back to article Here's how TalkTalk ducked and dived over THAT gigantic hack

It has been almost two weeks since the "cyber attack" on the TalkTalk website of 21 October, yet the company is yet to tell its customers how their data was compromised. TalkTalk's CEO Dido Harding has yet to offer anything more than a token apology regarding the company's security practices, which allowed more than a million …

Why Is Dido Harding Still in a Job?

I had TalkTalk customer support call me up at the weekend, they had all my details. Allegedly my broadband account had been suspended and I needed to enter some details on their website to get it un-blocked.

Very authentic, they hardly spoke any English, just like the real TalTalk support :-(

53
0
Bronze badge

Re: Why Is Dido Harding Still in a Job?

That dildo woman should resign. She is a deceitful lying woman who is clearly not in proper control. Talktalk should "do right" by their customers by letting them leave. And she should get rid of the indian call centres.

17
3
Silver badge
Meh

Re: Why Is Dido Harding Still in a Job?

Because she is yet another example of the self declared "talent" whose chief function is to trouser wadloads of cash while keeping an eye out for the next revolving door opportunity.

I've always believed strongly in the concept of taking responsibility for things that happen "on my watch". She obviously doesn't.

27
0
Silver badge

Re: Why Is Dido Harding Still in a Job?

Why Is Dido Harding Still in a Job?

She's not going to willingly walk away from a job where she got paid £7m last year just to inadequately oversee a collection of outsourced and offshored peasants, is she? And if she won't go willingly, who's going to sack her, the makeweights and free lunchers of the non-executive directors of TalkTalk? I think not.

The question is, why are you still paying your share of Ms Harding's vastly inflated remuneration? Terminate your contract with them, citing the Supply of Goods and Services Act 1982, and their failure to deliver the service with reasonable care and skill, offering as prima facie evidence the details of the call you had, and the fact that IT data breaches have been going on since at least 2007 but are readily avoided by the application of reasonable care and skill.

I can't see you having much joy with TalkTalk's infamously useless call centres, so probably better to do it as letter to Ms Harding herself at the registered office. She'll never see it, but a flunky will point it in the right direction. They can't dispute your claim using their T&C because statute law trumps the terms of any contract, and then their only grounds for dispute is to claim that a breach of over 1.1m customer records does count as reasonable care and skill, which won't stand up in the small claims court if that's where this goes. Here's a starter for ten:

https://www.citizensadvice.org.uk/consumer/template-letters/letters/problems-with-services/letter-to-end-contract-due-to-poor-work-and-lost-faith/

Or rather than letter, offer them notice of termination for the above reasons on one of their social media forums. That way it's all in public view, and the press will be reading it.

33
0
Silver badge

Re: Why Is Dido Harding Still in a Job?

They ring up people and want them to enter their details on any old website? Nice.

That's if it really was TalkTalk ringing you up. If not then your data's doing the rounds.

0
3
Silver badge

Re: Why Is Dido Harding Still in a Job?

I think you'll find you mean "Why is Dido Harding, <Cough> Baroness Harding of Winscombe <Cough>, still in a job?"

<Cough> Studied PPE at Oxford with David Cameron.

<Cough> Married to Conservative government Minister John Penrose.

Now you might very well think that the above facts could have a strong influence upon whether or not she keeps her job, despite her incompetence. But of course I couldn't possibly comment...

31
1
Silver badge

Re: Why Is Dido Harding Still in a Job?

I've always believed strongly in the concept of taking responsibility for things that happen "on my watch".

To quote Dilbert's PHB: "I can see why you're not in management."

9
0
Anonymous Coward

Re: Why Is Dido Harding Still in a Job?

More women need to be in these top positions to have management that is representative of society.

Or so we're told.

2
9

failure to deliver service with reasonable care and skill

Once you get told that your account is not longer working, by some illiterate non English speaking oik (that just happens to have all the data on you that Talk Talk requires to verify you) then you could assume, quite rightly that it IS an official contact from the supplier and all you have to do is tell them:

"OK, see to it the account remains suspended; I am going to get a decent ISP, please send the official communique in writing," and then tell them where to go.

Hint when speaking to people of that nature: Shout V loudly.

3
0
Silver badge

Re: Why Is Dido Harding Still in a Job?

It's odd that the government hasn't made a bigger thing about the TalkTalk hack - after all, it is one of the largest leaks of personal information in the UK that hasn't been managed by the government, and they're always telling us about the threat of all things cyber.

Could it be that they don't want to draw attention to the incompetent Dido Harding being a colleague of Cameron's at Oxford PPE, a Tory peer and married to John Penrose MP Lord Commissioner of Her Majesty's Treasury, and assistant government whip?

15
0
Silver badge
Devil

Re: Why Is Dido Harding Still in a Job?

"I've always believed strongly in the concept of taking responsibility for things that happen "on my watch". She obviously doesn't."

Which means you have ethics and thus can never, ever be a C-suite resident.

3
0
Silver badge

Re: Why Is Dido Harding Still in a Job?

Extremely appropriate, since David Cameron is a PR man (which is why he fronts the Conservative Party) and TalkTalk sounds more like a PR company than anything to do with modern communications.

Politics, philosophy and economics sounds to me like the only subject at Oxford where you need just 33% to get a First, so long as it's the politics bit.

2
0
Anonymous Coward

Re: Why Is Dido Harding Still in a Job?

I had a suspicious call here late last week too; dreadful line quality, so couldn't make out what they were saying, in a blatant foreign accent, so warned them off and hung up, because it couldn't be a professional caller...

Social Engineer me, ha not happening; I've security aware and have ample security training at work!

I'll query dubious account security checks by any kind of service providers who I call or call me, because I don't want the information to be misused or faulty security to allow miscreants access to my accounts. I have ID protection anyway, because it is only a matter of time before a service provider cocks up.

0
0
Silver badge

Re: Why Is Dido Harding Still in a Job?

Sounds like you already got "socially engineered", as ID protection isn't even worth the paper it's not written on.

What do they do to "protect" your ID?

2
0
Silver badge

Re: Why Is Dido Harding Still in a Job?

I never get calls like this. If i did then id pass to my dog,he loves chatting on the phone depending on what is on TV (bake off makes him go nuts)

0
0
Silver badge

Re: Why Is Dido Harding Still in a Job?

Well that is a moot point - of course she is very representative of society - venal incompetent and overweight - but are these qualities you want in a CEO?

1
0
Unhappy

Re: Why Is Dido Harding Still in a Job?

I think you'll find that *Baroness* Dido Harding, if you please, is a member of the Government's Business Advisory Group, so no doubt we can look forward to a great many more of these scandals in the future.

https://www.gov.uk/government/news/business-advisory-group

Her husband John Penrose MP is Lord Commissioner (HM Treasury) (Whip) and also Parliamentary Secretary to the Cabinet Office.

So I don't think she's going to be coming in for any criticism from anyone who matters - a group that excludes any TalkTalk customers.

1
0
Big Brother

Re: Why Is Dido Harding Still in a Job?

Like so many of her ilk, she's still in a job because her name is still on the Christmas card list of the Address Book clique that runs so much of this country. As her Christmas card sharing friend David Cameron once said to his Christmas card sharing friend Rebekkah Brooks: LOL.

As in: Linger On, Lying.

0
0
FAIL

Re: Why Is Dido Harding Still in a Job?

I'm pretty sure misogyny has no place here. Incompetence and failure are not gender-related issues. Dido needs to go, but it's for other, less obnoxious, reasons.

0
0

Talktalk have never been a real ISP in any way. They are basically a shell, with everything outsourced and offshored. They have negligible support or customer service infrastructure. This has been the case since the very beginning. If you use them for anything, this is who you are giving your money to.

12
0
Bronze badge

fuck this makes me angry!

"No banking details have been taken that you wouldn't already be sharing when you write a cheque or give to someone so they can pay money into your account."

A few years ago, we rather foolishly left our account details on our website for people to pay us, and we had a dozen or so direct debits set up through our account. Scammers can use these details to order services, sell them to their marks, and then run off with the cash, whilst the mark realises a few days later that the service was never paid for.

No checks are done when setting up direct debits.

17
1
Silver badge

Re: fuck this makes me angry!

Indeed. Wasn't it Jeremy Clarkson who famously published his bank details in a newspaper, claiming there was no possible security issue with letting everyone know them, and promptly had a reasonably large donation to charity taken from his account? I might be happy handing over the occasional cheque or giving my account details to a friend or customer, but that's a rather smaller pool with a much lower likelihood of fraud than "everyone on the internet". Someone like Clarkson might not be expected to know any better (although presumably he does now), but you'd rather hope that a company with a legal responsibility to protect data properly would take things a little more seriously.

24
0

Re: fuck this makes me angry!

'No checks are done when setting up direct debits'

Should that be a necessity now as that could well be a chink in the armour.

1
0

Re: fuck this makes me angry!

@J3D1 Maybe not. Direct Debits allow companies to be reliably paid on time. The alternative is sending bills and waiting for customers to pay up, chasing with follow up demands etc which is less efficient and so more costly.

If there's the occasional fraudulent DD set up that companies/banks/whoever have to refund it may well be cheaper than having a more secure DD system that fewer people use.

Someone will be crunching the numbers, and I expect the current DD system will still be the cheapest.

1
3

Re: fuck this makes me angry!

That doesn't mean it can't be improved tho. All that is needed would be for you to log in to your bank and approve any direct debit that has been set up on your account in order to activate it within the 14 day cooling off period.

6
0
Silver badge

Re: fuck this makes me angry!

Yep according to this http://news.bbc.co.uk/1/hi/7174760.stm someone set up a £500 direct debit to Diabetes UK. Though I think it would have been funnier to have sent the money to Greenpeace.

5
1
Bronze badge

Re: fuck this makes me angry!

log in to your bank and approve any direct debit

Yeah, best of luck with that. My mother-in-law doesn't even own a computer, much less know which end of a mouse is which and while she's become quite adept at text messaging in the three or four years she's had a mobile phone, my dad can only just about remember how to operate the digital TV box and leaves "all that stuff" to my mum who at least knows where the power button is on her Mac (no mean feat!).

My own simple solution to a lot of the problems - if you never sign up for online banking or telephone banking then you know that if you get an email or a phonecall ostensibly from your bank it must be a scam.

But that does rather rely on having a branch nearby that I can go to when things need sorting. It works for me, but I know that there have been a lot of branch closures over the last 20 or so years and so it won't work for everyone.

Oh, and when I had my card details nicked a while back it was (almost certainly) in a branch of a well-known retailer (i.e. not online) and although my bank cancelled the card immediately we spotted the problem, neither we nor they spotted for a further few months that a Continuous Card Payment had also been set up for a £7/month subscription and - guess what - even though the old card was cancelled and I was issued with a new one, the CCP was automatically rolled-over to the new card. You'd have thought that a subscription would have an address attached, but I doubt anyone would bother to check...

M.

10
0

Re: fuck this makes me angry!

" log in to your bank and approve any direct debit "

That potentially opens a lot of attack vectors (*) to shut down one. And requires you to trust your bank's security.

(*) keyloggers, accessing your bank account via your email, scam mails, banking app etc

0
0

Re: fuck this makes me angry!

@Rimpel

If I setup a new recipient via internet banking (I haven't tried DD), I'm required to go through a telephone authorization procedure before it's activated. I can't see that it would be difficult to implement this for DD.

1
0

Untrusted Media

And whilst all this is going on, our friends at Sky and the Beeb mouth the press releases to camera without questioning any of the inconsistencies. For an entire day, the Beeb was putting out the Dodi-DDOS line with 'experts' like Rory Cellan Jones 'explaining' what it means to we, the little people. This is the new 'digital' media as they keep telling us as if they know squat.

Again (and again and again), big business sailing too close to the wind with razor-thin operations with no talent making a farce of service with our personal and financial information. And not giving a sh...

15
0

Getting rid of schmucks

That doesn't sound very British, so I suppose the BBC will be keeping Rory Cellan Jones, foreskin and all.

0
0
Silver badge

cyber criminals are becoming increasingly sophisticated and attacks against companies that do business online are becoming increasingly frequent

It was SQL injection, a 10-year-old attack vector, FFS! Any system that isn't written and supported by buffoons should repel it as easily as Dildo shrugging off blame.

It's as if a car manufacturer sold a new car that can go at 100 mph, which turns out to use the brake technology from a 1908 Model T. They would be liable for the subsequent deaths and injuries.

11
0

"It's as if a car manufacturer sold a new car that can go at 100 mph, which turns out to use the brake technology from a 1908 Model T. They would be liable for the subsequent deaths and injuries."

"It's as if a broadband supplier sold a package that can go at 50Mb/s and throttled it to 10KB/s. They would be liable for errrrrr mumble mumble mumble."

As you were.

9
0
Anonymous Coward

SQL injection? Based on what evidence?

2
0

This post has been deleted by its author

Bronze badge
Meh

There is no excuse for building dynamic SQL directly as bare strings at all, that includes template APIs which don't know about SQL escaping. Developers should use either a mature SQL builder API or a mature persistence API which automatically append SQL escaped values or uses parametrised SQL. All code should be routinely security audited and upgraded, that also includes early rejection of bad parameter values which could cause denial of service, database data-type specific exploits or value reflection exploits.

All software architects, designers and developers should be security aware, because vulnerabilities can be quite subtle and much harder to fix later; this gets even more complex on distributed systems like cloud systems.

0
0
Anonymous Coward

Let's try to weather the storm

they said. And the gamble's paid off.

4
0
Silver badge

Re: Let's try to weather the storm

And the gamble's paid off.

Only so far. According to one of the Reg hosted whitepapers on data breaches, the average cost of a data breach (investigation, resolution, restitution, trust winback campaigns, lost business) is over £100 per record. If that plays out true to form for TalkTalk, then this is a £100m+ hit. I have a suspicion that because of the high churn rate in telecoms reselling, and the vast publicity this has had that the costs to TalkTalk could easily be a lot higher. They've just had to pull all their marketing campaigns, and those are probably contractually committed costs, so they won't be seeing their money back, and that will affect customer acquisition rates. The sales teams are (hopefully!) sitting on their arses waiting for a phone to ring (and hopefully, again) when it does ring, its a wrong number or a scammer asking if they've been missold PPI.

I was subject to data breach by the incompetent fuckers at a Dixons Carphone subsidiary a few months back. Funny isn't it that the chairman of both Dickhead Carphone plc and of TalkTalk plc is Charles Dunstone? Could it be that he fosters a "think of the money" culture that puts short term profits ahead of customers every time?

I'd like to nominate Dunstone for a board position with Thomas Cook - they appear to have the same values.

5
0

Re: Let's try to weather the storm

@Ledswinger

"I have a suspicion that because of the high churn rate in telecoms reselling, give

it 6 - 12 months for people to forget and people will sign up" <- fixed it for you

ElReg commentards will remember but there's a lot of people that don't follow this and will just go for a cheap deal at any given time.

0
0
Anonymous Coward

Direct debit

got a DD due to go out on Thursday, wonder if theyll have to cheek to try it? Bank already been told to decline all DDs from Talk Talk, and Talk Talk call centre been told I'll be leaving it like that until an satisfactory explanation given .....

1
0
Silver badge

Re: Direct debit

I'd make sure that you have a copy of that bank instruction in writing. Then I'd still check my account the next day.

5
0
Anonymous Coward

Re: Direct debit

i do, and i did.

Talk Talk, however, have said they'll charge me £10 for any rejected direct debit ...

0
0
Anonymous Coward

All of the card protection and data protection stuff is a complete waste of time. Good luck convincing the board to fork out on doing anything properly ever again in the security world.

Also all the talk about credit cards, I'm pretty sure that with all the personal data that's gone missing people can steal your identity.

0
0
Bronze badge
Meh

PCI and the Data Protection people should have mandatory fines and even loss of merchant status, so that there is no choice; PCI should forbid personal detail leaks too because the card issuers rely on personal details for customer anti-fraud enquiry authentication. Yes, ID theft is possible, as is Social Engineering, especially when joined up with other data sources.

Point of Sale (shop till) software seems to be migrating to using security hardened, external services and devices to handle credit cards and user information for robust security, less need for PCI-* certification, and for flexibility; there is no reason that web software can't do the same. If any user data could be captured, it should be orders of magnitude smaller quantity of transactions.

1
0
Anonymous Coward

The effects of this could reach further than you'd think.

In York a company called City Fibre are currently installing the first widespread FTTH infrastructure ( 1GB, both directions) in the UK, primarily to evaluate the commercial viability of such schemes. Now, can you guess which ISP they've signed up with to sell this to the homeowners, many of who will already have access to Virgin FTTC cable ?

0
0
Boffin

Wouldn't that make City Fibre a TalkTalk wholesale reseller? In that case, the consumers would have contracts with them rather than TalkTalk, so TalkTalk won't have most of the information. I'm also assuming that CF have rather better than the TT level of data security…

(Also, doesn't stealing data imply removal of said data from its original location? If the data remains there, it's not stolen, merely illegally duplicated…)

0
0
Silver badge

"Wouldn't that make City Fibre a TalkTalk wholesale reseller?"

Yup. And there are a lot of smaller ISPs who are in the same boat. Mine is one of them.

My DSL box has been hit so hard with external attacks over the last few weeks that it's been periodically rebooting when it runs out of ram to keep the logs in.

0
0
Bronze badge

Isn't it about time TalkTalk just held their hands up and accepted they were stupid, apologise properly and give a detailed explanation of what went wrong.

2
0
Silver badge

Isn't it about time TalkTalk just held their hands up and accepted they were stupid, apologise properly and give a detailed explanation of what went wrong.

Ladies & Gentlemen, I offer you incontrovertible proof that aliens both exist, and live amongst us here on planet Earth. The look like us, they sound like us, but they are still struggling to understand how and why things work as they do.

10
3
Bronze badge

I perfectly understand how things work but that doesn't mean they should work that way.

0
0

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2017