Chaos at TalkTalk: Data was 'secure', not all encrypted, we took site down, were DDoSed

Chaos reigns at TalkTalk as the telco appears to be claiming that a distributed denial of service (DDoS) attack led to customer data being compromised – despite that being technically infeasible. A contradictory series of claims in a TalkTalk statement published this morning has suggested the company does not understand the …


Re: Actual e-mail received from Talk Talk

"Send you emails asking you to provide your full password. We will only ever ask for two digits from it to protect your security."

Which implies a totally insecure practice of storing passwords in plain text, or at best encrypted but easily decryptable internally (and so not really much better than plaintext).

Not that hashed passwords are safe, but at least more effort is required (and if using salts can be quite secure, esp if salts stored elsewhere so a theft of user "credentials" data needs breach of 2 systems)

Re: Actual e-mail received from Talk Talk

Seems like you should be able to bill them for the time you spend keeping an eye on your accounts.

Anonymous Coward

Re: Actual e-mail received from Talk Talk

...unfortunately there is a chance that some of the following data may have been accessed:

• Names

• Addresses

• Date of birth

• Phone numbers

• Email addresses

• TalkTalk account information

• Credit card details and/or bank details

WTF do they need your date of birth?

Re: Actual e-mail received from Talk Talk

It's exactly the same at plus.net. I raised a complaint pointing out that their password security was atrocious. One of the highlights of the response was this:

"Thank you for your further response, in regards to a question where you asked what is stopping our staff accessing your details and taking them out of the office. We are a paperless company so sensitive information cannot be written down. And all of our systems are monitored to prevent situations of fraud occurring.

In regards to asking for a password we are only allowed to ask for specific letters from your password. A password is between 8 and 16 characters in length and depending on what you use to make up your password indicates its strength, requesting two random characters would not decrease the strength of the password.

Then there is the fact that our chat services are very secure and only you and plusnet can view what you have written. The reason why we ask for part of your password is because it is the most secure piece of information that only you and Plusnet would know, rather than address, phone numbers, etc."


Re: Actual e-mail received from Talk Talk

We are very sorry to tell you that on Thursday 22nd October a criminal investigation was launched

What a terrible weaselly way to put it.

Not, sorry we were opened up, but just sorry it's being investigated.

Re: Actual e-mail received from Talk Talk

To send you a happy birthday email, including an invitation to enjoy more of their fantastic services?


Re: Actual e-mail received from Talk Talk

>>"Thank you for your further response, in regards to a question where you asked what is stopping our staff accessing your details and taking them out of the office. We are a paperless company so sensitive information cannot be written down. And all of our systems are monitored to prevent situations of fraud occurring."

What? Do they have monitors walking up and down between the desks ensuring that there is no paper present and no pens or pencils? I don't believe that response for a moment. Surely they must have been laughing when they wrote that response.


Re: Actual e-mail received from Talk Talk

So, it's up to you to keep an eye on your account?

Why, would you rather Talk Talk did it?

Re: Actual e-mail received from Talk Talk

I got that email too. In HTML only - no separate text-only part - with plenty of 'remote images' and clickable links, all to http:// URLs not https://, so anyone who's looking at their web traffic will now be able to collect even more information about their customers. (Not from me of course - my email client extracts plain text from HTML and ignores the rest).

TalkTalk only provide my landline telephone service, using BT infrastructure not 'LLU' - they aren't my ISP and never have been. Looks as though I'll be changing telco sometime soon ...

Anonymous Coward

Re: Actual e-mail received from Talk Talk

"We will only ever ask for two digits from it to protect your security."

"Which implies totally insecure practice of storing password in plain text"

Not necessarily. Each digit/letter could be hashed and salted independently; it would enable this sort of check without saving anything in plaintext or decryptable format. Now as for the odds that TalkTalk indeed did this...

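The two comments above disagree about whether a "give us characters 3 and 7" check forces plaintext storage. The per-position salted hashing scheme the second comment describes is implementable, but it has a cost that is worth seeing in code: each stored hash covers one character, so anyone holding the table can recover each position from a 94-symbol alphabet independently, and the cost of recovering the whole password grows linearly with its length instead of exponentially. The following is an added example, not code from the thread or from TalkTalk; the alphabet, the PBKDF2 work factor and the sample password are constructed for illustration.

```python
import hashlib
import hmac
import os
import string

# Constructed illustration of per-position salted hashing (the scheme proposed in the
# comment above) and of what a stolen table of such hashes gives away.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 printable symbols
ITERATIONS = 1_000  # deliberately low work factor so the example runs quickly; illustration only


def hash_char(ch: str, salt: bytes) -> bytes:
    """Hash a single password character under its own salt."""
    return hashlib.pbkdf2_hmac("sha256", ch.encode(), salt, ITERATIONS)


def enrol(password: str) -> list[tuple[bytes, bytes]]:
    """Store one (salt, hash) pair per character position; the password itself is never stored."""
    record = []
    for ch in password:
        salt = os.urandom(16)
        record.append((salt, hash_char(ch, salt)))
    return record


def verify_positions(record: list[tuple[bytes, bytes]], answers: dict[int, str]) -> bool:
    """Check the characters the customer was asked for, e.g. {2: 'x', 6: 'q'} (0-based), nothing else."""
    for pos, ch in answers.items():
        salt, digest = record[pos]
        if not hmac.compare_digest(hash_char(ch, salt), digest):
            return False
    return True


def recover_position(record: list[tuple[bytes, bytes]], pos: int) -> str:
    """Why the scheme is weak: one position falls after at most len(ALPHABET) hash evaluations."""
    salt, digest = record[pos]
    for candidate in ALPHABET:
        if hmac.compare_digest(hash_char(candidate, salt), digest):
            return candidate
    raise ValueError("character outside the assumed alphabet")


def recover_all(record: list[tuple[bytes, bytes]]) -> str:
    """Positions are independent, so the full password costs len(password) * len(ALPHABET) guesses."""
    return "".join(recover_position(record, pos) for pos in range(len(record)))


def work_comparison(length: int) -> tuple[int, int]:
    """Worst-case hash evaluations to recover a password of this length:
    per-character scheme versus a single salted hash over the whole string."""
    return len(ALPHABET) * length, len(ALPHABET) ** length


if __name__ == "__main__":
    rec = enrol("Tr0ub4dor&3")  # constructed sample password
    print("partial check passes:", verify_positions(rec, {0: "T", 4: "b"}))
    print("recovered from stolen table:", recover_all(rec))
    print("work for 8 chars (per-char vs whole-string):", work_comparison(8))
```

So the second comment is right that the check does not require plaintext, and the first comment is right in spirit: a breached table of per-character hashes is only marginally better than plaintext, because the exponential cost that makes a whole-password hash worth stealing is gone.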
JLV

Re: Actual e-mail received from Talk Talk

+1

DoB probably has to do with minors and things they can/can not do.

However, what about:

- not asking for DoB for that purpose and asking for a Month/Year of birth instead? I made the same remark on my last census survey - month is plenty specific enough.

- how about everybody else clueing in that DoB is a lousy way to confirm identity, just like your mother's maiden name? Yes, it might have been usefully obscure information 30-40 years ago, but now we have all sorts of basic info leaks, and searchable genealogical databases can show up some pretty obscure family stuff as well. You shouldn't be getting penalized because some nitwits insist on issuing a CC with only cursory checks.

Re: Actual e-mail received from Talk Talk

"TalkTalk will also NEVER:

• Ask for your bank details to process a refund. If you are ever due a refund from us, we would only be able to process this if your bank details are already registered on our systems."

'For your convenience we hold these details, in an unencrypted form, on a database that is probably on the same server as our http website.'

Re: Actual e-mail received from Talk Talk

"We are a paperless company so sensitive information cannot be written down"

Holy crap!

Presumably any follow up questions would be answered with 'we do not allow cameraphones in the office and have strict policies against our employees from remembering stuff'


Welp, that answers a lot

Interview on the radio over lunchtime had the MD mentioning about an SQL injection attack.

If that's the case, it doesn't matter if the database was encrypted or not (note, encrypted, not hashed). If you can get a direct line to run queries, then unless the data is hashed as well (rendering it pretty much useless for anything other than confirming details like a password or username, unless I've missed a trick there) they've pretty much got the keys to the kingdom.

Also, if true then what sort of trained gibbon do they have running their IT to fall prey to the most basic of basic attacks? Secondly, data siloing, ever heard of it?


A tad harsh

SQL injection may be old hat, but it is an example of weak validation of input data (see also XSS). If your site contains many thousands of web pages, the chances that there will be examples of such errors are rather high - in my experience it's unusual for a web application vulnerability assessment not to turn up multiple occurrences, whether they have the potential to be a major or a minor breach is largely down to luck.

[Inevitable Bobby Tables reference]

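The two comments above make the same point from different angles: an SQL injection hands the attacker the database's own view of the data, so encryption at rest does not help, and the underlying bug is unvalidated input reaching the query text. Here is an added example (not code from the thread, from TalkTalk, or from any real system) showing the vulnerable pattern beside the parameterised fix, with a constructed in-memory SQLite table whose column names are invented for the illustration.

```python
import sqlite3

# Constructed sample data: an in-memory table standing in for a customer database.
SAMPLE_ROWS = [
    ("alice@example.net", "1970-01-01", "1234"),
    ("bob@example.net", "1985-06-15", "9876"),
]

# Textbook tautology input; a customer lookup that concatenates it matches every row.
INJECTION = "x' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Build the constructed customer table (column names are invented for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, dob TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, dob, card_last4) VALUES (?, ?, ?)", SAMPLE_ROWS
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list[tuple]:
    """The bug the comments describe: user input is pasted into the SQL text, so the
    database parses the input as part of the query."""
    sql = "SELECT email, dob, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, email: str) -> list[tuple]:
    """The fix: the value travels separately from the query text via a bound parameter,
    so whatever the input contains, it can only ever be compared with the email column."""
    return conn.execute(
        "SELECT email, dob, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


def demo() -> tuple[int, int]:
    """Rows returned for the injection string by the vulnerable and the fixed lookup."""
    conn = make_db()
    return len(lookup_vulnerable(conn, INJECTION)), len(lookup_parameterised(conn, INJECTION))


if __name__ == "__main__":
    vulnerable_rows, fixed_rows = demo()
    print(f"vulnerable lookup returned {vulnerable_rows} rows, parameterised returned {fixed_rows}")
```

Note that the parameterised version is the fix regardless of what the column holds: if the application can read `card_last4` through a query, so can anyone who controls the query, which is the commenter's point about encryption at rest being irrelevant to this class of bug.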

Re: Welp, that answers a lot @Sgt_oddball

"what sort of trained gibbon do they have running their IT"

One that seems to need a lot more training!

DBFA

It might be a distributed brute force attack. The sudden deluge of traffic would (prima facie) suggest a DDoS attack, so the fact data was being leaked wouldn't necessarily be observed if the sysadmins are running around like crazy to try to deal with the problem they *think* is happening. In any case, customer data was not protected as it should have been.


I'm sure former Tesco phone/broadband customers...

... are feeling particularly aggrieved today.

TalkTalk are completely incompetent

TalkTalk are completely incompetent, and this news doesn't surprise me in the slightest. Recently, I've been migrating my Mum's email away from TalkTalk as a.) they're useless at spam filtering, and b.) emails are taking up to 24 hours to rattle through their systems. Looking at the SMTP headers, mails just seem to disappear into a black hole for up to a day. If their mail infrastructure is anything to go by, a "DDoS" attack may have just been a few script kiddies reloading their home page and crashing the ZX Spectrum it's probably hosted on. Oh, and if you try and leave them, expect to still be billed and threatened with bailiffs for months after you cancel your contract.


Re: TalkTalk are completely incompetent

They are not incompetent.

They are consistent -- there is the Tiscali effect.

E2

Re: TalkTalk are completely incompetent

Registered specifically to endorse your statement.

Hassled several times a day from some arseholes in the Philippines who did not even have reference to the UK credit control conversations that had the process on hold while they verified that I did not owe money.

Statements from TT in the post threatening action had no registered company name and address, only the trading name that I traced on the web. Companies House said I could report it to "technical offenses" - they should be chopping the legs off major companies deliberately doing this so that you have to go through their offshore call centres.

Strangely the only decent people in the process were the debt recovery agency.

Woop! There it is.

The ransom demand has just been issued. Your move TalkTalk, although I don't see what good paying up will do.


Things move on . . .

Now TalkTalk are being asked to cough up to get their stuff back . . .

Where's the popcorn icon?

(my sympathies to anyone affected by this - especially if they really have got your info)


Re: Things move on . . .

Get their stuff back? This doesn't include their reputation, presumably.

Re: Things move on . . . (reputation)

It is a crying shame, that 2, or even 1 month later, the 'standard idiot' will have forgotten about the incident, and think 'hey that's a good deal, the ad looks lovely...' :O


I would love....

...the credit card companies and the ICO make a true example of them and hit them with maximum fines. That would really put the pressure on them and hopefully see a few heads roll at the top.

But of course, the ICO are likely to say "We've had a word with them and they said they won't do it again".

TVC

Re: I would love....

I believe that the penalty for non-PCI-DSS compliance can result in the ability to process such information being removed by the bank - end of business?


CEO on Newsnight

Talk Talk's CEO Dido Harding on Newsnight last night appeared to be spouting this "sustained DDoS led to data being stolen" nonsense. I just put it down to her not having a clue, not having had things properly explained to her, or simply being confused. It certainly looked like Talk Talk were in a state of panic. At one point I could have sworn I heard her suggest all customer data had been taken..

Anonymous Coward

Scandalous ignorance by Talk Talk.


Will Mark Hollis move ISPs?

Maybe I don't know if I should change

A feeling that we share, it's a shame

The End - hopefully.

Just another chapter in history for this company staffed ostensibly by a bunch of cowboys - playing fast and loose with customer's private data.

Hopefully this will be their downfall, the industry just doesn't need a shower of morons like Talk Talk.

data already being used?

Don't know if this is related, but our spam filters have picked up a batch of spam/malware emails all being sent from several different @talktalk.net email addresses to what appears to be a list of emails in address books.

Could just be a coincidence, or someone may already be exploiting the stolen data.


Might have been a couple of attacks ongoing, one being a loud distraction whilst something more subtle was actually slurping data while the managers run around screaming.

However Talk Talk hardly has a stellar reputation for customer service or straight talking.


Coincidence?

My Dad is with TalkTalk, and several weeks ago they sent him an e-mail offering F-Secure "SuperSafe Boost" for "a tiny £2 a month". He did not take up the offer.

Then, just over a week ago he received an (unsolicited) e-mail directly from safeavenue@f-secure.com (confirmed by the headers and not just the "From:" address) , greeting him by name and offering what looks like a free 8-seat licence for "F-SECURE SAFE!".

So if TalkTalk have passed on his e-mail address and name to a third party, what else have they given away without permission?

mb


Warn your old and technically illiterate relatives that there might be problems

Interestingly my parents are with Talk Talk through them having first signed up with Homechoice, which was in turn bought by Tiscali, which was bought by Talk Talk. They still have a Homechoice email address and I've warned them to be on the lookout for odd bank transactions and to change passwords etc.

However a long while ago I had the misfortune to have to contact Talk Talk customer technical support because the broadband was dead and I was getting complaints. I had already identified that the cable (they live somewhere rural with a telegraph pole supplying their landline/BB) from the pole to the house had suffered a direct hit from something (we thought a lorry) and was no longer connected to the house. I started the phone call informing the support bloke of this and asking for a BTOpenreach engineer to visit and fix it. When asked if there was an email address that they could be contacted on that didn't rely on their broadband being functional I said yes dodderyoldfolk1922andabit@Homechoice.co.uk which is available on their smart phones.

Bloke: "No you mean @talktalk.net don't you"

Me: "It's what I just said it was and I can spell it out phonetically if you need it."

Bloke: "You might want to switch to a Talk Talk email address you know"

Me: "Why?"

Bloke: "Well that domain's quite old you know"

Me:"So are my parents, and that's why we don't change things if at all possible. What does the age of the domain of the email address have to do with anything anyway?"

Bloke: "Well you know.......it might get switched off due to its age. We can't support everything indefinitely."

Me: "How long have you worked in this job"

Bloke: "A while"

Me: "Do you have any qualifications in anything IT related?"

Bloke: "I'm not sure I'm allowed to answer questions like that"

Me: "Okay, can Talk Talk not afford to keep the payments up on the homechoice.co.uk domain? It's not really that expensive is it? My domain name is a .com and only costs ~£10 a year."

Bloke: "I can't comment on the company or finances"

Me: "Okay then, any news on when you can get BTOpenreach to send someone round to look at the external cable?"

Bloke: "We have yet to determine where the fault has occurred"

Me: "Well the first step I would have thought would be to reconnect the landline through which the broadband reaches them wouldn't you? Would you like a picture of the cable hanging down from a telegraph pole to confirm it?"

Bloke: "................We'll send details of the first appointment available in an email to that address"

Me: "Thank you, I have to go now my head hurts".

Oh well, Life's What You Make It

Can't escape it.

ICO no better

I've not been able to get anywhere with Talktalk since their August hack of my data. So today I went to report my concern at the website of the Information Commissioner's Office.

1st question - Have you contacted the organisation? Yes.

2nd question - Have you received a full response? No.

At this point, the form terminates and I am advised to contact Talktalk. I phoned the ICO for advice and the telephonist told me they always advise that people should answer "yes" to Q2, even though the truth is "No", in order to be able to continue with the form!

What chaos!

Old news?

If only they had known about this some time ago...

https://paul.reviews/value-security-avoid-talktalk/


Re: Old news?

That's quite some response he got from the TT lady, I wonder if she is still saying that today?


Re: Old news?

So this time last year Talk Talk was following Cameron's best practice for data at rest and in transit. Maybe encryption is useful after all.

This from a "communications" company:

Mrs Harding (from Talk Talk) added: "I know it feels like a very long time but at Wednesday lunchtime all we knew was that our website was running very slowly, that our email system was running slowly, and that is usually an indication that someone is trying to bombard your systems to get in. So we took the decision to bring down our systems right away, we then spent the next 24 hours trying to work out exactly how someone had got in and what data they had accessed."

FFS, put someone in front of the microphone who knows what they are talking about.

"FFS, put someone in front of the microphone who knows what they are talking about."

Nope, they won't do that. That is not the way of big business or marketing.


This is Talk Talk. They don't employ people who know what they are talking about.

"...but at Wednesday lunchtime all we knew was that our website was running very slowly, that our email system was running slowly, and that is usually an indication that someone is trying to bombard your systems to get in."

They knew that the email system was running slowly on Tuesday afternoon, as I had a ticket open with them about it and the engineers were looking at it. Could that be related? (And my email was back up to speed on Wednesday...)

Same shit different day.

As usual from ANY telco (yes even your impervious saintly one) it's all just vile bullshit.

Love the latest update to their posting about it.. Basically it says latest update 2pm.. and the update consisted of updating the timestamp from 11am to 2pm..

Fuck em all...


Re: Same shit different day.

Are they really all the same? I think I'd be more inclined to trust Zen or A&A over this shower of twatwombles.

TalkTalk Business also affected

Just had my email from TalkTalk Business which has confirmed that they're also affected. Unfortunately they've just copy-pasted the email they sent to their residential customers, offering the same hopeless advice.

Free credit checking services like Noddle don't allow you to monitor your business's credit file, so they don't help. It's TalkTalk's incompetence that has allowed this to happen, therefore I want to know how they plan to give me the ability to monitor my business's credit file without incurring additional cost.

Like others I also want to know if I can cancel my contract without penalty as I no longer trust their competence. I also want to know how I can go about getting my details deleted from their systems permanently.

Anonymous Coward

Re: TalkTalk Business also affected

Good luck. If you find out, post it.

thanks.

Carphone and Talktalk: the same weakness?

Okay, a few months ago there was a breach at Carphone Warehouse (okay, Dixons Carphone), and my personal data was compromised. Now there is this one at TalkTalk, and my personal data has been compromised again.

CPW and Talktalk are separate companies, but they used to be the same company and one was spun off the other. I suspect they use a lot of the same systems, and share a lot of common code for their customer systems and/or websites. (To add to the complications, both companies are the product of a lot of mergers / acquisitions, so there are probably lots of barely compatible things lashed together as well).

I wonder if it is possible that both data breaches came from exploiting the same/similar weaknesses. It wouldn't surprise me at all if they did.

sh1t service

sh1t security

is there a pattern?

did0

Biting the hand that feeds IT © 1998–2017