TalkTalk plays 'no legal obligation' card on encryption – fails to think of the children (read: its customers)

On Sunday morning, embattled TalkTalk boss Dido Harding crassly stated that her company was under no legal obligation to encrypt customers' sensitive data. Her brutal – and, some might say, foolish – comment came a day after the budget telco confirmed that some of its subscribers' credit card details had been stolen in a raid …

  1. Inventor of the Marmite Laser Silver badge

    As I observed elsewhere in this illustrious mag

    What happened to Duty of Care?

    Talk Talk is (supposed to be) a professional company operating in the IT arena and, as such, should have been perfectly well aware of the risks when they specifically decided not to encrypt data.

    They DID think about it, didn't they?

    1. Anonymous Coward

      Re: As I observed elsewhere in this illustrious mag

      "They DID think about it, didn't they?"

      I'm sure the £350 cost of doing it was a major deciding factor against.

    2. Andy Non Silver badge

      Re: As I observed elsewhere in this illustrious mag

      Someone nailed this in another thread:

      "I am not legally required to close and lock my door; but if I'm burgled, then I'm at least partly responsible."

      Nuf said.

      1. JohnMurray

        Re: As I observed elsewhere in this illustrious mag

        Door open = theft not burglary !!

      2. Trevor_Pott Gold badge

        Re: As I observed elsewhere in this illustrious mag

        "I am not legally required to close and lock my door; but if I'm burgled, then I'm at least partly responsible."

        No you're not. Not legally, nor morally.

        The law prohibits you from entering my premises without my permission. The door being unlocked, or even open does not give you any rights whatsoever to enter. That is the law.

        The law prohibits you from removing objects from my premises without my permission. The door being unlocked, or even open does not give you any rights whatsoever to enter. That is the law.

        In Canada it is perfectly normal to leave doors unlocked, and many of us (Toronto doesn't count, ever,) do this all the time.

        The same moral and legal concept applies to pretty much everything. A woman is not "asking for it" by wearing revealing clothing...or even no clothing at all. You have no right to touch or fondle her, let alone rape her. Nothing she wears (or does not wear) makes any part of your actions her fault.

        These are not difficult concepts to understand. The burden of legal responsibility is on the individual who chooses to break the law. You do not "entice" someone into breaking the law by not employing devices or techniques designed to thwart would-be lawbreakers.

        You simply can't run a society where people are legally responsible for the choice of others to break the law by not participating in an ever more expensive and unwinnable arms race.

        It's called blaming the victim. Look it up.

        Now, that said, Talk Talk should have goddamned well encrypted everything. Not due to legal obligation, but because it is a minimum best practice for the data they handle and as such a mark of professionalism.

        Now, if we - as a society - believe that the arms race has gotten to the point that we must mandate minimum security measures, then by all means do so. An open public debate leads to laws and those become the laws we all must abide by. It becomes a universal cost of doing business.

        But don't blame the victim. You are not in any way responsible for someone breaking into your house. That's on them. They made the choice.

        If, however, you are guarding other people's things in your house, your duty of care to those other people may mean that you take precautions against the cold hard realities that there exist people who will break the law.

        Are you capable of understanding the differences?

        1. Arion

          Re: As I observed elsewhere in this illustrious mag

          > "I am not legally required to close and lock my door; but if I'm burgled, then I'm at least partly responsible."
          >
          > No you're not. Not legally, nor morally.

          Your analogy of blaming the victim doesn't apply here; in this case the victim is the customers who trusted talktalk with their payment details, and regardless of specific law about encryption, talktalk had a duty of care to these customers which it neglected.

          Falling back on the absence of a specific law requiring encryption is both pathetic and contrary to the concept of common law ( or as the merkins would call it, case law ). I suspect that if this ended up in court in the UK, or the US, that there would very soon be a law requiring such data to be encrypted. The law is whatever the judge says it is, and this kind of bullshit is why.

    3. Anonymous Coward

      there are two types of companies in 2015

      A) Those companies, like TalkTalk & Sony who know they have been hacked, sacked & dumped

      and

      B) the rest of the companies who don't know (yet) that they have been hacked, the pillaging is still ongoing!

      implement: encryption, multifactor authentication, air-gaps etc - don't they understand the internet?

    4. Anonymous Coward

      Re: As I observed elsewhere in this illustrious mag

      Not so much Dido Harding but Dodo Harding, a species soon to be extinct.

      1. Lallabalalla
        Unhappy

        Re: As I observed elsewhere in this illustrious mag

        I think you'll find that *Baroness* Dido Harding, if you please, is a member of the Government's Business Advisory Group, and her husband John Penrose MP is Lord Commissioner (HM Treasury) (Whip) and also Parliamentary Secretary to the Cabinet Office.

        She's not going anywhere.

    5. Anonymous Coward

      Re: As I observed elsewhere in this illustrious mag

      Talktalk are currently emailing customers stating "We constantly review and update our systems to make sure they are as secure as possible..."

      Dido said "It wasn't encrypted, nor are you legally required to encrypt it," she told the newspaper. "We have complied with all of our legal obligations in terms of storing of financial information."

      How can they get away with lying TODAY to their customers, after all that has happened?

      1. I. Aproveofitspendingonspecificprojects

        Re: As I observed elsewhere in this illustrious mag

        > We constantly review and update

        > It wasn't encrypted, nor legally required to encrypt

        = False advertising and failure of contract

        = a get out clause. Close the account immediately and let the bastards sue you. You won't go to prison but even so it would be worth it to spite them on principle.

      2. JohnMurray

        Re: As I observed elsewhere in this illustrious mag

        Obviously you have never been a talkcrap customer.....

        Why change the business model because somebody else stole their customers details..

  2. Elmer Phud

    Cat escapes from bag

    Latest press release from Talk Talk:

    "Customer service? Customer service? -- no, got me there. By the way, don't try escaping - we'll charge you for it (it's the only way we will retain customers)"

  3. Alister

    Journalists reporting on this and other recent cases seem to think that the PCI-DSS is a set of strict Regulations, all of which must be met to gain PCI compliance.

    This is not actually the case; PCI-DSS is a collection of recommendations for best practice, but they are not "laws", and in fact so long as a valid reason can be given and noted in the risk register, most of these recommendations can be set aside.

    The classic case is in the matter of SSL cypher suites. If you follow PCI-DSS to the letter, and turn off all the cypher suites that are considered insecure, then a large percentage of the internet would be unable to browse your website, only those with the newest browsers and operating systems which support the newest cypher suites would be able to make a secure connection.

    Curiously, in one PCI audit we had, the QA wanted to fail us because the firewall rules allowed https connections to the load balancer from any IP - this is a public facing website!!

    None of this excuses how TalkTalk have handled this, though, just thought it worth setting the record straight.

    1. Anonymous Coward

      Letting users transmit sensitive data using outdated software riddled with security issues, just because you love to take their money in whatever unsafe way they have at their disposal, does not seem very ethical.

      And actually, major banks and payment systems have decided to disable obsolete protocols. Because it impacts only systems carrying payment information (you're free to use unsafe encryption for other things, PCI won't give a damn, just not to carry credit card numbers).

      It's been done around here, and just so you know, logs showed it was actually a small percentage of users that would be impacted, less than 5% of those doing payments over the internet. Still not small enough, but too bad for them. If they'd lose their money, they'd be even more upset than not being able to order pizza using the pirated and unpatched WinXP they installed on their granddaddy's PC.

    2. A Non e-mouse Silver badge

      Journalists reporting on this and other recent cases seem to think that the PCI-DSS is a set of strict Regulations, all of which must be met to gain PCI compliance

      PCI Regulations are a vague, loosely worded load of B/S designed to pass the buck on any card fraud from the card companies to the merchant.

      1. Anonymous Coward

        According to my card handling service my site is not pcidss compliant. According to my hosts i should get a dedicated server to do this. The amount of the fine for non compliance is a fraction the cost of a dedicated server. No brainer really.

        1. dcluley

          The answer to the fine problem is to make it a small fine per day of non-compliance. The cumulative effect then makes it economic to install the solution whilst not overly penalising a company that puts it right as soon as it discovers the problem.

          1. Domquark

            At least in the UK, I have come across 2 PCI companies which charge customers for each day that they are not compliant.

    3. Adam JC

      Interesting

      Hands up, those of you who got fed up with the stupid automated PCI DSS flagging up port 80/443 being open to the internet as a FAIL, who then turned on the firewall into foxtrot-oscar mode (Albeit momentarily!) to block everything...?

      >:-)

      1. Sir Runcible Spoon

        Re: Interesting

        "Curiously, in one PCI audit we had, the QA wanted to fail us because the firewall rules allowed https connections to the load balancer from any IP - this is a public facing website!!"

        There is a simple way around this. Simply create objects for your internal IP ranges, then create another object that represents everything *except* your internal IP range object.

        This does not flag as an 'any' rule, and you should really have an object set up like this anyway for all the rfc-1918 objects and have them denied right at the top of your rulebase.
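The object trick in the post above, worked through as an added example (not code from the post or from any firewall vendor): it computes the "everything except RFC 1918" object as an explicit list of CIDR blocks, checks that those blocks plus the internal ranges cover all of IPv4 with no overlap, and renders a rulebase with the RFC 1918 deny at the top. The rule syntax is constructed for illustration only. Note the caveat the post implies: the explicit object is exactly as permissive as 'any' for a public site; what makes it worth having is the top-of-rulebase deny for private-space sources, which a plain 'any' rule never gives you.

```python
import ipaddress

# The RFC 1918 private ranges, modelled as the post's "internal IP ranges" object.
RFC1918 = [ipaddress.ip_network(cidr) for cidr in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def complement(universe, excluded):
    """Return the CIDR blocks covering `universe` minus every network in `excluded`.

    Each exclusion is carved out of whichever block still contains it, so the
    result is an explicit list of prefixes rather than an 'any' rule.
    """
    remaining = [universe]
    for ex in excluded:
        carved = []
        for net in remaining:
            if ex.subnet_of(net):
                carved.extend(net.address_exclude(ex))   # split net around ex
            elif net.subnet_of(ex):
                continue                                  # net lies inside ex: drop it
            else:
                carved.append(net)                        # disjoint: keep as is
        remaining = carved
    return sorted(remaining)


# The "everything except internal" object: all of IPv4 minus RFC 1918.
EXTERNAL = complement(ipaddress.ip_network("0.0.0.0/0"), RFC1918)


def is_external(ip):
    """True when `ip` matches the EXTERNAL object (i.e. is not RFC 1918 space)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXTERNAL)


def covers_everything(blocks_a, blocks_b):
    """Sanity check: the two block lists are disjoint and together cover all IPv4."""
    total = sum(n.num_addresses for n in blocks_a + blocks_b)
    disjoint = all(not a.overlaps(b) for a in blocks_a for b in blocks_b)
    return total == 2 ** 32 and disjoint


def render_rulebase(lb_ip, port=443):
    """Vendor-neutral rendering (constructed syntax, not any real firewall's):
    deny RFC 1918 sources at the top, then allow HTTPS from each external block."""
    rules = [f"deny   from {net} to any" for net in RFC1918]
    rules += [f"allow  tcp from {net} to {lb_ip} port {port}" for net in EXTERNAL]
    return rules


if __name__ == "__main__":
    for line in render_rulebase("203.0.113.10"):   # 203.0.113.10 is a documentation address
        print(line)
    print(len(EXTERNAL), "external blocks; covers everything:",
          covers_everything(EXTERNAL, RFC1918))
```

Carving three prefixes out of 0.0.0.0/0 yields 31 external blocks, so the allow rule expands to 31 lines instead of one; that is the price of a rulebase an automated scanner can read as "not any".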

  4. Tony W

    "Appropriate" has legal force

    As technology is constantly changing, it is right that the law should not require a specific technical process. After all, just requiring encryption wouldn't be much use, that could mean ROT13. If the measures they took didn't work, but measures taken by other companies in the same industry would have worked, it would be easy to argue that what they did wasn't appropriate.

    1. Bc1609
    2. Dan 55 Silver badge
      Flame

      Re: "Appropriate" has legal force

      They also say they are ISO 27001 compliant which requires encryption for data at rest. Or are they allowed to skip that bit for products they advertise to home users? Perhaps Dido could clarify the situation and tell us if they're actually not compliant with ISO 27001 or they just don't care about the little people (and possibly weakening security for business/government customers by intentionally not protecting consumer data held on the same server/cluster)?

      http://www.talktalkbusiness.co.uk/news-events/news-ttb-listing/video-news/security-recognition-for-cast1/

      http://www.talktalkbusiness.co.uk/partners/products-and-services/hosted/hosted-data-centre/

    3. firu toddo
      Coat

      Re: "Appropriate" has legal force

      Maybe Talk Talk did use Rot13 on their data, and did it twice just to be sure.

  5. Arctic fox
    WTF?

    Denis Healey was very fond of quoting the "Law of Holes" .............

    "On Sunday morning, embattled TalkTalk boss Dido Harding crassly stated that her company was under no legal obligation to encrypt customers' sensitive data."

    .........as in when you've ended up in one it is wise to stop digging. Icon? My reaction when I read what she had said.

  6. Tromos

    I also note that...

    ...there is no legal requirement for a tech company to be run by a person whose technical knowledge exceeds that of the average gibbon.

    1. Inventor of the Marmite Laser Silver badge

      Re: I also note that...

      That's a bit harsh on Gibbons, isn't it?

      1. Ken 16 Silver badge
        Headmaster

        Re: I also note that...

        He deserves it for Decline and Fall...

  7. Anonymous Coward

    It will only get worse

    Within the current legal framework, TalkTalk were a bit silly to not encrypt. Then again this is a company that can't even protect against the most basic of SQL injections.

    In the future David Cameron will be rendering such encryption illegal. So we will see more of these breaches as all data is in the clear because "terrorism".

  8. Anonymous Coward

    Technically correct, i suppose

    They are obliged to take steps to keep data safe and the specific mechanism to be used isn't specified. So the absence of encryption is not in itself a breach of the rules.

    That they didn't keep the data safe is obvious and they need to be hammered for that specifically. Getting hung up on one specific aspect (encryption) just gives them an easy get-out in the arguments.

    I'm a TalkTalk victim and I now have a dilemma. I have no beef with the quality of their broadband service (it is reliable), so have had no need to test the quality of their customer service. If I were to dump TalkTalk in favour of another provider, wouldn't it just be a leap into the unknown?

    Worst case - TalkTalk are in the headlines but the other ISPs' breaches have yet to be discovered/publicised?

    1. Dan 55 Silver badge

      Re: Technically correct, i suppose

      There were three breaches in the past year. They don't encrypt. It appears the web front-end has complete access to the database. It's obvious they don't know what they're doing. Tools like this fished out customer data.

      But stay if you want to...

      1. Anonymous Coward

        @Dan 55 - Re: Technically correct, i suppose

        But stay if you want to...

        Yeah I know ...

        My concern is that I have no way of knowing how good any other provider's security is (the absence of publicity doesn't mean absence of problems), so I am wary of jumping elsewhere and potentially ending up in the same or a worse boat.

        It is a general problem these days - amateurism prevails when it comes to security and web-facing services. The only defence, it seems, is not to join up to anything.

        1. Dan 55 Silver badge

          Re: @Dan 55 - Technically correct, i suppose

          Go to a smaller one that looks like its competent... Xilo... A&A... One that probably have a hard time surviving if this happened to them as opposed to the likes of TalkTalk which just bullshit and carry on regardless.

          1. Anonymous Coward

            @Dan 55 "Go to a smaller one that looks like its competent"

            Yep. It needs researching, though, so I'm not going to jump just to express my displeasure with TalkTalk.

            Funny thing is, though, I'd be going right back to where I began : I signed up with Nildram for just the reasons you gave, and look where I am now umpteen buy-outs later.

            Any recommendations?

            1. Anonymous Coward

              Re: @Dan 55 "Go to a smaller one that looks like its competent"

              Strange. Your ref to "Xilo... A&A" didn't register the first time I read it. I've heard of A&A but not Xilo.

              It's gonna take some research, I think. A bit like 'Which Linux distro should I go to when I junk Windows?'

              1. Dan 55 Silver badge

                Re: @Dan 55 "Go to a smaller one that looks like its competent"

                Try this...

                http://www.ispreview.co.uk/

                It's got a top 10/50 and a 2015 summary, but skip the first page of the summary as concerns the best cheapest ISPs so you only get the usual suspects.

                1. Anonymous Coward

                  @Dan 55

                  Thanks for the link. I think I will need it after all.

              2. I. Aproveofitspendingonspecificprojects

                Re: @Dan 55 "Go to a smaller one that looks like its competent"

                You are using Windows? Still?

                I thought that Windows was only used by magazines like this to give them something to talk about.

                As well as being unlimited versions of Linux there are three main formats not counting the other one. And you can use all of them interoperationally.

                1. Anonymous Coward

                  @ I. Aproveofitspendingonspecificprojects ...

                  As well as being unlimited versions of Linux there are three main formats

                  ... hence the need to be thoughtful about what is going to be a major change.

                  I'm winding down my use of Windows-specific stuff and moving to software that I know is available on Linux. At the same time I'm beginning to do certain things only on Linux (Mint). I'm in no hurry - provided that I'm successful in keeping MS from corrupting my OS with back-fed Windows 10 'improvements', I have a few years yet (barring any further malice from Microsoft).

    2. Brewster's Angle Grinder Silver badge

      Re: Technically correct, i suppose

      > "Worst case - TalkTalk are in the headlines but the other ISPs' breaches have yet to be discovered/publicised?"

      That's one worst case. The other is TalkTalk are crap at securing a website while all the other ISPs are reasonably competent. If this was the first major hack of an ISP, I'd agree the others might, in time, prove equally vulnerable. But there seems to have been a run of attacks on TalkTalk spanning back months during which time there have been no reported attacks on any other ISP. Maybe the other ISPs are better at news management, but I think we're reaching the point where you accept the TalkTalk coin is coming up heads more than chance should allow.

      1. Anonymous Coward

        @ Brewster's Angle Grinder - Re: Technically correct, i suppose

        Yes, I suppose hits on Talktalk going back to last year vs nothing obvious on the rest does tend to suggest that a systemic problem (or endemic 'who gives a shit' attitude) exists at TalkTalk. Ah well, time to do some research...

    3. anonymous boring coward Silver badge

      Re: Technically correct, i suppose

      I never signed up with TalkTalk, and never would have. They did buy someone however, who earlier bought Pipex that I signed up with.

      On the plus side, they are now likely to make things a lot more secure. If only they could sort out their Fisher Price account log on spam crap...

  9. kdh0009

    She's right....

    If you're head of a big company with lots of customers' personal data, you don't encrypt it for their benefit - you encrypt it for your own.

    If a hacker steals a bunch of encrypted data and can't decrypt it, Bingo! No breach of the Data Protection Act.

    Since they didn't bother, there's a bunch of DPA fines coming their way.

    1. chris 17 Silver badge

      Re: She's right....

      The loss to their reputation will cost more than the fines. That's one of the main business drivers to implement proper security in the first place.

      1. JohnMurray

        Re: She's right....

        They had a reputation to lose?

        I must have missed that as it flew past me at just under lightspeed....

    2. Andy Davies

      Re: She's right....

      there is no need to encrypt credit card data because it should be on a server with no public-facing network connection. You only need it to collect your fees don't you?

      (Please tell me it's not stored so that it is available to shopping websites that your customers may use!).

  10. Tony S

    House of Commons Committee

    The BBC Parliament channel regularly shows the activities of the various committees. The MPs that sit on these can get quite aggressive when questioning those brought before them; and extremely scathing of people in authority that either demonstrate a lack of knowledge of their own business or try to BS an answer.

    I think that we can guarantee that Ms Harding and her staff will be called upon at some stage to discuss this debacle; and I'm sure that it will be highly entertaining for most people. It might not fix the problem, but I'd bet that it will be highly satisfying to watch them get a roasting.

    1. LucreLout

      Re: House of Commons Committee

      The BBC Parliament channel regularly shows the activities of the various committees. The MPs that sit on these can get quite aggressive when questioning those brought before them

      And vastly hypocritical they can be too. I forget which tax dodging MP it was quizzing the tech giants while hiding inherited wealth behind offshore family trusts.

      The part that I don't understand about these committees is that they expect those "summoned" to appear, and to answer their questions. And yet they can do nothing. If the CEO of whatever firm just decides not to appear, nothing happens. If the CEO appears and aggressively questions the committee, there's really not vast amounts they will do about it.

      1. Anonymous Coward

        Re: House of Commons Committee

        Margaret Hodges

    2. Lallabalalla

      Re: House of Commons Committee

      Maybe. But as previously noted:

      Baroness Dido Harding is a member of the Government's Business Advisory Group advising David Cameron and her husband John Penrose MP is Lord Commissioner (HM Treasury) (Whip) and also Parliamentary Secretary to the Cabinet Office.

      Besides which, all she has to do is what everyone else does, if the examples of Rebekah Brooks and Rupert Murdoch are anything to go by: just sit there and lie. "I was at lunch that day, I don't understand what bytes we have" should do it.

  11. Ian 62
    Alert

    Smut list?

    Oh! Oh! As you mentioned it....

    Could the Reg go and inquire of TalkTalk:

    Did the hackers get the list of users who ticked the box saying 'Enable Porn Please' ?

    Those in sensitive occupations, with children, MPs, Policemen, Teachers, Doctors, Nurses, etc need to know if they're about to be blackmailed.

    1. I. Aproveofitspendingonspecificprojects

      Re: Smut list?

      Since our glorious plod got hold of the child so quickly we can assume he was only looking out of curiosity, not really trying to do any harm, and is naive enough to have not only spoken freely about it but asked the people who were looking for him for tips.

      Either that or the Met has finally learned how to find its backside with both hands.

      I think we are going to get hold of the full skinny very soon indeed. When he makes a public apology and explains what he did.

      Or were you wondering about the Jimmy Saville connection?

  12. Your alien overlord - fear me

    Remember, if you encrypt your customers data, it's an extra step to decrypt it when selling private data without consent to adware slingers.

  13. Anonymous Coward

    There is no such thing as bad publicity. Give it a few months and someone looking to switch will think of TalkTalk as an ISP.

    1. RogerT

      Good deals to join Talk Talk coming

      I expect they will sort out the security of their servers and have some of the most secure systems around. Then they'll have some great deals to replenish their customers who've gone elsewhere. Perhaps this will actually be a good time to join Talk Talk?

      1. Anonymous Coward

        Re: Good deals to join Talk Talk coming

        Secure their servers, like they did after their first hack? Oops, nope. Their second? Oops, neither.

        They will probably keep a lot of customers, but at this point, hoping they'll change their ways when they just said they have no legal obligation to do so, that seems a little foolish, doesn't it?

      2. Lallabalalla

        Re: Good deals to join Talk Talk coming

        Nice try. But you're forgetting one thing. TalkTalk. Worst. ISP. Ever.

    2. Teiwaz
      Devil

      justifiable response

      > "There is no such thing as bad publicity. Give it a few months and someone looking to switch will think of TalkTalk as an ISP."

      Won't be me. Occasionally see T-T Sales people outside Shopping Centres. If they approach me, they generally get laughed at.

      If I see them in the next few months, it'll result in 'Donald Suttherland moment' from the end of Invasion of the Body Snatchers.

  14. Crisp

    What qualifies Dido Harding to run a major broadband provider?

    A degree in Philosophy, Politics and Economics and a peerage apparently. No wonder she doesn't have a clue about all this new fangled encryption and stuff.

    1. Luke Worm

      Re: What qualifies Dido Harding to run a major broadband provider?

      Naah, maybe rather Aesthetics, Cosmetics and Comparative Erotics.

      1. allthecoolshortnamesweretaken

        Re: What qualifies Dido Harding to run a major broadband provider?

        "...Comparative Erotics"

        Where and how can I enroll ???

        1. JohnMurray

          Re: What qualifies Dido Harding to run a major broadband provider?

          Which brings us back to her getting roasted by various MPs.....

    2. Anonymous Coward

      Re: What qualifies Dido Harding to run a major broadband provider?

      The main qualification required to run any large company or financial organisation remains "knowing the right people".

      1. tiggity Silver badge

        Re: What qualifies Dido Harding to run a major broadband provider?

        And she does know the right people: Married to a Tory MP, one of the students who was in her PPE cohort was a certain David Cameron....

        1. Lallabalalla

          Re: What qualifies Dido Harding to run a major broadband provider?

          And adviser TO David Cameron as a member of the Government's Business Advisory Group.

          Also - Being a Baroness probably doesn't hurt, does it?

    3. Wiltshire

      Re: What qualifies Dido Harding to run a major broadband provider?

      It's got nothing to do with IT, it's all about Marketing - the triumph of style over substance.

      Meanwhile, I do wonder, is the "Harding Data" remark going to be this decade's equivalent of Ratner Jewellery? And the associated effect on the whole flimsy house of cards?

  15. Infernoz Bronze badge
    FAIL

    It's not about what's legal, it's about ethics, reputation and best practice.

    /All/ customer data held by any business should be encrypted by default, just-in-case lots of stuff!

    It doesn't matter a frack if it is a staging area, or for marketing, just encrypt it.

    This silly girl needs to shut up, get competent security and public relations advice, and read "Friend and Foe" by Adam Galinsky & Maurice Schweitzer to get some perspective so that she doesn't frack up!

  16. Captain TickTock
    Childcatcher

    Think of the Children...

    ... like little Bobby Tables...

    https://xkcd.com/327/
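The Bobby Tables link above, the earlier remark that TalkTalk "can't even protect against the most basic of SQL injections", and the observation that "the web front-end has complete access to the database" all describe the same two defects. As an added example (not from any commenter, and not TalkTalk's code; the table and records are constructed), here is the string-built query that lets input be parsed as SQL, the parameterised lookup that fixes it, and a connection-level stand-in for a least-privilege database account so that a front-end account cannot write even if the query layer is wrong.

```python
import sqlite3

# Constructed sample records; nothing here is TalkTalk's real schema or data.
SAMPLE_CUSTOMERS = [
    ("alice@example.invalid", "1234"),
    ("bob@example.invalid", "5678"),
    ("carol@example.invalid", "9012"),
]


def make_db():
    """Build an in-memory customer table holding only the last four card digits."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers (email, card_last4) VALUES (?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """The pattern behind 'the most basic of SQL injections': the statement is
    assembled with string formatting, so the caller's input is parsed as SQL."""
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, email):
    """Same lookup with a bound parameter: the driver passes the value separately,
    so quotes or keywords inside it can never change the statement's structure."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def restrict_to_read_only(conn):
    """Model a least-privilege web-tier account. SQLite has no GRANT, so the
    connection-level PRAGMA stands in for a database role that cannot write."""
    conn.execute("PRAGMA query_only = ON")
    return conn


def can_write(conn):
    """True if the connection is allowed to modify customer rows."""
    try:
        conn.execute("UPDATE customers SET card_last4 = '0000' WHERE id = 1")
        return True
    except sqlite3.OperationalError:       # SQLITE_READONLY under query_only
        return False


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"          # the textbook input from every SQLi tutorial
    print("vulnerable:", lookup_vulnerable(db, tautology))   # every row comes back
    print("hardened:  ", lookup_hardened(db, tautology))     # no such email: []
    print("web tier may write:", can_write(restrict_to_read_only(make_db())))
```

The two fixes are independent: parameterisation stops input from reaching the parser, and the read-only account limits what a query that does get through can do. Storing only the last four digits is the third layer; a breach of this table leaks nothing a card issuer would accept.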

  17. Paul Shirley

    do payment processors have an obligation to deal with talktalk?

    How long would they last if the cc companies decided not to deal with them? In light of an abject failure to protect the cc companies customers I suspect they have no legal right to demand service.

    1. Proud Father

      Re: do payment processors have an obligation to deal with talktalk?

      As I stated in the original article, the major players like Visa/Mastercard can revoke their status as a credit card acquirer.

      Not being able to process CCs will hurt.

      1. mark 120

        Re: do payment processors have an obligation to deal with talktalk?

        Sadly, they've never done it yet, because it hurts their own profits. If Target didn't get their Visa / Mastercard licence withdrawn, no-one will.

  18. muddysteve

    No Obligation

    There may be no obligation for TalkTalk to encrypt its customers' data. There is also no obligation for me to use TalkTalk. Ever.

  19. 0laf

    Oooh enjoy your interviews with the ICO. It might not be explicit but you've already demonstrated that your system was insufficient to protect personal data at rest without encryption.

    If credit card data was stored unencrypted the PCI council will have a different opinion since it is explicit with them and they can probably levy larger fines than the ICO can right now.

  20. cuddlyjumper
    FAIL

    On transparency

    Dido Harding goes on record stating two interesting things: firstly, that their security is apparently "head and shoulders" above competitors. Secondly, that TalkTalk will be transparent with customers. It would be useful to understand how she is in a position to articulate the former, and also useful to know how - exactly - TalkTalk will achieve the latter.

    Unfortunately, for all her appearances, it is fast becoming more useful to consider the things that Dido Harding ISN'T saying right now, rather than what she IS saying.

    Has El Reg nabbed any TalkTalk insiders who are able and willing to give a clearer technical understanding of how this latest one happened?

    1. Doctor Syntax Silver badge

      Re: On transparency

      'Dido Harding goes on record stating two interesting things: firstly, that their security is apparently "head and shoulders" above competitors.'

      Unless by "head and shoulders" she was referring to the shampoo this seems an ill-advised thing to say. How many other ISPs can she name who've been popped more times this year?

      The technical means of how data was protected is secondary. The main issue is that whatever measures they did take were inadequate.

  21. Anonymous Coward

    If they get away with this we may as well just give up.

  22. king_tut

    Class Action Lawsuits

    Maybe this will be the first case under the new class action lawsuit rules? http://www.bbc.co.uk/news/uk-34402483

    1. Doctor Syntax Silver badge

      Re: Class Action Lawsuits

      I've read the link you posted. Could you explain how it applies in this case, bearing in mind that the news item says it's about "firms that have fixed prices and formed cartels"?

      1. Bc1609

        Re: Class Action Lawsuits

        It doesn't - you're quite right that this new "class action" (or "collective proceeding" as it's known on this side of the pond) only applies to breaches of competition law. The relevant bit of the Consumer Rights Act 2015 is Schedule 8.

        1. Doctor Syntax Silver badge

          Re: Class Action Lawsuits

          Death by 1000 cuts - or maybe 4,000,000 - in the small claims court might actually be more effective.

  23. Captain TickTock
    Paris Hilton

    Take 2 data breaches into the shower?

    Not me - I use Head and Shoulders.

    Paris, just because

  24. GPDawes

    What about PCI regulations

    I am sure this is covered by UK and EU PCI regulations.

    1. 0laf

      Re: What about PCI regulations

      Will depend if they actually held credit card data within the same system as the hack took place. The CDE might be a completely different network or might even be outsourced.

      On one hand it's good if the credit card data isn't there because then it hasn't been stolen.

      On the other hand a breach of PCI DSS will probably mean a PCI fine which is higher than the 500k max the ICO can levy right now. Plus PCI can force TT to take on auditors for PCI and make them re-accredit as a Tier 1 merchant.

  25. GPDawes

    Are TalkTalk audited?

    Do TalkTalk claim to be ITIL/SAS16 compliant? Are they audited? Surely auditors should have picked up on this and they have not acted upon recommendations.

    Especially after the previous 2 hacks, did they not batten down the hatches?

    1. 0laf

      Re: Are TalkTalk audited?

      I'm sure they updated their policies and for everything else that would cost real money the board accepted the risk or decided that a policy change was adequate mitigation. No doubt record keeping will also be poor resulting in no minutes of those meetings.

      I hope the infosec guys have kept records of their findings when the finger of blame is turned on them.

    2. Omgwtfbbqtime

      Re: Are TalkTalk audited?

      From the 2015 annual report ( http://www.talktalkgroup.com/investors/reports/2015.aspx ):

      4. Data and cybersecurity

      Potential impact: Failure to prevent the loss or exploitation of personally identifiable or commercially sensitive information could result in loss of competitive advantage, regulatory fines, damage to the brand, and ultimately, churn.

      Mitigation: The Group continually reviews and seeks best practice external guidance on its data and cyber security capability and invests in and implements new solutions, both to prevent and detect incidents. TalkTalk continues to adopt the Ten Steps to Cyber Security as a control framework for mitigating key areas of risk. Progress is monitored via the in house Data Council, which convenes monthly and is chaired by the Chief Technology Officer (CTO). In FY15, key initiatives including the encryption of hardware and removable media, a data loss prevention solution, vulnerability scanning and penetration testing have been completed. A new Head of Security has also been appointed to establish and oversee the new Security Operations Centre, the activities of which have been outsourced to cyber security experts BAe systems.

      So either they lied in their annual report or the head of security/BAe needs a kick up the arse.

  26. macjules

    But they are helping (they say)

    "We’ve contacted the major banks and they are monitoring for any suspicious activity on our customers’ accounts."

    http://help2.talktalk.co.uk/oct22incident

    Could TalkTalk (now called ShhShh) please explain how the main UK banks are going to find the resources necessary to monitor several hundred thousand bank accounts for 'suspicious activity'?

  27. Anonymous Coward
    Anonymous Coward

    Interestingly on ISP Virgin Media billing system

    Security passwords are displayed to the telephone agents in plain text irrespective of which country the agents are in.

    Having spoken to a manager about this it was clear to me that she was not interested, not listening and not going to raise this up to those that were.

    Until those making UK company decisions are held responsible and get some time in prison, then sharing your secrets with 419 email spammers is more secure; the latter at least only target the greedy.

  28. Jonski
    Trollface

    To be fair...

    ...double ROT13 is a form of encryption, innit?

  29. xybyrgy

    Boy, 15, arrested in Northern Ireland in connection with TalkTalk hack

    http://www.bbc.com/news/uk-34643783

    "Shares in the telecoms company fell more than 12% in Monday trading, extending its losses from last week, when news of the attack first emerged."

  30. DrBobMatthews

    I do hope that this silly ex-marketing woman tries to defend this useless company in court.

    Maybe not a criminal offence, but in Civil and Common law she and the company have a problem.

    A company and its officers and servants have a duty of care to protect the property and information relating to their customers from theft, misuse and any loss, damage or otherwise if the company, its officers and servants fail to use all reasonable methods to prevent loss, damage or abuse.

    Reasonable methods within the industry would be the de facto standard encryption.

    Please someone sue this arrogant woman and TalkTalk using Civil Law.

  31. DrBobMatthews

    To sum up this not-fit-for-purpose CEO then, she is suffering from what a lot of CEOs suffer from, naked arrogance and delusions of adequacy. I bet her shareholders are delighted with the share price going south on a daily basis.

  32. hogarthr

    TalkTalk are in a shambles in all their IT processes

    My experience of Talk Talk over the last few months is that they are in a complete shambles as far as their IT processes and the human processes that surround them. I left them because of the appalling customer service I received from them and because they increased prices twice this year so far. I received numerous wrong responses to my leaving, including 1. they told me, 'you appear to be moving home', but we do not have your new home details and 2. wrongly sending me a system-generated email and invoice for breach of contract, which took ages to sort out. Also, while with them, trying to sort out a fault, I got numerous system-generated contradictory emails and texts. I am not at all surprised that their systems are open to hackers.

  33. anonymous boring coward Silver badge

    If the "sophisticated" hack was simply an SQL injection, then the 15 year old should get a medal for exposing a greedy giant's lack of investment in security. Provided he didn't sell, try to sell, or publish the stolen data.

  34. Anonymous Coward
    Anonymous Coward

    Still non-compliant. Arguably ineffective will amount to inadequate. I'd be happy to go after them if the UK had implemented the Privacy Directive adequately or at all.

    However anyone inconvenienced can sue them under the new tort of misuse of private information.

  35. adam payne

    It might not be a legal requirement but it is certainly best practice.

  36. Anonymous Coward
    Anonymous Coward

    encryption might not solve this

    While encryption can be good, hacking is about impersonation.

    So trying to run code under other people's credentials.

    Say you hacked your admin password, the hacker is then admin.

    He found a way in to get into it as some person.

    There usually is always someone controlling all the stuff.

    Get their passwords and then in a lot of cases you're "inside".

    Never mind if the file system had encryption, he was an admin so you could easily decrypt it.
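The point made in the comment above, that encryption at rest reads as plaintext to anyone holding a working account, shown as an added example (not from the thread or from TalkTalk): two in-memory tables hold the same constructed card record, one relying on volume encryption that the running database sees through, the other encrypting the field in the application with a key kept in a separate payment service. The cipher is a toy SHA-256 keystream used only for illustration, and the card number is a constructed test value.

```python
import hashlib
import secrets
import sqlite3

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy counter-mode keystream from SHA-256: illustration only, not a real cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt_field(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

def decrypt_field(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

CARD = b"4111111111111111"  # constructed test value, not a real card number

def build_stores():
    """Return (disk_only, field_enc, payment_key).
    disk_only models volume/disk encryption: the database process already sees
    plaintext, so any account that can issue SELECT gets plaintext.
    field_enc models application-level field encryption: the table holds only
    ciphertext and the key lives with a separate payment service (hypothetical)."""
    disk_only = sqlite3.connect(":memory:")
    disk_only.execute("CREATE TABLE customers (id INTEGER, card BLOB)")
    disk_only.execute("INSERT INTO customers VALUES (1, ?)", (CARD,))

    payment_key = secrets.token_bytes(32)  # never present on the web/database tier
    field_enc = sqlite3.connect(":memory:")
    field_enc.execute("CREATE TABLE customers (id INTEGER, card BLOB)")
    field_enc.execute("INSERT INTO customers VALUES (1, ?)",
                      (encrypt_field(payment_key, CARD),))
    return disk_only, field_enc, payment_key

def read_cards_as_db_account(conn: sqlite3.Connection) -> list[bytes]:
    # What a compromised database or application account sees with one query.
    return [bytes(row[0]) for row in conn.execute("SELECT card FROM customers")]
```

With the key held elsewhere, a compromised database account yields ciphertext rather than card numbers; as the comment says, an attacker who also takes over the service holding the key reads everything, which is why that key custody is the control worth auditing.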

  37. Templogin

    Good old Direct Debit

    Another reason why that supposedly safe method of payment, the Direct Debit is a bad idea. Pay by standing order in the UK and you only have to worry about your bank being hacked.
