Here's how TalkTalk ducked and dived over THAT gigantic hack

It has been almost two weeks since the "cyber attack" on the TalkTalk website of 21 October, yet the company is yet to tell its customers how their data was compromised. TalkTalk's CEO Dido Harding has yet to offer anything more than a token apology regarding the company's security practices, which allowed more than a million …


  1. eSeM

    Why Is Dido Harding Still in a Job?

    I had TalkTalk customer support call me up at the weekend; they had all my details. Allegedly my broadband account had been suspended and I needed to enter some details on their website to get it un-blocked.

    Very authentic, they hardly spoke any English, just like the real TalkTalk support :-(

    1. Anthony Hegedus Silver badge

      Re: Why Is Dido Harding Still in a Job?

      That dildo woman should resign. She is a deceitful lying woman who is clearly not in proper control. Talktalk should "do right" by their customers by letting them leave. And she should get rid of the Indian call centres.

      1. Anonymous Coward

        Re: Why Is Dido Harding Still in a Job?

        It's odd that the government hasn't made a bigger thing about the TalkTalk hack - after all, it is one of the largest leaks of personal information in the UK that hasn't been managed by the government, and they're always telling us about the threat of all things cyber.

        Could it be that they don't want to draw attention to the incompetent Dido Harding being a colleague of Cameron's at Oxford PPE, a Tory peer and married to John Penrose MP Lord Commissioner of Her Majesty's Treasury, and assistant government whip?

    2. Zog_but_not_the_first
      Meh

      Re: Why Is Dido Harding Still in a Job?

      Because she is yet another example of the self declared "talent" whose chief function is to trouser wadloads of cash while keeping an eye out for the next revolving door opportunity.

      I've always believed strongly in the concept of taking responsibility for things that happen "on my watch". She obviously doesn't.

      1. allthecoolshortnamesweretaken

        Re: Why Is Dido Harding Still in a Job?

        I've always believed strongly in the concept of taking responsibility for things that happen "on my watch".

        To quote Dilbert's PHB: "I can see why you're not in management."

      2. Mark 85
        Devil

        Re: Why Is Dido Harding Still in a Job?

        "I've always believed strongly in the concept of taking responsibility for things that happen "on my watch". She obviously doesn't."

        Which means you have ethics and thus can never, ever be a C-suite resident.

    3. Anonymous Coward

      Re: Why Is Dido Harding Still in a Job?

      Why Is Dido Harding Still in a Job?

      She's not going to willingly walk away from a job where she got paid £7m last year just to inadequately oversee a collection of outsourced and offshored peasants, is she? And if she won't go willingly, who's going to sack her, the makeweights and free lunchers of the non-executive directors of TalkTalk? I think not.

      The question is, why are you still paying your share of Ms Harding's vastly inflated remuneration? Terminate your contract with them, citing the Supply of Goods and Services Act 1982, and their failure to deliver the service with reasonable care and skill, offering as prima facie evidence the details of the call you had, and the fact that IT data breaches have been going on since at least 2007 but are readily avoided by the application of reasonable care and skill.

      I can't see you having much joy with TalkTalk's infamously useless call centres, so probably better to do it as a letter to Ms Harding herself at the registered office. She'll never see it, but a flunky will point it in the right direction. They can't dispute your claim using their T&C because statute law trumps the terms of any contract, and then their only grounds for dispute is to claim that a breach of over 1.1m customer records does count as reasonable care and skill, which won't stand up in the small claims court if that's where this goes. Here's a starter for ten:

      https://www.citizensadvice.org.uk/consumer/template-letters/letters/problems-with-services/letter-to-end-contract-due-to-poor-work-and-lost-faith/

      Or rather than letter, offer them notice of termination for the above reasons on one of their social media forums. That way it's all in public view, and the press will be reading it.

      1. I. Aproveofitspendingonspecificprojects

        failure to deliver service with reasonable care and skill

        Once you get told that your account is no longer working, by some illiterate non-English-speaking oik (that just happens to have all the data on you that Talk Talk requires to verify you) then you could assume, quite rightly, that it IS an official contact from the supplier and all you have to do is tell them:

        "OK, see to it the account remains suspended; I am going to get a decent ISP, please send the official communique in writing," and then tell them where to go.

        Hint when speaking to people of that nature: Shout V loudly.

    4. Dan 55 Silver badge

      Re: Why Is Dido Harding Still in a Job?

      They ring up people and want them to enter their details on any old website? Nice.

      That's if it really was TalkTalk ringing you up. If not then your data's doing the rounds.

    5. TitterYeNot

      Re: Why Is Dido Harding Still in a Job?

      I think you'll find you mean "Why is Dido Harding, <Cough> Baroness Harding of Winscombe <Cough>, still in a job?"

      <Cough> Studied PPE at Oxford with David Cameron.

      <Cough> Married to Conservative government Minister John Penrose.

      Now you might very well think that the above facts could have a strong influence upon whether or not she keeps her job, despite her incompetence. But of course I couldn't possibly comment...

      1. Anonymous Coward

        Re: Why Is Dido Harding Still in a Job?

        Extremely appropriate, since David Cameron is a PR man (which is why he fronts the Conservative Party) and TalkTalk sounds more like a PR company than anything to do with modern communications.

        Politics, philosophy and economics sounds to me like the only subject at Oxford where you need just 33% to get a First, so long as it's the politics bit.

      2. VulcanV5
        Big Brother

        Re: Why Is Dido Harding Still in a Job?

        Like so many of her ilk, she's still in a job because her name is still on the Christmas card list of the Address Book clique that runs so much of this country. As her Christmas card sharing friend David Cameron once said to his Christmas card sharing friend Rebekah Brooks: LOL.

        As in: Linger On, Lying.

    6. Anonymous Coward

      Re: Why Is Dido Harding Still in a Job?

      More women need to be in these top positions to have management that is representative of society.

      Or so we're told.

      1. itzman

        Re: Why Is Dido Harding Still in a Job?

        Well that is a moot point - of course she is very representative of society - venal, incompetent and overweight - but are these qualities you want in a CEO?

      2. fullcrowmoon
        FAIL

        Re: Why Is Dido Harding Still in a Job?

        I'm pretty sure misogyny has no place here. Incompetence and failure are not gender-related issues. Dido needs to go, but it's for other, less obnoxious, reasons.

    7. Anonymous Coward

      Re: Why Is Dido Harding Still in a Job?

      I had a suspicious call here late last week too; dreadful line quality, so couldn't make out what they were saying, in a blatant foreign accent, so warned them off and hung up, because it couldn't be a professional caller...

      Social Engineer me, ha not happening; I'm security aware and have ample security training at work!

      I'll query dubious account security checks by any kind of service providers who I call or call me, because I don't want the information to be misused or faulty security to allow miscreants access to my accounts. I have ID protection anyway, because it is only a matter of time before a service provider cocks up.

      1. Richard 12 Silver badge

        Re: Why Is Dido Harding Still in a Job?

        Sounds like you already got "socially engineered", as ID protection isn't even worth the paper it's not written on.

        What do they do to "protect" your ID?

      2. Danny 14

        Re: Why Is Dido Harding Still in a Job?

        I never get calls like this. If I did then I'd pass it to my dog; he loves chatting on the phone depending on what is on TV (Bake Off makes him go nuts)

    8. Lallabalalla
      Unhappy

      Re: Why Is Dido Harding Still in a Job?

      I think you'll find that *Baroness* Dido Harding, if you please, is a member of the Government's Business Advisory Group, so no doubt we can look forward to a great many more of these scandals in the future.

      https://www.gov.uk/government/news/business-advisory-group

      Her husband John Penrose MP is Lord Commissioner (HM Treasury) (Whip) and also Parliamentary Secretary to the Cabinet Office.

      So I don't think she's going to be coming in for any criticism from anyone who matters - a group that excludes any TalkTalk customers.

  2. Craigie

    Talktalk have never been a real ISP in any way. They are basically a shell, with everything outsourced and offshored. They have negligible support or customer service infrastructure. This has been the case since the very beginning. If you use them for anything, this is who you are giving your money to.

  3. Anthony Hegedus Silver badge

    fuck this makes me angry!

    "No banking details have been taken that you wouldn't already be sharing when you write a cheque or give to someone so they can pay money into your account."

    A few years ago, we rather foolishly left our account details on our website for people to pay us, and we had a dozen or so direct debits set up through our account. Scammers can use these details to order services, sell them to their marks, and then run off with the cash, whilst the mark realises a few days later that the service was never paid for.

    No checks are done when setting up direct debits.

    1. Cuddles

      Re: fuck this makes me angry!

      Indeed. Wasn't it Jeremy Clarkson who famously published his bank details in a newspaper, claiming there was no possible security issue with letting everyone know them, and promptly had a reasonably large donation to charity taken from his account? I might be happy handing over the occasional cheque or giving my account details to a friend or customer, but that's a rather smaller pool with a much lower likelihood of fraud than "everyone on the internet". Someone like Clarkson might not be expected to know any better (although presumably he does now), but you'd rather hope that a company with a legal responsibility to protect data properly would take things a little more seriously.

      1. John G Imrie

        Re: fuck this makes me angry!

        Yep according to this http://news.bbc.co.uk/1/hi/7174760.stm someone set up a £500 direct debit to Diabetes UK. Though I think it would have been funnier to have sent the money to Greenpeace.

    2. J3D1

      Re: fuck this makes me angry!

      'No checks are done when setting up direct debits'

      Should that be a necessity now as that could well be a chink in the armour.

      1. Graham 32

        Re: fuck this makes me angry!

        @J3D1 Maybe not. Direct Debits allow companies to be reliably paid on time. The alternative is sending bills and waiting for customers to pay up, chasing with follow up demands etc which is less efficient and so more costly.

        If there's the occasional fraudulent DD set up that companies/banks/whoever have to refund it may well be cheaper than having a more secure DD system that fewer people use.

        Someone will be crunching the numbers, and I expect the current DD system will still be the cheapest.

        1. Rimpel

          Re: fuck this makes me angry!

          That doesn't mean it can't be improved though. All that is needed would be for you to log in to your bank and approve any direct debit that has been set up on your account in order to activate it within the 14 day cooling off period.

          1. Martin an gof Silver badge

            Re: fuck this makes me angry!

            log in to your bank and approve any direct debit

            Yeah, best of luck with that. My mother-in-law doesn't even own a computer, much less know which end of a mouse is which and while she's become quite adept at text messaging in the three or four years she's had a mobile phone, my dad can only just about remember how to operate the digital TV box and leaves "all that stuff" to my mum who at least knows where the power button is on her Mac (no mean feat!).

            My own simple solution to a lot of the problems - if you never sign up for online banking or telephone banking then you know that if you get an email or a phonecall ostensibly from your bank it must be a scam.

            But that does rather rely on having a branch nearby that I can go to when things need sorting. It works for me, but I know that there have been a lot of branch closures over the last 20 or so years and so it won't work for everyone.

            Oh, and when I had my card details nicked a while back it was (almost certainly) in a branch of a well-known retailer (i.e. not online) and although my bank cancelled the card immediately we spotted the problem, neither we nor they spotted for a further few months that a Continuous Card Payment had also been set up for a £7/month subscription and - guess what - even though the old card was cancelled and I was issued with a new one, the CCP was automatically rolled-over to the new card. You'd have thought that a subscription would have an address attached, but I doubt anyone would bother to check...

            M.

          2. teebie

            Re: fuck this makes me angry!

            " log in to your bank and approve any direct debit "

            That potentially opens a lot of attack vectors (*) to shut down one. And requires you to trust your bank's security.

            (*) keyloggers, accessing your bank account via your email, scam mails, banking app etc

          3. davemcwish

            Re: fuck this makes me angry!

            @Rimpel

            If I set up a new recipient via internet banking (I haven't tried DD), I'm required to go through a telephone authorization procedure before it's activated. I can't see that it would be difficult to implement this for DD.

  4. Phil_Evans

    Untrusted Media

    And whilst all this is going on, our friends at Sky and the Beeb mouth the press releases to camera without questioning any of the inconsistencies. For an entire day, the Beeb was putting out the Dodi-DDOS line with 'experts' like Rory Cellan Jones 'explaining' what it means to us, the little people. This is the new 'digital' media as they keep telling us as if they know squat.

    Again (and again and again), big business sailing too close to the wind with razor-thin operations with no talent making a farce of service with our personal and financial information. And not giving a sh...

    1. I. Aproveofitspendingonspecificprojects

      Getting rid of schmucks

      That doesn't sound very British, so I suppose the BBC will be keeping Rory Cellan Jones, foreskin and all.

  5. Kubla Cant

    cyber criminals are becoming increasingly sophisticated and attacks against companies that do business online are becoming increasingly frequent

    It was SQL injection, a 10-year-old attack vector, FFS! Any system that isn't written and supported by buffoons should repel it as easily as Dildo shrugging off blame.

    It's as if a car manufacturer sold a new car that can go at 100 mph, which turns out to use the brake technology from a 1908 Model T. They would be liable for the subsequent deaths and injuries.

    1. Camilla Smythe

      "It's as if a car manufacturer sold a new car that can go at 100 mph, which turns out to use the brake technology from a 1908 Model T. They would be liable for the subsequent deaths and injuries."

      "It's as if a broadband supplier sold a package that can go at 50Mb/s and throttled it to 10KB/s. They would be liable for errrrrr mumble mumble mumble."

      As you were.

    2. Anonymous Coward

      SQL injection? Based on what evidence?

      1. This post has been deleted by its author

    3. Infernoz Bronze badge
      Meh

      There is no excuse for building dynamic SQL directly as bare strings at all, and that includes template APIs which don't know about SQL escaping. Developers should use either a mature SQL builder API or a mature persistence API which automatically appends SQL-escaped values or uses parametrised SQL. All code should be routinely security audited and upgraded; that also includes early rejection of bad parameter values which could cause denial of service, database data-type specific exploits or value reflection exploits.

      All software architects, designers and developers should be security aware, because vulnerabilities can be quite subtle and much harder to fix later; this gets even more complex on distributed systems like cloud systems.
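      As an added illustration of the point above (example code written for this page, not taken from the thread or from any TalkTalk system), here is the same customer lookup written three ways against Python's built-in sqlite3 module: the bare-string anti-pattern, the placeholder-bound form, and the bound form with the early rejection of bad parameter values placed in front of it. The table, the addresses, the malformed input and the validation rule are all constructed for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a customer table (made-up data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, account TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, account) VALUES (?, ?)",
        [
            ("alice@example.invalid", "ACC-0001"),
            ("bob@example.invalid", "ACC-0002"),
            ("carol@example.invalid", "ACC-0003"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    """The anti-pattern: query text assembled from a bare string.

    Whatever the caller supplies is parsed as SQL, so a value containing
    quotes or operators rewrites the WHERE clause instead of being compared
    against the column.
    """
    sql = "SELECT account FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, email):
    """Placeholder binding: the value travels separately from the SQL text.

    The database compares the whole string against the column; it is never
    interpreted as part of the statement, so the input that dumps the table
    in the function above simply matches nothing here.
    """
    sql = "SELECT account FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


# Early rejection of bad parameter values, as the post recommends. A bound
# parameter cannot alter the query, but an oversized or malformed value can
# still burn server time or trip type-specific behaviour further down.
# The rule below is an assumption for the example, not a full RFC 5322 check.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}")
MAX_EMAIL_LEN = 254


def validate_email(email):
    """Return the value if it looks like an address, otherwise raise ValueError."""
    if not isinstance(email, str) or len(email) > MAX_EMAIL_LEN:
        raise ValueError("rejected parameter: wrong type or too long")
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("rejected parameter: not an e-mail address")
    return email


def lookup_hardened(conn, email):
    """Validation first, then the parameterised query."""
    return lookup_parameterised(conn, validate_email(email))


if __name__ == "__main__":
    db = make_db()
    bad_input = "' OR '1'='1"  # constructed malformed value, not an address
    print("vulnerable    :", lookup_vulnerable(db, bad_input))    # every account
    print("parameterised :", lookup_parameterised(db, bad_input))  # []
    try:
        lookup_hardened(db, bad_input)
    except ValueError as exc:
        print("hardened      :", exc)
```

      Run as a script it prints all three accounts for the bare-string version, an empty list for the bound version and a rejection message for the hardened one. The validation step is deliberately separate from the query: binding is what stops the value being interpreted as SQL, while the length and shape check is what keeps junk from reaching the database at all, which is the "early rejection" the post describes.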

  6. Anonymous Coward

    Let's try to weather the storm

    they said. And the gamble's paid off.

    1. Anonymous Coward

      Re: Let's try to weather the storm

      And the gamble's paid off.

      Only so far. According to one of the Reg hosted whitepapers on data breaches, the average cost of a data breach (investigation, resolution, restitution, trust winback campaigns, lost business) is over £100 per record. If that plays out true to form for TalkTalk, then this is a £100m+ hit. I have a suspicion that because of the high churn rate in telecoms reselling, and the vast publicity this has had, the costs to TalkTalk could easily be a lot higher. They've just had to pull all their marketing campaigns, and those are probably contractually committed costs, so they won't be seeing their money back, and that will affect customer acquisition rates. The sales teams are (hopefully!) sitting on their arses waiting for a phone to ring and (hopefully, again) when it does ring, it's a wrong number or a scammer asking if they've been missold PPI.

      I was subject to data breach by the incompetent fuckers at a Dixons Carphone subsidiary a few months back. Funny isn't it that the chairman of both Dickhead Carphone plc and of TalkTalk plc is Charles Dunstone? Could it be that he fosters a "think of the money" culture that puts short term profits ahead of customers every time?

      I'd like to nominate Dunstone for a board position with Thomas Cook - they appear to have the same values.

      1. davemcwish

        Re: Let's try to weather the storm

        @Ledswinger

        "I have a suspicion that because of the high churn rate in telecoms reselling, give it 6 - 12 months for people to forget and people will sign up" <- fixed it for you

        ElReg commentards will remember but there's a lot of people that don't follow this and will just go for a cheap deal at any given time.

  7. Anonymous Coward

    Direct debit

    Got a DD due to go out on Thursday, wonder if they'll have the cheek to try it? Bank already been told to decline all DDs from Talk Talk, and Talk Talk call centre been told I'll be leaving it like that until a satisfactory explanation is given .....

    1. John G Imrie

      Re: Direct debit

      I'd make sure that you have a copy of that bank instruction in writing. Then I'd still check my account the next day.

      1. Anonymous Coward

        Re: Direct debit

        I do, and I did.

        Talk Talk, however, have said they'll charge me £10 for any rejected direct debit ...

  8. Anonymous Coward

    All of the card protection and data protection stuff is a complete waste of time. Good luck convincing the board to fork out on doing anything properly ever again in the security world.

    Also all the talk about credit cards, I'm pretty sure that with all the personal data that's gone missing people can steal your identity.

    1. Infernoz Bronze badge
      Meh

      PCI and the Data Protection people should have mandatory fines and even loss of merchant status, so that there is no choice; PCI should forbid personal detail leaks too because the card issuers rely on personal details for customer anti-fraud enquiry authentication. Yes, ID theft is possible, as is Social Engineering, especially when joined up with other data sources.

      Point of Sale (shop till) software seems to be migrating to using security hardened, external services and devices to handle credit cards and user information for robust security, less need for PCI-* certification, and for flexibility; there is no reason that web software can't do the same. If any user data could be captured, it should be orders of magnitude smaller quantity of transactions.

  9. Anonymous Coward

    The effects of this could reach further than you'd think.

    In York a company called City Fibre are currently installing the first widespread FTTH infrastructure (1GB, both directions) in the UK, primarily to evaluate the commercial viability of such schemes. Now, can you guess which ISP they've signed up with to sell this to the homeowners, many of whom will already have access to Virgin FTTC cable?

    1. Mr Flibble
      Boffin

      Wouldn't that make City Fibre a TalkTalk wholesale reseller? In that case, the consumers would have contracts with them rather than TalkTalk, so TalkTalk won't have most of the information. I'm also assuming that CF have rather better than the TT level of data security…

      (Also, doesn't stealing data imply removal of said data from its original location? If the data remains there, it's not stolen, merely illegally duplicated…)

      1. Alan Brown Silver badge

        "Wouldn't that make City Fibre a TalkTalk wholesale reseller?"

        Yup. And there are a lot of smaller ISPs who are in the same boat. Mine is one of them.

        My DSL box has been hit so hard with external attacks over the last few weeks that it's been periodically rebooting when it runs out of ram to keep the logs in.

  10. adam payne

    Isn't it about time TalkTalk just held their hands up and accepted they were stupid, apologised properly and gave a detailed explanation of what went wrong?

    1. Anonymous Coward

      Isn't it about time TalkTalk just held their hands up and accepted they were stupid, apologised properly and gave a detailed explanation of what went wrong?

      Ladies & Gentlemen, I offer you incontrovertible proof that aliens both exist, and live amongst us here on planet Earth. They look like us, they sound like us, but they are still struggling to understand how and why things work as they do.

      1. adam payne

        I perfectly understand how things work but that doesn't mean they should work that way.

