just the reasons you gave, and look where I am now, umpteen buy-outs later.

            Any recommendations?

            1. Anonymous Coward

              Re: @Dan 55 "Go to a smaller one that looks like it's competent"

              Strange. Your ref to "Xilo... A&A" didn't register the first time I read it. I've heard of A&A but not Xilo.

              It's gonna take some research, I think. A bit like 'Which Linux distro should I go to when I junk Windows?'

              1. Dan 55 Silver badge

                Re: @Dan 55 "Go to a smaller one that looks like it's competent"

                Try this...

                http://www.ispreview.co.uk/

                It's got a top 10/50 and a 2015 summary, but skip the first page of the summary as it concerns the best cheapest ISPs, so you only get the usual suspects.

                1. Anonymous Coward

                  @Dan 55

                  Thanks for the link. I think I will need it after all.

              2. I. Aproveofitspendingonspecificprojects

                Re: @Dan 55 "Go to a smaller one that looks like it's competent"

                You are using Windows? Still?

                I thought that Windows was only used by magazines like this to give them something to talk about.

                As well as there being unlimited versions of Linux there are three main formats, not counting the other one. And you can use all of them interoperationally.

                1. Anonymous Coward

                  @ I. Aproveofitspendingonspecificprojects ...

                  "As well as there being unlimited versions of Linux there are three main formats"

                  ... hence the need to be thoughtful about what is going to be a major change.

                  I'm winding down my use of Windows-specific stuff and moving to software that I know is available on Linux. At the same time I'm beginning to do certain things only on Linux (Mint). I'm in no hurry - provided that I'm successful in keeping MS from corrupting my OS with back-fed Windows 10 'improvements', I have a few years yet (barring any further malice from Microsoft).

    2. Brewster's Angle Grinder Silver badge

      Re: Technically correct, I suppose

      "Worst case - TalkTalk are in the headlines but the other ISPs' breaches have yet to be discovered/publicised?"

      That's one worst case. The other is TalkTalk are crap at securing a website while all the other ISPs are reasonably competent. If this was the first major hack of an ISP, I'd agree the others might, in time, prove equally vulnerable. But there seems to have been a run of attacks on TalkTalk spanning back months during which time there have been no reported attacks on any other ISP. Maybe the other ISPs are better at news management, but I think we're reaching the point where you accept the TalkTalk coin is coming up heads more than chance should allow.

      1. Anonymous Coward

        @ Brewster's Angle Grinder - Re: Technically correct, I suppose

        Yes, I suppose hits on Talktalk going back to last year vs nothing obvious on the rest does tend to suggest that a systemic problem (or endemic 'who gives a shit' attitude) exists at TalkTalk. Ah well, time to do some research...

    3. anonymous boring coward Silver badge

      Re: Technically correct, I suppose

      I never signed up with TalkTalk, and never would have. They did buy someone however, who earlier bought Pipex that I signed up with.

      On the plus side, they are now likely to make things a lot more secure. If only they could sort out their Fisher Price account log on spam crap...

  9. kdh0009

    She's right....

    If you're head of a big company with lots of customers' personal data, you don't encrypt it for their benefit - you encrypt it for your own.

    If a hacker steals a bunch of encrypted data and can't decrypt it, Bingo! no breach of the data protection act.

    Since they didn't bother, there's a bunch of DPA fines coming their way.

    1. chris 17 Silver badge

      Re: She's right....

      The loss to their reputation will cost more than the fines. That's one of the main business drivers to implement proper security in the first place.

      1. JohnMurray

        Re: She's right....

        They had a reputation to lose?

        I must have missed that as it flew past me at just under lightspeed....

    2. Andy Davies

      Re: She's right....

      There is no need to encrypt credit card data because it should be on a server with no public-facing network connection. You only need it to collect your fees, don't you?

      (Please tell me it's not stored so that it is available to shopping websites that your customers may use!).

  10. Tony S

    House of Commons Committee

    The BBC Parliament channel regularly shows the activities of the various committees. The MPs that sit on these can get quite aggressive when questioning those brought before them; and extremely scathing of people in authority that either demonstrate a lack of knowledge of their own business or try to BS an answer.

    I think that we can guarantee that Ms Harding and her staff will be called upon at some stage to discuss this debacle; and I'm sure that it will be highly entertaining for most people. It might not fix the problem, but I'd bet that it will be highly satisfying to watch them get a roasting.

    1. LucreLout

      Re: House of Commons Committee

      The BBC Parliament channel regularly shows the activities of the various committees. The MPs that sit on these can get quite aggressive when questioning those brought before them

      And vastly hypocritical they can be too. I forget which tax-dodging MP it was quizzing the tech giants while hiding inherited wealth behind offshore family trusts.

      The part that I don't understand about these committees is that they expect those "summoned" to appear, and to answer their questions. And yet they can do nothing. If the CEO of whatever firm just decides not to appear, nothing happens. If the CEO appears and aggressively questions the committee, there's really not vast amounts they will do about it.

      1. Anonymous Coward

        Re: House of Commons Committee

        Margaret Hodge
