TalkTalk subsidiary's customer data placed on the web in IIS whoopsie

Greystone Telecom, adopted child of TalkTalk and provider of telecommunications to the business community, is unwittingly sharing customer and contract details with the world: but TalkTalk doesn't care. The details include customer and contract prices, copies of sales orders and spreadsheets showing how things are going at the …

COMMENTS

This topic is closed for new posts.
  1. Hardcastle the ancient
    Thumb Down

    IIS

    nuff said.

    No, it isn't. What does the data protection office have to say about all this? Should you not have gone to them for a quote? I bet they would be interested in this sort of thing.

    1. Anonymous Coward
      Anonymous Coward

      Re: IIS

      "What does the data protection office have to say about all this?"

      Nothing. They are too busy chasing us for dropping cookies onto users machines.

      Meh.

      1. cs94njw

        Re: IIS

        Not.

      2. AndrueC Silver badge
        Joke

        Re: IIS

        >They are too busy chasing us for dropping cookies onto users machines.

        It was you wot done it, were it? Ooooh. I'm so mad I could crush a grape.

        1. Crisp

          Re: IIS

          +1 for the Stu Francis and Crackerjack reference.

      3. Alfred 2
        Unhappy

        Re: IIS

        "No, it isn't. What does the data protection office have to say about all this? Should you not have gone to them for a quote? I bet they would be interested in this sort of thing."

        You're kidding right?

The ICO couldn't give a ***** It's not a public body, so in the view of the Idiot Control Office - no harm done, end of.

  2. Morg

    And Windows Server

    For how much longer will we see fake IT professionals recommending microsoft server technologies that are built with fail, by fail, to fail ...

    1. Anonymous Coward
      Anonymous Coward

      micros~1 is still profitable, innit?

Even ostensible open source executive guy Matt here on el reg keeps on measuring market size in costs incurred, not useful work done (what places have Combined Heat and Computing plants heating the building?) which presumably will drive more of his ilk to do whatever everyone else is doing in their attempts to gain a competitive advantage. So, at a guess, quite a while yet.

      And hey, it's not fake. As dear Dominic just expounded: Getting paid by the hour means prolonging the problem. Getting paid more means being more professional. This must be true for the recruiter pro said so.

    2. Anonymous Coward
      Anonymous Coward

      Re: And Windows Server

I'm sure you're proud of your little mantra there, but you've missed the point, I'm afraid. This is a configuration error, so in the lap of the dip setting it up. Undeniable that it's poor practice to be open to anonymous access by default, but it's the job of the guy setting it up to make sure the settings are right. Saying "Oooh, it's MS therefore destined to fail!" is cliched, sad and just untrue.

      1. SYNTAX__ERROR
        Boffin

        Re: And Windows Server

        There's also the small point that usually one wants his web site to be accessible by the world.

      2. Morg

        Re: And Windows Server

        Right. Because it just works ...

    3. phlashbios
      FAIL

      Re: And Windows Server

      Boring, tedious, rhetoric once more.

      If the thing is configured incorrectly by the person installing it, that is hardly the fault of the software.

      It gets exceedingly stale, the constant bashing of anything MS on these forums. It is of course, fantastic that Linux is always perfect and is never misconfigured.

      1. The BigYin
        Facepalm

        Re: And Windows Server

        "If the thing is configured incorrectly by the person installing it, that is hardly the fault of the software."

        When the software's default position is "Rape me! Have at my datas you randy hounds!" then I'd say that's a problem.

        "It is of course, fantastic that Linux is always perfect and is never misconfigured."

        A few points:

        1) Linux is a kernel, not a web server;

        2) No one claimed it was perfect;

        3) No one even mentioned it.

If you had cited Apache (or Tomcat or WebLogic or...) then you might have had a point. Too busy following the old rhetoric of "If they say anything anti MS, they must be a pro GNU/Linux, freedom-loving, fanboi. Engage maximum frothing!"

      2. Morg

        Re: And Windows Server

        That's because you don't understand the topic. It's not about misconfiguration, it's about total fail.

  3. banjomike
    WTF?

    He has a file of "hold music" ??

    He must be mentally ill, or at least have spectacularly bad taste.

  4. Spindreams

How is the fact that IIS allows anonymous access by default a security issue? It is a web server after all and is meant to be used to publish stuff to the world wide web; if you don't want that data published then you remove the anonymous access user or put it behind a firewall etc.

    As someone who owns a hosting business and who administers IIS and Apache day in, day out I can vouch for IIS7 as being a very good web server. I actually think the story poster is talking about having directory browsing enabled and I know that by default that is not enabled in IIS so the server admin must have enabled it.

    If it is a fail it is for the person who configured the website not IIS itself.

    This sounds more like Linux fan-boys out to discredit something they know nothing about...

    1. drunk.smile

      Isn't that what the article says?

      Hell, it even goes as far as to give the contractor advice on how to secure the server against this (tick a box).

      Read the article again.

      1. Anonymous Coward
        Anonymous Coward

        @drunk.smile

        I'd have thought it was obvious he's referring to the fanboys, genius. (Nice that someone else can actually spell it correctly, too.) Read the comments and get a sense of context. Or the bit on the label about alcohol content ...

      2. Spindreams
        FAIL

        The article goes into much detail about how this is a problem specific to IIS, even the title "TALKTALK SUBSIDIARY'S CUSTOMER DATA PLACED ON THE WEB IN IIS WHOOPSIE".

This is NOT a problem with IIS and could just as easily have been enabled on Apache or any other web server software. The article poster is also blaming the anonymous user access when the problem is actually having directory browsing enabled; if you disable anonymous access then not even web pages can be viewed unless the person logs in to the server. Fail on both the cause and the remedy....

        1. Anonymous Coward
          Anonymous Coward

          "could just have easily have been enabled on Apache"

          No it couldn't. No GUI ;)

          1. Spindreams

            Re: "could just have easily have been enabled on Apache"

            Umm Cpanel, Plesk, ISPConfig, Hosting Controller, DirectAdmin, Kloxo to name just a few GUIs for apache
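The distinction drawn in Spindreams' two comments above (directory browsing, which is off by default in IIS, is the setting that lists a folder's contents; anonymous authentication is what lets any visitor fetch pages at all, so switching it off is not the remedy) can be checked directly on the box. The script below is an added example, not code from the article or from any commenter. It assumes IIS 7 or later with the WebAdministration module, an elevated PowerShell session, and that per-site settings are what matter (per-application overrides under a site would need the same query against their own `IIS:\Sites\<site>\<app>` path). Run it with no arguments to audit, or with `-Fix` to turn directory browsing off wherever it is found on.

```powershell
# Added example: audit every IIS site for directory browsing and, with -Fix,
# switch it off. Assumes WebAdministration (IIS 7+) and an elevated session.
param([switch]$Fix)

Import-Module WebAdministration

foreach ($site in Get-Website) {
    $path = "IIS:\Sites\$($site.Name)"

    # directoryBrowse/enabled is the setting behind the "Directory Browsing"
    # tick box in IIS Manager. The shipped default is false; if it reads true
    # someone turned it on.
    $dirBrowse = (Get-WebConfigurationProperty -PSPath $path `
        -Filter 'system.webServer/directoryBrowse' -Name 'enabled').Value

    # Anonymous authentication decides whether unauthenticated browsers can
    # fetch anything at all. Leaving it on is normal for a public site and is
    # not what exposes a folder listing.
    $anon = (Get-WebConfigurationProperty -PSPath $path `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
        -Name 'enabled').Value

    '{0,-30} directoryBrowse={1,-5} anonymousAuth={2}' -f $site.Name, $dirBrowse, $anon

    if ($dirBrowse -and $Fix) {
        # Same effect as clearing the tick box, or as putting
        # <directoryBrowse enabled="false" /> under system.webServer in
        # the site's web.config.
        Set-WebConfigurationProperty -PSPath $path `
            -Filter 'system.webServer/directoryBrowse' -Name 'enabled' -Value $false
        "  -> directory browsing disabled on $($site.Name)"
    }
}
```

Even with listings off, anything placed under a site's physical path is still served to anyone who knows or guesses its URL, so the durable fix is to keep sales orders and spreadsheets out of the web root altogether. The Apache equivalent of the tick box is `Options -Indexes` in the relevant `<Directory>` block or `.htaccess`, which is the setting a hosting control panel would be toggling.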

  5. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      Really? Both are divisions of the same PLC, run by the same management, accountable to the same shareholders, no?

      1. This post has been deleted by its author

        1. Robert E A Harvey

          @AC 09:44

          I am a talk talk business customer. A residential one. Freedom2surf was merged with Opal & became TalkTalkBusiness

          1. Anonymous Coward
            Anonymous Coward

            Re: @AC 09:44

            Why don't you change over to TalkTalk Residential and save yourself some money?

            1. Robert E A Harvey

              Re: @AC 09:44

              Static ip address, no cap, allegedly no shaping (though I have my doubts), uk call centres, inertia.

  6. Anonymous Coward
    Anonymous Coward

    So TalkTalk are basically saying they're not responsible for any data that's not held on their own network? Christ. Given their past phorm form with their StalkStalk product and their run-ins with the ICO, I would have thought they would have raised their game.

    1. Anonymous Coward
      Anonymous Coward

      @AC 09:31

      Teehee! StalkStalk! Really clever! Don't forget to show it to your primary school teacher.

      1. Chronos
        FAIL

        Re: @AC 09:31

        Try not to be an annoying, petty, pedantic little nutsack for the rest of your life, eh? Have a day off. Stalk Stalk is what people have been calling this company since 2008 and the Phorm fiasco.

        SWAG: It used to mean screwed without a GUI. Now it seems they're screwed even with one.

        MCSE: Must consult someone experienced.

        1. Anonymous Coward
          Anonymous Coward

          Re: @AC 09:31

          Talktalk weren't involved with Phorm. You're mixing it up with BT.

  7. Anonymous Coward
    Anonymous Coward

    Thanks Reg!

    My bad. I've fixed it now. Thanks for pointing it out!

  8. This post has been deleted by its author

  9. squilookle
    Megaphone

Even if this is not their problem, for their rep to come out with "It's not one of our servers, so it's not our problem," is really bad, shows them in a bad, uncaring light and gives the opportunity for negative headlines, although it is quite refreshing to see a straightforward answer with no canned, cliched statements, weasel words or other bullshit that is so common from any big company these days.

    Now if we could just get them to do that AND take responsibility for their actions, we would be going in the right direction.

    1. This post has been deleted by its author

      1. A Known Coward
        WTF?

        If you're going to accuse the articles author of inventing quotes then you need to provide evidence. Until then we'll just assume you're the one making things up, ok? You are after all posting as 'anonymous' which doesn't give your version of events any credibility at all.

        1. This post has been deleted by its author

          1. Zombie Womble

            You are accusing the author of lying, I think that requires some backup even if you don't.

            Otherwise you just look bitter.

            1. This post has been deleted by its author

  10. Anonymous Coward
    Anonymous Coward

Surprising

    Because Talk Talk are well known for their excellent customer service.

    1. Zombie Womble

Re: Surprising

      My sarcasm detector just exploded.

      1. Robert E A Harvey

Re: Surprising

        my detector of exploding sarcasm detectors just exploded.

  11. Captain Scarlet Silver badge
    Facepalm

    slap head

    hmm

    "Our firewalls are all secure"

    A firewall is not a complete way of securing your network or data >_<

    1. Anonymous Coward
      Anonymous Coward

      Re: slap head

      They didn't say their data were secure because of firewalls, just that the firewalls /themselves/ are secure. Or maybe they mean they started the firewall with the "secure/insecure" setting set to "secure".

    2. h4rm0ny

      Re: slap head

      "A firewall is not a complete way of securing your network or data >_<"

      No, but if someone says that an external system is connecting into your internal network, that's a reasonable part of your response statement.

    3. Anonymous Coward
      Anonymous Coward

      Re: slap head

And "Our firewalls are all secure" wasn't the answer to the question asked, either.

      Hell, there are a bunch of secure firewalls in North Carolina, too....they're still in the box.

  12. This post has been deleted by its author

  13. Camilla Smythe

    Eh?

    Since this piece was published TalkTalk has supplied the Register with this statement:

    "We take data protection very seriously and have launched an investigation. We have established that the data did not come from any of our servers or any of our contactors’ servers, and that our firewalls and security procedures are functioning properly.

    We are working to identify the IP address from which this data was disseminated, and are in contact with the appropriate authorities."

    I realise it is sometimes difficult to understand the 'help desk' but are you certain that the above is correct?

    Normal advice is to turn various things on and off.
