TalkTalk incident management: A timeline

Contradictory statements issued by TalkTalk regarding the third data breach the company has experienced this year have provided inadequate information to the telco's customers about their data, while effectively insulating the company from questions regarding its security practices with insubstantive, and at times incoherent, PR …

  1. Anonymous Coward

    Let me fix that headline for you:

    "Talktalk incident mismanagement: A timeline"

    1. Ben Boyle

      TalkTalk, soon to be rebranded "Fuck. Fuuuuuuck!"

      1. Alan Brown

        Or more politely: Bork Bork

        Here's a clip of Dido in the kitchen: https://www.youtube.com/watch?v=AvDvTnTGjgQ (complete with the end results of all their efforts in spin at 2:54)

  2. monty75
    FAIL

    D'oh the irony!

    Currently on TalkTalk's homepage is this AOL article:

    "Protect yourself from phone scams

    Hackers could not access enough information to take cash from bank accounts. Don't get tricked into giving your details over the telephone"

  3. Len Goddard

    Never

    Another company on my list of those with whom I will never do business.

    1. Roq D. Kasba

      Re: Never

      I find it harder and harder to remember who's on my shit-list, it gets so crowded. I think I'm still friends with Waitrose, but who can tell for sure?!

      1. VinceH

        Re: Never

        Yeah, same boat. I think I may have to start making my list a real thing, rather than keeping it my head. I'm getting too old for all this remembering shit.

      2. TheRealRoland
        Joke

        Re: Never

        >I find it harder and harder to remember who's on my shit-list, it gets so crowded.

        >I think I'm still friends with Waitrose, but who can tell for sure?!

        I can help you with that, it will take just one moment to access your information from my system... Hm, that is strange? For verification purposes only, can I get your full name, mother's maiden name, etc. ?

        ;-)

  4. James Cullingham

    Have I understood correctly?

    So, if you can prove that you have actually been robbed as a result of their possible negligence, then by way of compensation they won't charge you for switching to a potentially more responsible provider.

    Wow, that's really generous.

    1. Anonymous Coward

      Re: Have I understood correctly?

      Have an Upvote

      Robbed if you do, robbed if you don't.

    2. sandman

      Re: Have I understood correctly?

      "A potentially more responsible provider." If you can find one! How would you know?

      1. TheOtherHobbes

        Re: Have I understood correctly?

        They're not TalkTalk.

        I know the bar isn't high. If it was any lower it would be Satan's own limbo disco.

        But still.

      2. Stuart 22

        Re: Have I understood correctly?

        "A potentially more responsible provider." If you can find one! How would you know?

        History, my dear boy. Not a guarantee but a jolly good indicator.

        I could name four ISPs (two in the value market and two in the premium market) who I would recommend to anybody. They have delivered consistent high quality connections. More importantly they have intelligent teams who have coped with incidents. Quality support is an expensive luxury until you need it. TalkTalk's expertise is (sorry WAS) talking you out of thinking you need it.

        1. chris 17

          Re: Have I understood correctly?

          @ Stuart 22

          umm go on then, name them ISPs.

      3. Dan 55

        Re: Have I understood correctly?

        Out of the usual suspects, only Virgin said something for the security metric that suggested that they take some care over your personal data.

        http://arstechnica.co.uk/business/2015/05/ars-technica-the-uk-safest-isp/

        Or you can try a website like this one...

        http://www.ispreview.co.uk/

        1. I. Aproveofitspendingonspecificprojects

          Re: Have I understood correctly?

          "The UK has a dead dog in this fight. They [GCHQ] are worse than the US."

          For Internet surfers in the UK, the most significant surveillance program revealed by the leaks is Tempora. According to documents leaked to The Guardian, Tempora is a GCHQ program that intercepts data on many of the Internet’s fibre-optic backbone connections, both in the UK and globally. The extent of Tempora is unknown, but Snowden’s leaks contained a claim from the UK that GCHQ scoops up even more metadata than the NSA.

          None of GCHQ's laudable systems' aims served to prevent anything most of us would like to have seen prevented since before the USA was taken over by the chimp.

    3. Alan Brown

      Re: Have I understood correctly?

      Then you can take them to court and claim it all back, plus distress claims. (FTFY)

      Of course they don't want to admit that their liabilities are somewhere north of ££millions.

    4. Anonymous Coward

      Re: Have I understood correctly?

      As a TalkTalk customer I should have been notified by secure means, i.e. not a web announcement nor email, of 9 facets dealing with this incident as laid down in EU reg 611/2013. I'm still waiting.

      This Law says:

      The notification to the subscriber or individual shall be made without undue delay after the detection of the personal data breach, as set out in the third subparagraph of Article 2(2).

  5. lansalot

    it's a shame that "I have no faith left in you, you incompetents" isn't considered a valid enough reason to leave.

    1. Dan 55

      It is if you take into account the Supply of Goods and Services Act and are willing to have it out with them. Service must be carried out with reasonable care and skill. Service must be of satisfactory quality and fit for purpose.

      Their T&Cs are like an EULA, you've still got your consumer rights.

  6. Anonymous Coward

    christ

    If they get away with this farce I'm just going to give up. If Visa and Mastercard don't punish them there's going to be no point bothering to try to get PCI implemented, as every board member will go "well, TalkTalk got away with a slap on the wrist, why should we bother", and as to data protection, I can imagine anyone wanting to have security enforced will be laughed out of the building.

    They can't be allowed to get away with this.

    1. Dan 55

      Re: christ

      There is also the ICO which now appears to be saying that encryption is just one thing TalkTalk could have done. Amazing what happens when the boss knows the right people.

      1. Adam 52

        Re: christ

        He's right. They could have completely air gapped their systems and kept everything on paper in a secure vault with armed guards.

        But they didn't. So they're still in trouble because their measures clearly weren't "adequate".

        Not that they're any different to thousands of others (including healthcare providers and banks).

    2. Peter X

      Re: christ

      Not wishing to detract from beating up TalkTalk, but since people here might have an answer, I have a question...

      Q. Why don't credit-card companies tell providers NOT to store card details ever, and instead, issue them a token on receipt of a valid card number? E.g.

      Customer (unwisely) decides to sign up with TalkTalk. Enters their contact details and card number on the TT website and agree to (say) a sign up fee of £X and recurring debits of ~£Y based on call-usage etc.

      For £X, since it's a one-off, TT don't need to store a card number. For ~£Y they do currently because they need to debit the customer (usually) once a month. So instead the card company supplies a token (like a disposable card number) but this one is constrained such that ONLY TT can use it... so even if it leaks, it's useless. And it could be further constrained by number of debits per month, or limited value ranges.

      I've wondered this for years... basically whenever a leak ends up in the news. It's an obvious solution, so I'm guessing there's a good reason it's not implemented?
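The processor-issued, merchant-bound token Peter X describes, as an added illustration written for this page (not code from the thread, nor from any real card network or payment provider); `TokenVault`, the merchant ids and the card number are constructed placeholders:

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenRecord:
    card_number: str            # real card number: stays in the processor's vault
    merchant_id: str            # the only merchant allowed to present this token
    max_per_debit: int          # value cap per debit, in pence
    max_debits_per_month: int   # how many debits the merchant may take per month
    debits: dict = field(default_factory=dict)  # month -> debits taken so far


class TokenVault:
    """Hypothetical card-network side: holds card numbers, hands merchants opaque tokens."""

    def __init__(self):
        self._tokens = {}

    def issue_token(self, card_number, merchant_id, max_per_debit, max_debits_per_month):
        # The token is random and carries no card data; the constraints live with the vault.
        token = "tok_" + secrets.token_urlsafe(16)
        self._tokens[token] = TokenRecord(card_number, merchant_id, max_per_debit, max_debits_per_month)
        return token

    def charge(self, token, merchant_id, amount, month):
        """Every debit is checked against the merchant binding and the limits set at issue."""
        rec = self._tokens.get(token)
        if rec is None:
            return (False, "unknown token")
        if rec.merchant_id != merchant_id:
            return (False, "token bound to another merchant")
        if amount <= 0 or amount > rec.max_per_debit:
            return (False, "amount outside permitted range")
        if rec.debits.get(month, 0) >= rec.max_debits_per_month:
            return (False, "monthly debit limit reached")
        rec.debits[month] = rec.debits.get(month, 0) + 1
        return (True, "charged")


def demo():
    vault = TokenVault()
    # Constructed sample values: a test card number and two made-up merchant ids.
    token = vault.issue_token("4111111111111111", "merchant_tt", 5000, 1)
    # The merchant's own database would store only `token`, never the card number.
    ok_first = vault.charge(token, "merchant_tt", 2999, "2015-11")
    second_same_month = vault.charge(token, "merchant_tt", 2999, "2015-11")
    leaked_elsewhere = vault.charge(token, "merchant_other", 2999, "2015-12")
    too_big = vault.charge(token, "merchant_tt", 9999, "2015-12")
    return ok_first, second_same_month, leaked_elsewhere, too_big
```

A token copied out of the merchant's database is rejected by the vault when another merchant presents it, which is the "useless if it leaks" property the comment asks about.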

      1. Simon Rockman

        Re: christ

        This is exactly how services like Stripe and Braintree work.

  7. Anonymous Coward

    They have left an open door for the competition

    "We respect our customers privacy and encrypt all financial data. Leave TalkTalk and sign up with us and we will pay your termination fees."

    That no one is making such statements makes you wonder just how secure they are.

    I know plusnet store passwords either as plain text or using easily reversible encryption, their support people can tell you what your password is.

    1. Anonymous Coward

      Re: They have left an open door for the competition

      > That no one is making such statements makes you wonder just how secure they are.

      FYI EE are currently offering to pay termination fees up to £100. They haven't made a statement such as that quoted though :-(

    2. Kubla Cant

      Re: They have left an open door for the competition

      I know plusnet store passwords either as plain text or using easily reversible encryption, their support people can tell you what your password is.

      BT too.

      1. Dabooka

        Re: They have left an open door for the competition

        Sorry, password for what? Your login or your (supplied) router?

        Just to be clear....

        1. Anonymous Coward

          Re: They have left an open door for the competition

          Account login used on the modem, ISP supplied email etc... not the supplied router admin password or WiFi passphrase.

          Their justification for it is that it makes things easier when customers call support.

          Those passwords aren't normally used for much so poor security on them isn't much of an issue directly. What is more worrying is the underlying attitude that it's ok to compromise security if it makes life easier.

          Not to mention the obvious issue that people frequently re-use passwords

      2. Alan Brown

        Re: They have left an open door for the competition

        Given that Plusnet and BT are the same company, the fact that they use deficient procedures is hardly surprising.

        The fact that any outfit keeps the password in plaintext is a good reason to avoid them, even if you never use their supplied email setup (you may not use it, but someone else might well decide to use it to impersonate you).

      3. MrXavia

        Re: They have left an open door for the competition

        @Kubla Cant

        Interesting. When I've talked to them in the past they 'reset' the password to the default for me, which is always the same, but as long as you change it (which should be mandatory but I think is not) they don't have access to it (well, they don't seem to).

    3. Mike Somers

      Re: They have left an open door for the competition

      Aren't Plusnet and TalkTalk the same company?

  8. Anonymous Coward

    Talk is cheap

    Seems TalkTalk's security regime is even cheaper...

  9. Version 1.0

    Standard Operating Procedure

    How is this different from any other large corporation? Customers are chickens, waiting to be plucked and consumed - that is how the world works these days.

  10. Jim McCafferty

    ' OR 1=1.

    Just checking.

    1. omnicent

      missed OR 1=' at the end...

      Just fixing.

  11. Grubby

    Surely not

    A company is allowed to lose your data to people who intend to use it to commit crime which may financially impact you and you have to pay to make any changes to the data (like change bank etc)? And this is legal?!

    Has anyone checked to see if any of the senior management at TalkTalk bought shares in Noddle in the past few weeks? The value of that company will be rocketing at the minute and TalkTalk have effectively created a revenue stream.

    1. Alan Brown

      Re: Surely not

      " And this is legal?!"

      No, and you have plenty of rights to sue them.

      The DPA explicitly allows private action in the case of a data breach and a recent Court of Appeal decision upheld "distress" claims, meaning you can go for far more than just any actual monetary loss.

  12. phil dude
    IT Angle

    liability....and how about some company control?

    I have mentioned it before, but perhaps statutory liability should be attached for holding personal information?

    The obsession of knowing *everything* about you is never for *your* benefit. If the cheque clears, why do they care?

    It may turn out that they can "provide a better service" by knowing every last thing about you.

    One wonders if the only way some companies get so large is not by being good, but by being less worse than the competition?

    Note the icon...nothing to see here!

    P.

    1. Dan 55

      Re: liability....and how about some company control?

      The reason why StalkStalk does care beyond the cheque clearing is that their business model includes selling your data on to third parties.

    2. MrXavia

      Re: liability....and how about some company control?

      I never got why companies hold so much information on us...

      I have a small business... The amount of information I keep on customers is minimal, only what I need to actually perform the service for them.

      And actually storing bank details in a way that can be accessed over the internet??? are they mad?

      Surely you have a one-way internal API call for that data, actual credit card data stored encrypted in that system and ONLY the payment processor should have access to the private key to decrypt?

  13. Anonymous Coward

    If anyone is thinking of joining TalkTalk, don't. There is no legal obligation to encrypt data, but as the past has shown, there is a moral obligation, because things like this will continue to happen and unencrypted data is a gold mine. I hope the ICO nails them with a massive fine. And if you are on TalkTalk, keep all of this in mind when renewing your contract.

    1. Richard Wharram

      Encryption

      Encryption might not have made any difference. If they just used SQL to query the data out of the database then it doesn't matter if it was encrypted at rest or if the channels the data travelled over were encrypted.

      Allowing SQL injection usually means you developed your website in an old framework that didn't block it by default (like classic ASP or early versions of RoR) or that your devs overrode the defaults to make their code easier. Also that you didn't run any number of automated pen-test tools against the site. Or that you ignored the results if you did.

      1. Anonymous Coward

        Re: Encryption

        That is only true if talking about TDE (transparent data encryption), which is only good for people that misplace their servers/storage, or can't be bothered to destroy the drives with the sensitive data on them when finished with them.

        If the data was encrypted at the application level then SQL injection wouldn't work; it would need to be an application level exploit to get the data. If the data wasn't accessible by the web service (as it shouldn't be) and only tokenised and masked data was, then no data would have been available apart from the partial masked data needed for any comparisons in SQL queries.
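The layout the reply above describes, where the web-facing database holds only masked and tokenised card data and the full number lives in a separate vault, as an added example written for this page (not TalkTalk's or any vendor's code); the table name, `VAULT_KEY` and the sample card numbers are constructed:

```python
import hashlib
import hmac
import sqlite3

# Constructed sample data: test card numbers and a made-up vault key. The key is
# held by the payment system only; the web tier never sees it.
VAULT_KEY = b"vault-key-held-only-by-the-payment-system"
SAMPLE_CUSTOMERS = [("alice", "4111111111111111"), ("bob", "5500000000000004")]


def mask_pan(pan):
    """Keep only the last four digits: the usual 'partial masked data'."""
    return "*" * (len(pan) - 4) + pan[-4:]


def pan_reference(pan):
    """Keyed reference to the card number; without VAULT_KEY it cannot be linked back."""
    return hmac.new(VAULT_KEY, pan.encode(), hashlib.sha256).hexdigest()


def build_web_tier_db():
    """Web-facing database: stores masked number and reference only, never the full number."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, pan_masked TEXT, pan_ref TEXT)")
    for name, pan in SAMPLE_CUSTOMERS:
        db.execute("INSERT INTO customers VALUES (?, ?, ?)",
                   (name, mask_pan(pan), pan_reference(pan)))
    return db


def build_vault():
    """Payment system's vault: a separate store with no route to it from the web tier."""
    return {pan_reference(pan): pan for _, pan in SAMPLE_CUSTOMERS}


def dump_web_tier(db):
    """Everything a full table read of the web tier (e.g. via injection) could yield."""
    return db.execute("SELECT name, pan_masked, pan_ref FROM customers ORDER BY rowid").fetchall()


def full_pans_exposed(db):
    """True if any full sample card number appears anywhere in the web-tier dump."""
    dumped = " ".join(str(col) for row in dump_web_tier(db) for col in row)
    return any(pan in dumped for _, pan in SAMPLE_CUSTOMERS)


def last_four_matches(db, name, last_four):
    """The kind of comparison the web tier can still do using only the masked value."""
    row = db.execute("SELECT pan_masked FROM customers WHERE name = ?", (name,)).fetchone()
    return row is not None and row[0].endswith(last_four)
```

Dumping the web-tier table yields names, masked numbers and opaque references; resolving a reference to a card number needs the vault, which sits on a system the web service cannot reach.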

  14. Stefan_Minkey

    Don't these guys have their technical teams based in the Philippines? More off shoring = crap IT security ?

    1. Anonymous Coward

      The offshoring is just a symptom. The reason the IT security is crap is because they don't care about security; they also don't care about IT, it's all just a cost centre that they want to make smaller. The offshoring is just a sign that TalkTalk don't give two fucks about customer security or IT in general.

    2. Anonymous Coward

      No, we're still here in Blighty.

      The call centres are off-shore though.

  15. Stevie

    Bah!

    I imagine that after a few more days of PR, Talk-Talk's share price will be in the toilet and there won't be anyone able to pursue fleeing subscribers and assess penalties owing to there not being any money left in the petty cash secure reserve (the tea caddy in the coffee room with a "petty cash" sticker on it).

    1. macjules

      Re: Bah!

      Best place for their share price. From their track record they'll probably claim that someone hacked the Stock Exchange though to ruin their share price.
