TalkTalk offers customer £30.20 'final settlement' after crims nick £3,500

TalkTalk is trying and failing to mend its broken customer relationships following the recent mega breach, in one case offering an individual who had £3,500 stolen from his personal bank account £30.20 as a “good will gesture [and] final settlement” by way of compensation when he tried to get out of his contract. Ian …

Anonymous Coward

I never thought I'd live to see the day my home town got a mention in El Reg and now it's linked with UFOs. I must say I don't know any Rimmingtons and with such a name he probably lives in one of the posher parts even more so if a UFO hovered above his house. I doubt any self respecting UFO would warp over our estate and it definitely wouldn't hang about hovering. That said, it's a grand place.

1
0

Ossett ...

Bloody hell, is commentard-land populated only by us Ossett dwellers?

I guess the motto "Inutile Utile Ex Arte" fits here perfectly.

WaveyDavey (Just off Towngate)

1
0

@WaveyDavey

The only thing that is "inutile" round this forum is TalkTalk security response

1
0
Anonymous Coward

Re: Ossett ...

>Just off Towngate - Milner way/Flushdyke side? I remember when that wer all fields. We used to walk over them fields to Flushdyke school, if we were late, headmaster would smack our arses and if any dust flew up, supposedly indicating we'd been playing he'd whack us some more.

0
0

Re: Ossett ...

Nah - Broadowler Lane. Still, I'm a relative newcomer, only moved here 17 years ago. And unless someone gave me pots of money to emigrate to NZ, I can't see me leaving any time soon.

0
0
Anonymous Coward

Re: Ossett ...

Is this turning into a love fest? For two weeks of the year we are neighbours. Our roads cross, literally.

0
0
Silver badge
Headmaster

Re: Ossett ...

Where us poor sods that were considered too bright to go to Horbury Secondary Modern got to walk up Storrs Hill and go to Ossett Comp instead.

(If I'm so smart, why aren't I rich?)

0
0
Anonymous Coward

Re: Ossett ...

Ossett ?

Posh buggers.

Then again, we were forced to go to QEGS if we showed any indication of intelligence.

(Mike - from Independent Republic of Barnsley)

0
0
Anonymous Coward

Re: Ossett ...

>Storrs Hill - That hill was a bugger at the end of the cross-country.

0
0

Re: Ossett ...

Go on, I'll bite - which road are you on that crosses Broadowler? I'm not a mad stalker, honest.

And re Ossett comp - third of my brood passing through that mill. School has been both amazingly good and appallingly bad in turn, over the years.

0
0
Anonymous Coward

Re: Ossett ...

You can hardly stalk an AC. Strictly speaking it touches not crosses, I employed a bit of poetic license. I was born in the front room of a house on the council estate and go back for holiday every year.

0
0

Re: @WaveyDavey

But is it "Ex Arte" or ex parte?

I think somebody needs a good thrashing from his house master and a good gallop around the quad to aid his diction.

Should that fail a trip to matron, for one of her favoured cough and drop remedies that she likes the older boys to do should suffice.

1
0
Anonymous Coward

Re: @WaveyDavey

"But is it "Ex Arte" or ex parte?"

In Ossett, it's Artex and Anaglyptae.

1
0
Silver badge

Re: Ossett ...

>Storrs Hill - That hill was a bugger at the end of the cross-country.

Aye, and climbing it every day didn't make it any flatter.

@Mike - My father went to QEGS and ended up a lorry driver; my grandfather went to QEGS and ended up a coal miner. Ossett Comp was on the whole I think an improvement; although I didn't attend university straight after school (to the headmaster's annoyance) I was the first in my family to have a Bachelor's or Master's degree.

0
0

Case proven

I thought they were a nasty money grabbing bunch of tossers.

Now I am certain.

13
0

Small claims court

Talk Talk have a legal obligation to ensure that they store personal information securely. If they didn't refund all of my lost money then I would file a claim for actual damages and distress caused by the abuse of my data protection rights in the small claims court.

10
0

Re: Small claims court

And you'd prove to the court that your specific losses were caused by the Talk Talk breach how exactly?

Don't get me wrong, TT have been grossly negligent and should be fined a huge amount by the regulator/government and some high level executives should see prison time but there have been data breaches before and I'm not aware of a single case of someone linking a financial loss to the breach.

The chances are that it's pure coincidence this gentleman had £3500 nicked a couple of days after this breach but that's not really the point of this article. To charge him, and any other customers who want to leave, an early termination charge is shockingly bad PR from Talk Talk.

7
0
Silver badge

Re: Small claims court

This appears to me to be the key point on which everything in this case rests.

The customer cannot prove that his money disappearing had anything to do with Talk Talk. It happened a couple of days after they lost customer personal details. And Talk Talk do appear to have been really slack in their security. But that's it. There is nothing that definitely shows there is any relationship between the two events.

I know everyone is keen to join in with the pile-on, and perhaps Talk Talk deserve it. But this case of the missing £3.5k is really weak and doesn't stand up to any scrutiny.

1
0
Silver badge
Stop

Re: Small claims court

You've just let TT set the agenda. The slack security (three times over the last year no less) shows they've not taken the DPA and Supply of Goods and Services Act seriously and are not competent enough to provide the service.

That aside, TT trying to charge a leaving fee after going on record as saying they wouldn't if money was taken from bank accounts on or after the 21st of October allows you to argue they're acting in bad faith.

1
0
Anonymous Coward

Re: Small claims court

I reckon he actually lost the cash in the pub on a Saturday night, and is trying to get out of the inevitable bollocking his wife wants to give him.

0
0

Re: Small claims court

The burden of proof in the civil courts is upon the "balance of probabilities" not the "beyond reasonable doubt" requirement of criminal courts.

Therefore, the fact that TT have confessed to a breach of their IT systems would be sufficient for a District Judge to ask them what, precisely, they know about what was taken. If TT cannot, or will not, answer, a DJ would be within their rights to view the claimant's loss as one of TT's making on the "balance of probabilities."

Given all of the above, TT would be insane to risk this matter being exposed in a public court so would almost certainly be advised to settle out of court on a non-disclosure basis. I'll lay odds that this is the game they are playing.

0
0
Silver badge
Stop

This needs a high court precedent set

a data breach of this magnitude should be considered a priori evidence of the failure of the company to adhere to its own data protection policy, and therefore a breach of contract.

Can we have a Judge Dredd icon? (And maybe, following Private Eye's example, a "Judge Dreadful" icon for numpty judgements?)

14
0
WTF?

Re: This needs a high court precedent set

If you are reading around, you'll see the Establishment in the English-speaking nations are not too keen on allowing "there was massive snooping/hacking/release of information and you say I have to prove harm?".

I'm not sure I know the answer, but without the negative feedback loop (i.e. via loss of cash), I don't see it improving.

Add to those problems the irrational blurb coming from the UK/USA politicians' magical thinking, and we have chaos being exploited by criminals.

P.

0
0

I wonder if Dido's bonus this year will be more than £30.20?

18
0
Silver badge
Unhappy

Lots lots more. Next question....

0
0
Silver badge

From TalkTalk:

"In the unlikely event that money is stolen from a customer’s bank account as a direct result of the cyber attack (rather than as a result of any information given out by a customer) then as a gesture of goodwill, on a case by case basis, we will waive termination fees."

The bit about 'rather than as a result of any information given out by a customer' is a nasty bit of legalese that allows them to avoid paying *any* compensation. The fraud only works because customers are convinced that the fraudsters are genuine TalkTalk reps. And the fraudsters are only in that position because TalkTalk failed to secure their data.

As soon as a customer provides a fraudster with *any* additional information on top of the names, phone numbers, account details and some bank details TalkTalk couldn't be bothered to secure - they can't request a no-fee termination of contract.

Has anyone had any success in leaving TalkTalk for claiming a breach of Section 18 of their terms and conditions which says: ‘We’re committed to protecting and preserving any information you give to us.’?

And nothing from Dido about TalkTalk repaying customers' money lost to fraudsters.

4
0
Anonymous Coward

@From Talk Talk

>In the unlikely event that money is stolen - That is irrelevant to a security breach. You don't need to prove that the data obtained was used illegally or just sat on. That the breach occurred is at issue. They are weasel words which don't count beans.

3
0
Silver badge
Devil

Fraudsters are only ringing because TT couldn't secure their data in the first place.

1
0
Silver badge

Leaving TalkTalk

"Has anyone had any success in leaving TalkTalk for claiming a breach of Section 18 of their terms and conditions"

Not that section but I simply told them that after several months of failing to provide what they had contracted to (80Mb/s FTTC), they were in breach of contract as the service was unfit for the purpose for which it was sold and if they wanted to try and impose penalties I would take them to small claims for the 13 failed contractor visits at 1/2 day each time and £50/hour during those 1/2 days based on my lost wages and holiday time.

Unsurprisingly, that shut them up, other than a bleat that their T&C had an explicit "we have no financial liability" clause - once I brought up the "unfair terms in consumer contracts" laws they went silent.

My new ISP had replacement DSL in service on day 1 of the contract and when Openreach failed to show up (as usual) they were on the case the same day, resulting in someone arriving within 4 hours of the failed visit (none of the TT "you have to wait 8 days" bullshit) and sorting it out.

0
0

If that's their good will...

...I hate to think what their ill will might be like!

10
0

Re: If that's their good will...

Well there's a picture of it atop this article.

1
0

Re: If that's their good will...

Their "ill will" is forcing you to remain as a customer...

3
0
Anonymous Coward

Where are the...

Ambulance chasing lawyers when you need them?

In any event, T-T are clearly breaking their promises to waive a termination fee. He should grab a copy of the Website and their response and take it all to the ICO and thence to the court.

T-T are still advertising on TV. Anyone signing up with them at the moment clearly needs their head examining.

7
0
Anonymous Coward

Re: Where are the...

After all the legislation limiting damages and budget cuts that made it impossible to actually get cases to trial, we bailed on the legal profession and all became IT architects, administrators and developers. Those without the talent to succeed in any of those roles became PHBs.

Personally, at this point I'm thinking a 3rd career as an auditor might be a good move.

And an opportunity for some pay-back.

0
0
Silver badge

Re: Where are the...

"He should grab a copy of the Website and their response and take it all to the ICO and thence to the court."

His _first_ visit should be to his local trading standards office.

Misleading advertising is a serious offence.

0
0

Tokenised?

Credit and debit card details were tokenised, which is a standard higher than encryption

Can anyone explain what this means? As far as I know, there are two ways of hiding sensitive information.

It can be stored as a hash of the plaintext, which can then only be recovered by finding a value that results in the same hash (rainbow tables). This process may be made more difficult by obfuscating the plaintext (salting). I can't see any reason why TalkTalk would store hashed card numbers, since the process is one-way, and the only point of storing the card number is to use it to apply a charge. Alternatively it can be encrypted, in which case the plaintext is recoverable, either by decryption or by breaking the cipher.

If the TalkTalk process "is a standard higher than encryption", what type of encryption is it better than? Caesar substitution? Is it a one-way process, in which case it's basically a hash, or two-way, in which case it's a cipher? Either way, they need to identify the algorithm: it's well known that knit-your-own security solutions are always feeble.

16
0

Re: Tokenised?

This is a description from Wikipedia https://en.wikipedia.org/wiki/Tokenization_(data_security)

Basically, it's described as a substitution process, so the real information is replaced by a "token" that has no direct relevance to the data it replaces. (e.g. an address replaced by a numerical sequence)

However, if part of the data that was stolen included the database of tokens, then effectively you've handed over the keys to the castle, so bugger all security there.

7
0
Silver badge

Re: Tokenised?

I *think* that what it essentially means is that they aren't storing the card details themselves but pass them on to their payment processor who supplies them with a code (token) related to that card's details, which they can then use to process the payments each month. This way they don't have the same level of compliance testing as they aren't storing card details themselves, and the payment processor *should* only allow transactions using the token to process payments submitted by, and directing payments to, T-T.

5
0
Silver badge

Re: Tokenised?

My guess would be they are saying there is only a pointer, index or indicator to where the actual credit card data is stored. Having only that data doesn't get you the actual credit card data, and there's no way to tell which credit card data it would be, so therefore safer than encryption which potentially could be decrypted.

2
0

Re: Tokenised?

When you take continuous payment authority on a card the token comes from the payment processor. You then keep the token and throw away the card details. The advantage being any subsequent payments are linked to that token so if it is compromised it can be revoked and the card is still safe. And the payment processor will then also know where the compromise occurred.

1
0

Re: Tokenised?

@Tony S: Thanks for the link - I didn't know about tokenisation. If the token is generated by the card company and is specific to the merchant, then it's obviously of limited value if stolen.

0
0

Re: Tokenised?

Tokenisation is a mechanism by which the secure data (in this case, and usually, the CC number, etc.) are passed to a separate part of the infrastructure (or a 3rd party) and a token is returned as a reference. The token has no intrinsic value, but can be used to utilise the secure data.

The obvious advantage of this is that a breach doesn't give out credit card info in any form, encrypted or otherwise. If someone gets access to the tokens then the part of the infrastructure (or the 3rd party, if one is being used) should only allow access to the secured data for a valid token from a valid source using some properly secured mechanism, making it relatively easy to secure the confidential info e.g. by having the secure data stored on a private, possibly non-Internet accessible network that is only accessible from the company's sites (or more likely, very specific servers at said sites).

This is a pretty common approach as part of gaining PCI compliance for companies that process CC info, but of course it is mostly only used for the credit card data, not the rest of the personal data so if the personal data other than the CC info allows people to be conned out of cash (or have their money taken directly through some route other than their CC) then it isn't a panacea.

0
0

Re: Tokenised?

I think they mean that saying your data is safe is nothing more than a token gesture!! We've seen them struggle with explanations before, you know, like that sequential attack!!

2
0

Re: Tokenised?

Tony S - yes, though any set up that has been properly designed won't allow access to the 'real' secure data using the tokens without additional authentication and/or IP based filters. I used to use a tokenised payment gateway in a previous life and getting the tokens from us would have been only one part of a pretty extensive hack. Nothing is impossible, but the tokens alone shouldn't be the keys to the castle.

Hard to comment on whether TT have done things properly, of course...

0
0
Silver badge

Re: Tokenised?

"You then keep the token and throw away the card details."

Except they kept partial details because that's what was listed as part of the data that was leaked. And those card details might be enough to persuade the recipient of a call that they're dealing with a genuine trader.

0
0
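The tokenisation scheme the thread describes (a processor-held vault, the merchant keeping only a token, a token that is honoured only from an authorised caller and can be revoked after a compromise, and partial card details still leaking alongside the tokens), written out as an added Python example; it is not code from the thread or from any real payment processor. The vault, the merchant names, the billing amounts and the card number are all constructed for the example.

```python
import secrets

class TokenVault:
    """Constructed example of a payment-processor token vault: it holds the real card
    numbers (PANs) and gives a merchant a random token that stands in for each one."""
    def __init__(self, allowed_callers):
        self.allowed_callers = set(allowed_callers)  # merchants allowed to present tokens
        self._store = {}  # token -> (merchant, pan)
        self._revoked = set()
    def tokenise(self, merchant, pan):
        # The token is random, not derived from the PAN: nothing to reverse or decrypt.
        token = "tok_" + secrets.token_hex(8)
        self._store[token] = (merchant, pan)
        return token
    def charge(self, caller, token, amount):
        # Honoured only from an authorised caller, only for the merchant it was issued
        # to, and only while not revoked: the token alone is not the key to the castle.
        if caller not in self.allowed_callers:
            raise PermissionError("caller not authorised to present tokens")
        if token in self._revoked:
            raise ValueError("token revoked")
        record = self._store.get(token)
        if record is None or record[0] != caller:
            raise ValueError("token unknown or issued to another merchant")
        return {"merchant": record[0], "amount": amount, "last4": record[1][-4:]}
    def revoke(self, token):
        self._revoked.add(token)

class Merchant:
    """Merchant side: keeps only the token and the last four digits, never the PAN."""
    def __init__(self, name, vault):
        self.name, self.vault, self.customers = name, vault, {}
    def store_card(self, customer, pan):
        token = self.vault.tokenise(self.name, pan)
        self.customers[customer] = {"token": token, "last4": pan[-4:]}
    def bill(self, customer, amount):
        return self.vault.charge(self.name, self.customers[customer]["token"], amount)

def simulate_breach():
    """Steal the merchant's customer table and report what it lets an attacker do."""
    vault = TokenVault(allowed_callers={"isp-billing"})
    isp = Merchant("isp-billing", vault)
    isp.store_card("alice", "4111111111111111")  # constructed sample card number
    legit_ok = isp.bill("alice", 30.20)["last4"] == "1111"
    stolen = dict(isp.customers)  # the breach: attacker copies the merchant database
    token = stolen["alice"]["token"]
    pan_in_dump = any("4111111111111111" in str(v) for v in stolen.values())
    try:  # attacker presents the stolen token from their own system
        vault.charge("fraudsters-inc", token, 3500)
        attacker_charged = True
    except PermissionError:
        attacker_charged = False
    vault.revoke(token)  # processor revokes the compromised token after the breach
    try:
        isp.bill("alice", 30.20)
        token_still_usable = True
    except ValueError:
        token_still_usable = False
    return {"legit_charge_ok": legit_ok, "pan_in_dump": pan_in_dump,
            "attacker_charged": attacker_charged, "token_still_usable": token_still_usable,
            "last4_leaked": stolen["alice"]["last4"]}
```

The returned dict shows the trade-off the thread circles around: the dump contains no full card number and the token buys the attacker nothing, but the last four digits do leak and are exactly the kind of "partial details" a fraudster can quote on the phone to sound genuine.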
Silver badge

Re: Tokenised?

> If the TalkTalk process "is a standard higher than encryption", what type of encryption is it better than?

Most other companies only apply ROT13 once.

2
0

What about the banks?

Not the usual "it's the bankers" angle, but surely if a bank has handed out a large stack of money to someone who was not authorised then that is the bank's fault? I seem to recall a related Mitchell & Webb mini-documentary on banks and identity theft...

It doesn't let TalkTalk off the hook but are there not supposed to be lots of guarantees etc with bank accounts and/or cards (even debit ones) such that the account holder can get a refund? Doesn't undo the hassle but surely makes it less fatal.

Actual genuine question (sorry).

2
0

Re: What about the banks?

If you're a bank and I hand you some details and an amount I want, how do you know if I'm Fraudsters Inc. or the local corner shop?

0
0
Anonymous Coward

Re: What about the banks?

It makes for a much less interesting story, but yes, the bank will have returned the £3.5K to his account, cancelled his cards and pursued the merchant for the money back and possibly reported it to the police to investigate.

Hassle, sure (happened to me recently and also my wife a month or so later), but probably not related to Talk Talk and TT certainly aren't responsible for returning the £3.5K.

2
0

So it's true.

TalkTalk is indeed cheap.

5
0
