Chaos at TalkTalk: Data was 'secure', not all encrypted, we took site down, were DDoSed

Chaos reigns at TalkTalk as the telco appears to be claiming that a distributed denial of service (DDoS) attack led to customer data being compromised – despite that being technically infeasible. A contradictory series of claims in a TalkTalk statement published this morning has suggested the company does not understand the …

  1. Rono666

    This what happens when you sack the IT people when they have done all the work.

    1. Anonymous Coward
      Anonymous Coward

      I hardly think they'd "done all the work" if the reports here of the appallingly poor measures implemented to protect stored customer data are accurate.

      1. Dan 55 Silver badge
        Alert

        Maybe they did all the work about 10 years ago and since then got someone in to give the website a nice redesign every year or two. Something nice in PHP, say, which unfortunately doesn't sanitise input.

        1. smartypants

          Languages don't 'sanitise input'...

          Programs do.

          There isn't a language out there which will prevent you doing something as silly as connecting to a DB and passing it a string straight from user input. If there's anyone out there relying for their security on a choice of language, then they're not going to last very long because it is not going to help in the slightest.

          Perhaps there are some IT bods out there patting themselves on the back right now because they don't use PHP and are therefore 'secure'. Perhaps people this clueless were working at Talk-talk too.

          1. Vic

            Re: Languages don't 'sanitise input'...

            There isn't a language out there which will prevent you doing something as silly as connecting to a DB and passing it a string straight from user input.

            There *sort of* is.

            Most SQL databases allow "prepared statements", in which the SQL command - sans data - is set up, and the data then supplied to it. This means that the parsing of command vs. data occurs long before the data turns up. Thus, once the data is applied, the DB will not confuse the two; SQL injection is obviated, even if the programmer "forgets" to sanitise the data.

            Note, however, that the term "prepared statements" can be misused: I found a Python SQL library that promised prepared statements, but actually just used string formatting to create a simple statement. The result was that the library appeared to offer the protection I've outlined above, but actually didn't.

            Vic.
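Vic's prepared-statement point, shown as an added example (not code from the thread or from TalkTalk): the same customer lookup with user input pasted into the SQL text and with a bound parameter, against a constructed sqlite3 table, plus the probe Vic's caveat calls for. A legitimate value containing a lone quote tells a library that really binds parameters apart from one that only formats strings: real binding returns the row, string formatting breaks the statement. The table rows and function names are constructed here.

```python
import sqlite3

# Constructed sample data: a tiny customer table, including a legitimate
# username that contains a single quote.
CUSTOMERS = [
    (1, "alice", "alice@example.invalid"),
    (2, "bob", "bob@example.invalid"),
    (3, "carol", "carol@example.invalid"),
    (4, "o'brien", "obrien@example.invalid"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """The anti-pattern: user input pasted straight into the SQL text.
    Command and data are parsed together, so a quote in the input
    changes the meaning of the command."""
    sql = "SELECT id, username, email FROM customer WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_prepared(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised (prepared) statement: the SQL text is parsed first and
    the value is bound afterwards, so it can only ever be treated as data."""
    sql = "SELECT id, username, email FROM customer WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def binds_parameters_correctly(conn: sqlite3.Connection, lookup) -> bool:
    """Vic's caveat: a library can advertise 'prepared statements' and still
    format strings underneath. Probe it with a legitimate value containing a
    lone quote: genuine binding returns exactly that row, string formatting
    raises a syntax error (or worse, silently returns something else)."""
    try:
        rows = lookup(conn, "o'brien")
    except sqlite3.OperationalError:
        return False
    return [row[1] for row in rows] == ["o'brien"]


if __name__ == "__main__":
    db = make_db()
    print("prepared binds correctly:", binds_parameters_correctly(db, lookup_prepared))
    print("formatting binds correctly:", binds_parameters_correctly(db, lookup_unsafe))
```

The probe is cheap enough to sit in a unit test for every data-access layer a project adopts; it catches exactly the "prepared statements that are really string formatting" library Vic describes.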

      2. John Smith 19 Gold badge
        Unhappy

        "appallingly poor measures implemented to protect stored customer data "

        Perhaps they were hoping their Chinese website spying partner would have alerted them to so much traffic, when they started running low on space to store so many users' data flows?

        "Stalk Stalk" have let their customers down.

        Again.

    2. Anonymous Coward
      Anonymous Coward

      Expect more....

      This is an all too common theme.

      1) Outsource your IT (somewhere really cheap, no dedicated resource, high staff turnover - go on guess, you know where)

      2) Get rid of the only people who know how the systems work

      3) Put in management who only see security as a barrier to cheap infrastructure, and seek to undermine it whenever they can

      4) Have no processes in place to govern anything, let alone access to sensitive data

      Been there, seen it, tried to stop it. If only they did t-shirts.....

      1. Anonymous IV

        Re: Expect more....

        You didn't work for RBS, did you?

    3. Gordon 10 Silver badge

      WHERE IS THE CIO

      And why didn't he vet the press release?

      Even if he's a PHB I would have expected clearer language than this. It's blatantly obvious that whoever wrote that release doesn't know a website from a webserver.

      Hmm - looks like they may have a "CTO" and that they are CIO-less at the moment. (Ad heavy links)

      http://www.computerweekly.com/feature/CIO-Interview-Gary-Steen-CTO-TalkTalk

      http://www.computerweekly.com/news/4500248681/Former-TalkTalk-CIO-to-lead-Police-ICT-Company

      1. illiad

        Re: WHERE IS THE CIO

        WHAT ADS??? :D :D thanks, adblock.... :) :P

  2. Anonymous Coward
    Anonymous Coward

    I blame North Korea, China or Russia, might as well get in there before it's announced.

    1. Anonymous Coward
      Anonymous Coward

      According to this article from a few minutes ago some miscreants are demanding money from TalkTalk.

      1. David McCarthy

        "Harding previously said the company had assumed a worst-case scenario that all the personal data relating to its customers was compromised until TalkTalk could confirm exactly what was taken. She has apologised to customers for the third cyber-attack affecting the telecommunications firm in the past 12 months, but said the breaches were “completely unrelated”."

        That is, only related by the fact that their security still isn't up to scratch!

    2. Oh Homer
      Big Brother

      Re: "I blame North Korea, China or Russia"

      Looks like someone beat you to it and has already blamed "Islamic extremists".

      Well, yes. Obviously.

      Basement-dwelling geeks and career criminals apparently feature very low on the British Establishment's list of likely suspects, strangely enough.

  3. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      A free subscription to identity theft protection by one of the credit reference agencies.

      1. mark 120

        Hopefully not Experian though, eh?

        1. Anonymous Coward
          Anonymous Coward

          "Hopefully not Experian though, eh"

          Experian - the Facebook of credit rating agencies.

          1. John Smith 19 Gold badge
            Unhappy

            Experian - the Facebook of credit rating agencies.

            Until Facebook takes over that task as well.

            With predictable consequences

            1. Anonymous Coward
              Anonymous Coward

              Re: Experian - the Facebook of credit rating agencies.

              "Until Facebook takes over that task as well."

              You do know that somebody in government wanted to use Facebook for reliable online identification of people?

              Presumably a senior civil servant who had been given an iPad for Christmas and now considered himself an expert on IT.

          2. illiad

            Re: "Hopefully not Experian though, eh"

            and they ask for ALL your numbers, even the one on the back - you don't really need all that cash, do you??? :D

      2. AlbertH
        Alert

        Are they for real?

        A free subscription to identity theft protection by one of the credit reference agencies.

        Bwahahahahaha!

        These cretins should be paying significant (ie: £ks) to every customer and their senior management should be in Court.

        Has anyone calculated the time required to change all one's banking details, passwords and credit / debit cards? Has anyone actually put a figure on what this will cost each customer? TT shouldn't just offer a worthless "subscription" to Experian (who are entirely useless anyway) - they should be paying serious amounts of compensation to EVERY one of their customers.

    2. sysconfig

      Maybe the crims should just call TalkTalk and cancel all those accounts, as they apparently have all the data they need to do that. That would send a message that even management understands.

      1. Anonymous Coward
        Anonymous Coward

        Maybe the crims should just call TalkTalk and cancel all those accounts, as they apparently have all the data they need to do that. That would send a message that even management understands

        But how do you know your account has been compromised? It won't be from the bank still paying them, that's standard practice for TT.

        TT kept debiting me monthly for over 7 months after I left them, it took about 2 hours of phone calls and an email to a director to stop them, the crims would be bored shitless trying to cancel more than one in a lifetime

    3. macjules Silver badge

      So what kind of compensation arrangements do TalkTalk intend to offer?

      If you would trust us (again) with your credit card details, your bank details, your home address, date of birth and other personal details then we will send you a free voucher worth 1 hour of broadband usage against your monthly bill.

  4. hatti

    sql injectydddoss thingummajig

    "the following data may have been accessed"

    Most likely unencrypted then.

    1. Anonymous Coward
      Joke

      Re: sql injectydddoss thingummajig

      Oh no, pretty sure the disks were encrypted. Surely that's all you need to do isn't it?

    2. Halfmad

      Re: sql injectydddoss thingummajig

      "may" have been accessed that age old way of softening people up before admitting it too early on.

  5. Your alien overlord - fear me

    The DDoS was actually 4 million credit card details being uploaded to the cybercrims. Takes a while and some bandwidth - obviously not that I did it or anything. Now if you don't mind, just going to pop down to the Silk Road...

    1. Lee D Silver badge

      Sadly, even 4 million credit card details could probably fit on a floppy disk in a ZIP file nowadays. The bandwidth of that is likely zero.

      However, using a DDoS to distract IT and cover your tracks while you plunder their systems? That's an interesting tactic.

      1. cmannett85

        TalkTalk stores the data by writing it down and then taking a hi-res photo of it - that's how it's "encrypted".

        1. Martin Evans 1

          Use a doctor to write it down and a pharmacist to decrypt it. 83% secure on weekends

  6. Aristotles slow and dimwitted horse Silver badge

    Rewrote it for you...

    A representative who we can now only assume will be from TalkTalk claimed it was "contacting all our customers straight away to let them know what has happened and to update all of their nice scrummy payment and user credential information. We might keep them up to date as we learn more. But we might not. As it might not actually be us."

    1. Floydian Slip
      FAIL

      Re: Rewrote it for you...

      Yep, they did contact their customers right away, by using the power of the media.

      Certainly didn't contact them in any other way

  7. David Lawrence

    The final straw

    Since they pretty much forced me to sign a two-year contract with them earlier this year, they have put their prices up twice, and now this FFS.

    It is also clear that they don't even know what actually happened and how much damage has actually been done. On the face of it, my personal details were stolen via a sustained DDoS attack. Hmm. Utter bullshit.

    Well I'm off and just let them try levying any termination fees. It's a shame as their TV box is really nice and the (fibre) broadband is pretty good too. Freeview + another ISP + another phone provider = cheaper monthly payments for me anyway so good riddance.

  8. nigel 15

    Sustained???

    They are saying this attack was sustained. In which case how was the data stolen?

    It looks to me like they were distracted by a DDoS, that is the sustained bit. Instead of pulling the servers, they were focused on that and missed the penetration. They handled it badly.

    On another note. How do you DDoS a frikin ISP.

    1. Quinnicus

      Re: Sustained???

      On another note. How do you DDoS a frikin ISP.

      Use more and bigger hammers

    2. rh587 Bronze badge

      Re: Sustained???

      "On another note. How do you DDoS a frikin ISP."

      Their applications and services are hosted on servers. Same as the rest of us. You don't have to saturate their network if your attack is designed to bog down their compute resource.

    3. Tim Jenkins

      Re: Sustained???

      "they were distracted by a DDoS, that is the sustained bit. Instead of pulling the servers, they were focused on that and missed the penetration"

      Wasn't that exactly what happened in one of the big Sony breaches, where the perps used a DDoS to hide the exfiltration of TBs of data?

      Can't imagine even 4 million sets of customer details would be within a few orders of magnitude of that size, though...

      1. nkuk

        Re: Sustained???

        Apparently it's a very common technique. Bang hard on the front door and sneak in round the back.

    4. Brewster's Angle Grinder Silver badge

      Re: Sustained???

      Pure speculation, but sending billions of password requests would look like a DDoS. And once in a while, one would succeed and the crims would get the user's data. You'd need some poor web design -- e.g. a broken nonce and a system that makes it easy to enumerate users (say nearly sequential account numbers.) Throw in some verbose logging so that the logs hit a quota and most of what's happened is overwritten or not written, because the log is full. It's a line through all the data points.

  9. MarkItZer0

    As secure as possible != encrypted

    Encryption is not a magic, all securing operation - it doesn't mean that data retrieved from the database is automatically rendered unusable. If the data was encrypted at database server or OS level (which is fine under PCI DSS), and there was an application exploit used to extract it (say SQL injection), then the database and OS would dutifully decrypt the data for the application's use, therefore the security flaw would mean the hacker gets the decrypted data anyway.

    The focus should be on application security rather than on encryption. It is possible to encrypt database rows and columns using a key from the application server. However, again as the application server needs to encrypt/decrypt per query, a SQLi attack will probably succeed. It is possible, although very difficult in practice, to implement row encryption in a web application. Complexity is the enemy of security - keep things simple and concentrate on security testing and plugging those vulnerabilities rather than adding unnecessary encryption to stored data.

    1. ZanzibarRastapopulous

      Re: As secure as possible != encrypted

      On the other hand the way that this has been reported shows that it makes sense to stick everything on an encrypted disk just so you can say "Yes it was all encrypted" with total confidence.

  10. Anonymous Coward
    Anonymous Coward

    It's the 3rd time in one year?

    What's going on there? At which point is there going to be customer backlash?

    February 2015:

    http://www.itgovernance.co.uk/blog/fraud-risk-for-thousands-of-talktalk-customers-following-data-breach-some-have-already-lost-thousands-of-pounds/

    August 2015:

    http://geekpower.co.uk/2015/08/carphone-warehouse-talktalk-leak-2-4-million-customers-details/

    1. Anonymous Coward
      Terminator

      Re: It's the 3rd time in one year?

      Surely any of their customers who have a clue about this kind of thing will have walked long ago?

    2. Shooter

      Re: It's the 3rd time in one year?

      Patience - the year isn't over yet.

  11. Anonymous Coward
    Anonymous Coward

    Password brute force

    If their description is in any way accurate, it's possible that someone was just brute-forcing the user account population against known potential candidates. Anyone know what data would be visible if you logged in as yourself? Not that we should be treating this stuff as secret in this day and age...

    1. Anonymous Coward
      Anonymous Coward

      Re: Password brute force

      Take a look at the pastebin stuff...they could see a lot of databases and the user account info was more than a screenscrape could get you...they have the customer orders table and the password change log table.

  12. Mike Wood

    Actual e-mail received from Talk Talk

    Hi,

    Here is the actual e-mail e-mailed to me this morning but only to one of the accounts I have with them:-

    Dear Mr Michael Wood,

    We are very sorry to tell you that on Thursday 22nd October a criminal investigation was launched by the Metropolitan Police Cyber Crime Unit following a significant and sustained cyberattack on our website on Wednesday 21st October. The investigation is ongoing, but unfortunately there is a chance that some of the following data may have been accessed:

    • Names

    • Addresses

    • Date of birth

    • Phone numbers

    • Email addresses

    • TalkTalk account information

    • Credit card details and/or bank details

    We are continuing to work with leading cyber crime specialists and the Metropolitan Police to establish exactly what happened and the extent of any information accessed.

    We would like to reassure you that we take any threat to the security of our customers’ data very seriously. We constantly review and update our systems to make sure they are as secure as possible and we’re taking all the necessary steps to understand this incident and to protect as best we can against similar attacks in future. Unfortunately cyber criminals are becoming increasingly sophisticated and attacks against companies which do business online are becoming more frequent.

    What we are doing:

    • We are contacting all our customers straight away to let them know what has happened and we will keep you up to date as we learn more.

    • We have taken all necessary measures to make our website secure again following the attack.

    • Together with cyber crime experts and the Metropolitan Police, we’re completing a thorough investigation.

    • We have contacted the Information Commissioner’s Office.

    • We’ve contacted the major banks, and they will be monitoring for any suspicious activity on our customers’ accounts.

    • We are looking to organise a year’s free credit monitoring for all of our customers and will be in touch on this in due course.

    What you can do:

    • Keep an eye on your accounts over the next few months. If you see anything unusual, please contact your bank and Action Fraud as soon as possible. Action Fraud is the UK’s national fraud and internet crime reporting centre, and they can be reached on 0300 123 2040 or via http://www.actionfraud.police.uk

    • If you are contacted by anyone asking you for personal data or passwords (such as for your bank account), please take all steps to check the true identity of the organisation.

    • Change the password for your TalkTalk account and any other accounts that use the same password.

    • Check your credit report with the three main credit agencies: Call Credit, Experian and Equifax. Noddle also allows free access to your credit report for life.

    Please be aware, TalkTalk will NEVER call customers and ask you to provide bank details unless we have already had specific permission from you to do so.

    TalkTalk will also NEVER:

    • Ask for your bank details to process a refund. If you are ever due a refund from us, we would only be able to process this if your bank details are already registered on our systems.

    • Call you and ask you to download software onto your computer, unless you have previously contacted TalkTalk and agreed a call back for this to take place.

    • Send you emails asking you to provide your full password. We will only ever ask for two digits from it to protect your security.

    We understand this will be concerning and frustrating, and we want to reassure you that we are continuing to take every action possible to keep your information safe. If you have any questions, please visit http://help2.talktalk.co.uk/oct22incident for more information, or you can call us on 0800 083 2710 or 0141 230 0707.

    Yours sincerely,

    Tristia Harrison

    Managing Director, Consumer

    TalkTalk Telecom Limited, 11 Evesham Street, London W11 4AR. Registered in England & Wales No. 4633015

    1. Elmer Phud Silver badge

      Re: Actual e-mail received from Talk Talk

      So, it's up to you to keep an eye on your account?

      And it's nice of TalkTalk to inform you of how to keep bad at bay, though it would have been better, in this case, for them to actually have had some bloody security themselves.

      1. Dan 55 Silver badge
        Joke

        Re: Actual e-mail received from Talk Talk

        So, it's up to you to keep an eye on your account?

        Why, would you rather Talk Talk did it?

    2. tiggity Silver badge

      Re: Actual e-mail received from Talk Talk

      "Send you emails asking you to provide your full password. We will only ever ask for two digits from it to protect your security."

      Which implies the totally insecure practice of storing passwords in plain text or at best encrypted but easily decrypted internally (and so not really much better than plaintext).

      Not that hashed passwords are safe, but at least more effort is required (and if using salts can be quite secure, esp if salts stored elsewhere so a theft of user "credentials" data needs breach of 2 systems)

      1. Padwah

        Re: Actual e-mail received from Talk Talk

        It's exactly the same at plus.net, I raised a complaint pointing out that their password security was atrocious. One of the highlights of the response was this:

        "Thank you for your further response, in regards to a question where you asked what is stopping our staff accessing your details and taking them out of the office. We are a paperless company so sensitive information cannot be written down. And all of our systems are monitored to prevent situations of fraud occurring.

        In regards to asking for a password we are only allowed to ask for specific letters from your password. A password is between 8 and 16 characters in length and depending on what you use to make up your password indicates its strength, requesting two random characters would not decrease the strength of the password.

        Then there is the fact that our chat services are very secure and only you and plusnet can view what you have written. The reason why we ask for part of your password is because it is the most secure piece of information that only you and Plusnet would know, rather than address, phone numbers, etc."

        1. h4rm0ny

          Re: Actual e-mail received from Talk Talk

          >>"Thank you for your further response, in regards to a question where you asked what is stopping our staff accessing your details and taking them out of the office. We are a paperless company so sensitive information cannot be written down. And all of our systems are monitored to prevent situations of fraud occurring."

          What? Do they have monitors walking up and down between the desks ensuring that there is no paper present and no pens or pencils? I don't believe that response for a moment. Surely they must have been laughing when they wrote that response.

        2. teebie

          Re: Actual e-mail received from Talk Talk

          "We are a paperless company so sensitive information cannot be written down"

          Holy crap!

          Presumably any follow up questions would be answered with 'we do not allow cameraphones in the office and have strict policies against our employees from remembering stuff'

      2. Anonymous Coward
        Anonymous Coward

        Re: Actual e-mail received from Talk Talk

        "We will only ever ask for two digits from it to protect your security."

        "Which implies totally insecure practice of storing password in plain text"

        Not necessarily. Each digit/letter could be hashed and salted independently; it would enable this sort of check without saving anything in plaintext or decryptable format. Now as for the odds that TalkTalk indeed did this...

    3. nigel 15

      Re: Actual e-mail received from Talk Talk

      Seems like you should be able to bill them for the time you spend keeping an eye on your accounts.

    4. Anonymous Coward
      Anonymous Coward

      Re: Actual e-mail received from Talk Talk

      ...unfortunately there is a chance that some of the following data may have been accessed:

      • Names

      • Addresses

      • Date of birth

      • Phone numbers

      • Email addresses

      • TalkTalk account information

      • Credit card details and/or bank details

      WTF do they need your date of birth?

      1. Lostintranslation

        Re: Actual e-mail received from Talk Talk

        To send you a happy birthday email, including an invitation to enjoy more of their fantastic services?

      2. JLV Silver badge

        Re: Actual e-mail received from Talk Talk

        +1

        DoB probably has to do with minors and things they can/can not do.

        However, what about:

        - not asking for DoB for that purpose and asking for a Month/Year of birth instead? I made the same remark on my last census survey - month is plenty specific enough.

        - how about everybody else clueing in that DoB is a lousy way to confirm identity, just like your mother's maiden name? Yes, it might have been usefully obscure information 30-40 years ago but now we have all sorts of basic info leaks and searchable genealogical databases can show up some pretty obscure family stuff as well. You shouldn't be getting penalized because some nimwits insist on issuing a CC with only cursory checks.

    5. Terry 6 Silver badge

      Re: Actual e-mail received from Talk Talk

      We are very sorry to tell you that on Thursday 22nd October a criminal investigation was launched

      What a terrible weaselly way to put it.

      Not, sorry we were opened up, but just sorry it's being investigated.

    6. Whiskers

      Re: Actual e-mail received from Talk Talk

      I got that email too. In HTML only - no separate text-only part - with plenty of 'remote images' and clickable links, all to http:// URLs not https:// so anyone who's looking at their web traffic will now be able to collect even more information about their customers. (Not from me of course - my email client extracts plain text from HTML and ignores the rest).

      TalkTalk only provide my landline telephone service, using BT infrastructure not 'LLU' - they aren't my ISP and never have been. Looks as though I'll be changing telco sometime soon ...

    7. teebie

      Re: Actual e-mail received from Talk Talk

      "TalkTalk will also NEVER:

      • Ask for your bank details to process a refund. If you are ever due a refund from us, we would only be able to process this if your bank details are already registered on our systems."

      'For your convenience we hold these details, in an unencrypted form, on a database that is probably on the same server as our http website.'

  13. Sgt_Oddball Silver badge

    Welp that answers a lot

    Interview on the radio over lunchtime had the MD mentioning about an SQL injection attack.

    If that's the case, it doesn't matter if the database was encrypted or not (note, encrypted, not hashed). If you can get a direct line to run queries, then unless the data is hashed as well (rendering it pretty much useless for anything other than confirming details like a password or username, unless I've missed a trick there) they've pretty much got the keys to the kingdom.

    Also, if true then what sort of trained gibbon do they have running their IT to fall prey to the most basic of basic attacks? Secondly, data siloing, ever heard of it?
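An added example (mine, not code from the thread or from TalkTalk) of the "data siloing" Sgt_Oddball asks about, which is also the practical answer to MarkItZer0's point above that disk- or database-level encryption does nothing against a query that runs through the application path, because that path decrypts on demand. The web-facing customer table holds only an opaque token and the last four digits; the full card number lives in a separate vault that only the payment path can reach, so arbitrary SQL against the customer database yields tokens, not card numbers. `CardVault` is a constructed stand-in for a separately hosted, separately authenticated store, and the card number is a constructed test value.

```python
import secrets
import sqlite3


class CardVault:
    """Stand-in for a separate store with its own host, credentials and
    audit trail. The web application never holds a connection to it; only
    the payment path does."""

    def __init__(self) -> None:
        self._store = {}

    def tokenise(self, pan: str) -> str:
        """Store the card number and hand back an unguessable reference."""
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        return self._store[token]


def make_customer_db() -> sqlite3.Connection:
    """The web-facing database: no card numbers, only tokens and last-four."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, "
        "card_token TEXT, card_last4 TEXT)"
    )
    return conn


def enrol(conn: sqlite3.Connection, vault: CardVault, name: str, pan: str) -> str:
    """Enrolment: the card number goes to the vault, the token to the DB."""
    token = vault.tokenise(pan)
    conn.execute(
        "INSERT INTO customer (name, card_token, card_last4) VALUES (?, ?, ?)",
        (name, token, pan[-4:]),
    )
    return token


def dump_via_sql(conn: sqlite3.Connection) -> list:
    """Everything an attacker with arbitrary SQL on the web DB can read.
    Transparent disk encryption would not change this result: the query
    path sees decrypted rows either way."""
    return conn.execute("SELECT name, card_token, card_last4 FROM customer").fetchall()


def charge(conn: sqlite3.Connection, vault: CardVault, customer_id: int) -> str:
    """The one path that reassembles a card number, to hand to the processor."""
    row = conn.execute(
        "SELECT card_token FROM customer WHERE id = ?", (customer_id,)
    ).fetchone()
    return vault.detokenise(row[0])


def pan_in_dump(dump: list, pan: str) -> bool:
    """Check whether a full card number appears anywhere in a dump."""
    return any(pan in str(field) for row in dump for field in row)


if __name__ == "__main__":
    vault, db = CardVault(), make_customer_db()
    enrol(db, vault, "Alice Example", "4111111111111111")  # constructed test number
    print("dump:", dump_via_sql(db))
    print("full PAN in dump:", pan_in_dump(dump_via_sql(db), "4111111111111111"))
```

The split does not make SQL injection harmless (names, addresses and tokens still leak), but it bounds what the most exposed component can give up, which is the property the thread keeps circling back to.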

    1. Chris Miller

      A tad harsh

      SQL injection may be old hat, but it is an example of weak validation of input data (see also XSS). If your site contains many thousands of web pages, the chances that there will be examples of such errors are rather high - in my experience it's unusual for a web application vulnerability assessment not to turn up multiple occurrences, whether they have the potential to be a major or a minor breach is largely down to luck.

      [Inevitable Bobby Tables reference]

    2. nsld

      Re: Welp that answers a lot @Sgt_oddball

      "what sort of trained gibbon do they have running their IT"

      One that seems to need a lot more training!

  14. astrax

    DBFA

    It might be a distributed brute force attack. The sudden deluge of traffic would (prima facie) suggest a DDoS attack, so the fact data was being leaked wouldn't necessarily be observed if the sys admins are running around like crazy to try to deal with the problem they *think* is happening. In any case, customer data was not protected as it should have been.
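The scenario astrax and Brewster's Angle Grinder describe, a distributed guessing campaign that presents as a DDoS, as an added detection example that is not from the thread. It parses constructed authentication log lines and looks for the signature that separates credential guessing from a plain flood: many distinct accounts with failures, nearly sequential account numbers (the enumeration Brewster's Angle Grinder mentions), and logins that succeed after a run of failures. The log format, IP ranges and thresholds are constructed for this example.

```python
import re
from collections import Counter

# Constructed log format (assumption): timestamp, source IP, account, result.
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) account=(?P<acct>\d+) result=(?P<res>OK|FAIL)$"
)

# Demo thresholds, not a published rule: tune against your own baseline.
MIN_FAILING_ACCOUNTS = 20
MIN_SEQUENTIAL_FRACTION = 0.5


def build_sample_log() -> list:
    """Constructed sample: 40 nearly sequential account numbers, each tried
    from several sources and failing, a few then succeeding from yet another
    source, mixed with five ordinary customers logging in normally."""
    lines = []
    for i in range(40):
        acct = 1000200 + i
        for k in range(3):
            lines.append(
                f"2015-10-21T20:0{k}:00Z 198.51.100.{i % 20 + 1} "
                f"account={acct} result=FAIL"
            )
        if i % 10 == 0:
            lines.append(
                f"2015-10-21T20:03:00Z 203.0.113.{i + 1} account={acct} result=OK"
            )
    for i in range(5):
        lines.append(
            f"2015-10-21T20:04:00Z 192.0.2.{i + 1} "
            f"account={2000000 + i * 37} result=OK"
        )
    return lines


def sequential_fraction(account_ids) -> float:
    """Share of adjacent (sorted) account numbers that differ by at most 2.
    Real customers do not log in in numerical order; an enumerator does."""
    ids = sorted(account_ids)
    if len(ids) < 2:
        return 0.0
    close = sum(1 for a, b in zip(ids, ids[1:]) if b - a <= 2)
    return close / (len(ids) - 1)


def summarise(lines) -> dict:
    """Parse the lines and collect the indicators the classifier needs.
    Malformed or truncated lines (the log-quota case) are skipped, not fatal."""
    fails_per_account = Counter()
    sources, accounts, success_after_fail = set(), set(), set()
    attempts = 0
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        attempts += 1
        acct = int(m["acct"])
        sources.add(m["src"])
        accounts.add(acct)
        if m["res"] == "FAIL":
            fails_per_account[acct] += 1
        elif fails_per_account[acct] > 0:
            success_after_fail.add(acct)  # a guess that eventually landed
    return {
        "attempts": attempts,
        "distinct_sources": len(sources),
        "accounts_with_failures": len(fails_per_account),
        "accounts_success_after_failure": len(success_after_fail),
        "sequential_fraction": sequential_fraction(accounts),
    }


def classify(lines) -> str:
    """'credential-guessing' when the three indicators line up, else
    'no-guessing-signature' (which may still be a volumetric DDoS)."""
    s = summarise(lines)
    if (s["accounts_with_failures"] >= MIN_FAILING_ACCOUNTS
            and s["sequential_fraction"] >= MIN_SEQUENTIAL_FRACTION
            and s["accounts_success_after_failure"] > 0):
        return "credential-guessing"
    return "no-guessing-signature"


if __name__ == "__main__":
    log = build_sample_log()
    print(summarise(log))
    print(classify(log))
```

The point of the third indicator is that a flood never produces a success after failures on the same account, whereas a guessing campaign that is getting anywhere must; that is the line to alert on even while the front door is being hammered, and it is also why Brewster's Angle Grinder's log-quota remark matters: if the successful login is the line that got dropped, the signal is gone.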

  15. Warm Braw Silver badge

    I'm sure former Tesco phone/broadband customers...

    ... are feeling particularly aggrieved today.

  16. mdr_reg

    TalkTalk are completely incompetent

    TalkTalk are completely incompetent, and this news doesn't surprise me in the slightest. Recently, I've been migrating my Mum's email away from TalkTalk as a.) they're useless at spam filtering, and b.) emails are taking up to 24 hours to rattle through their systems. Looking at the SMTP headers, mails just seem to disappear into a black hole for up to a day. If their mail infrastructure is anything to go by, a "DDoS" attack may have just been a few script kiddies reloading their home page and crashing the ZX Spectrum it's probably hosted on. Oh, and if you try and leave them, expect to still be billed and threatened with bailiffs for months after you cancel your contract.

    1. Elmer Phud Silver badge

      Re: TalkTalk are completely incompetent

      They are not incompetent.

      They are consistent -- there is the Tiscali effect.

    2. E2

      Re: TalkTalk are completely incompetent

      Registered specifically to endorse your statement.

      Hassled several times a day from some arseholes in the Philippines who did not even have reference to the UK credit control conversations that had the process on hold while they verified that I did not owe money.

      Statements from TT in the post threatening action had no registered company name and address, only the trading name that I traced on the web. Companies House said I could report it to "technical offences" - they should be chopping the legs off major companies deliberately doing this so that you have to go through their offshore call centres.

      Strangely the only decent people in the process were the debt recovery agency.

  17. badger31

    Woop! There it is.

    The ransom demand has just been issued. Your move TalkTalk, although I don't see what good paying up will do.

  18. Elmer Phud Silver badge

    Things move on . . .

    Now TalkTalk are being asked to cough up to get their stuff back . . .

    Where's the popcorn icon?

    (my sympathies to anyone affected by this - especially if they really have got your info)

    1. Androgynous Cupboard Silver badge

      Re: Things move on . . .

      Get their stuff back? This doesn't include their reputation, presumably.

      1. illiad

        Re: Things move on . . . (reputation)

        It is a crying shame, that 2, or even 1 month later, the 'standard idiot' will have forgotten about the incident, and think 'hey that's a good deal, the ad looks lovely...' :O

  19. Anonymous Coward
    Anonymous Coward

    I would love....

    ...the credit card companies and the ICO make a true example of them and hit them with maximum fines. That would really put the pressure on them and hopefully see a few heads roll at the top.

    But of course, the ICO are likely to say "We've had a word with them and they said they won't do it again".

    1. TVC

      Re: I would love....

      I believe that the penalty for non PCI-DSS compliance can result in the ability to process such information being removed by the bank - end of business?

  20. Jason Bloomberg Silver badge
    FAIL

    CEO on Newsnight

    Talk Talk's CEO Dido Harding on Newsnight last night appeared to be spouting this sustained DDoS had led to data being stolen nonsense. I just put it down to her not having a clue, having not had things properly explained to her, or simply confused. It certainly looked like Talk Talk were in a state of panic. At one point I could have sworn I heard her suggest all customer data had been taken.

  21. Anonymous Coward
    Anonymous Coward

    Scandalous ignorance by Talk Talk.

  22. This post has been deleted by its author

  23. Faszination

    The End - hopefully.

    Just another chapter in history for this company staffed ostensibly by a bunch of cowboys - playing fast and loose with customer's private data.

    Hopefully this will be their downfall, the industry just doesn't need a shower of morons like Talk Talk.

  24. Tim Brown 1

    data already being used?

    Don't know if this is related but our spam filters have picked up a batch of spam/malware emails all being sent from several different @talktalk.net email addresses to what appears to be a list of emails in address books.

    Could just be a coincidence or someone may already be exploiting the stolen data.

  25. 0laf Silver badge

    Might have been a couple of attacks ongoing, one being a loud distraction whilst something more subtle was actually slurping data while the managers run around screaming.

    However Talk Talk hardly has a stellar reputation for customer service or straight talking.

  26. Alfie Noakes
    WTF?

    Coincidence?

    My Dad is with TalkTalk, and several weeks ago they sent him an e-mail offering F-Secure "SuperSafe Boost" for "a tiny £2 a month". He did not take up the offer.

    Then, just over a week ago he received an (unsolicited) e-mail directly from safeavenue@f-secure.com (confirmed by the headers and not just the "From:" address), greeting him by name and offering what looks like a free 8-seat licence for "F-SECURE SAFE!".

    So if TalkTalk have passed on his e-mail address and name to a third party, what else have they given away without permission?

    mb

  27. JimboSmith Silver badge

    Warn your old and technically illiterate relatives that there might be problems

    Interestingly my parents are with Talk Talk through them having first signed up with Homechoice, which was in turn bought by Tiscali, which was bought by Talk Talk. They still have a Homechoice email address and I've warned them to be on the lookout for odd bank transactions and to change passwords etc.

    However a long while ago I had the misfortune to have to contact Talk Talk customer technical support because the broadband was dead and I was getting complaints. I had already identified that the cable (they live somewhere rural with a telegraph pole supplying their landline/BB) from the pole to the house had suffered a direct hit from something (we thought a lorry) and was no longer connected to the house. I started the phone call informing the support bloke of this and asking for a BTOpenreach engineer to visit and fix it. When asked if there was an email address that they could be contacted on that didn't rely on their broadband being functional I said yes dodderyoldfolk1922andabit@Homechoice.co.uk which is available on their smart phones.

    Bloke: "No you mean @talktalk.net don't you"

    Me: "It's what I just said it was and I can spell it out phonetically if you need it."

    Bloke: "You might want to switch to a Talk Talk email address you know"

    Me: "Why?"

    Bloke: "Well that domain's quite old you know"

    Me:"So are my parents, and that's why we don't change things if at all possible. What does the age of the domain of the email address have to do with anything anyway?"

    Bloke: "Well you know.......it might get switched off due to its age. We can't support everything indefinitely."

    Me: "How long have you worked in this job"

    Bloke: "A while"

    Me: "Do you have any qualifications in anything IT related?"

    Bloke: "I'm not sure I'm allowed to answer questions like that"

    Me: "Okay, can Talk Talk not afford to keep the payments up on the homechoice.co.uk domain? It's not really that expensive is it? My domain name is a .com and only costs ~£10 a year."

    Bloke: "I can't comment on the company or finances"

    Me: "Okay then, any news on when you can get BTOpenreach to send someone round to look at the external cable?"

    Bloke: "We have yet to determine where the fault has occurred"

    Me: "Well the first step I would have thought would be to reconnect the landline through which the broadband reaches them wouldn't you? Would you like a picture of the cable hanging down from a telegraph pole to confirm it?"

    Bloke: "................We'll send details of the first appointment available in an email to that address"

    Me: "Thank you, I have to go now my head hurts".

  28. pstiles

    Oh well, Life's What You Make It

    Can't escape it.

  29. Mark Dirac

    ICO no better

    I've not been able to get anywhere with Talktalk since their August hack of my data. So today I went to report my concern at the website of the Information Commissioner's Office.

    1st question - Have you contacted the organisation? Yes.

    2nd question - Have you received a full response? No.

    At this point, the form terminates and I am advised to contact Talktalk. I phoned the ICO for advice and the telephonist told me they always advise that people should answer "yes" to Q2, even though the truth is "No", in order to be able to continue with the form!

    What chaos!

  30. Seonid

    Old news?

    If only they had known about this some time ago...

    https://paul.reviews/value-security-avoid-talktalk/

    1. JimboSmith Silver badge

      Re: Old news?

      That's quite some response he got from the TT lady, I wonder if she is still saying that today?

    2. Dan 55 Silver badge

      Re: Old news?

      So this time last year Talk Talk was following Cameron's best practice for data at rest and in transit. Maybe encryption is useful after all.

  31. Lostintranslation

    This from a "communications" company:

    Mrs Harding (from Talk Talk) added: "I know it feels like a very long time but at Wednesday lunchtime all we knew was that our website was running very slowly, that our email system was running slowly, and that is usually an indication that someone is trying to bombard your systems to get in. So we took the decision to bring down our systems right away, we then spent the next 24 hours trying to work out exactly how someone had got in and what data they had accessed.

    FFS, put someone in front of the microphone who knows what they are talking about.

    1. future research

      "FFS, put someone in front of the microphone who knows what they are talking about."

      Nope, they won't do that. That is not the way of big business or marketing.

    2. jonathanb Silver badge

      This is Talk Talk. They don't employ people who know what they are talking about.

    3. Gordon 11

      "...but at Wednesday lunchtime all we knew was that our website was running very slowly, that our email system was running slowly, and that is usually an indication that someone is trying to bombard your systems to get in."

      They knew that the email system was running slowly on Tuesday afternoon, as I had a ticket open with them about it and the engineers were looking at it. Could that be related? (And my email was back up to speed on Wednesday...)

  32. pewpie

    Same shit different day.

    As usual from ANY telco (yes even your impervious saintly one) it's all just vile bullshit.

    Love the latest update to their posting about it.. Basically it says latest update 2pm.. and the update consisted of updating the timestamp from 11am to 2pm..

    Fuck em all...

    1. Dan 55 Silver badge

      Re: Same shit different day.

      Are they really all the same? I think I'd be more inclined to trust Zen or A&A over this shower of twatwombles.

  33. tyne

    TalkTalk Business also affected

    Just had my email from TalkTalk business which has confirmed that they're also affected. Unfortunately they've just copy pasted the email they sent to their residential customers, offering the same hopeless advice.

    Free credit checking services like Noddle don't allow you to monitor your business's credit file so don't help. It's TalkTalk's incompetence that has allowed this to happen, therefore I want to know how they plan to implement my ability for me to monitor my business's credit file without incurring additional cost.

    Like others I also want to know if I can cancel my contract without penalty as I no longer trust their competence. I also want to know how I can go about getting my details deleted from their systems permanently.

    1. Anonymous Coward
      Anonymous Coward

      Re: TalkTalk Business also affected

      Good luck. If you find out, post it.

      thanks.

  34. Michael Jennings

    Carphone and Talktalk: the same weakness?

    Okay, a few months ago there was a breach at Carphone Warehouse (okay, Dixons Carphone), and my personal data was compromised. Now there is this one at TalkTalk, and my personal data has been compromised again.

    CPW and Talktalk are separate companies, but they used to be the same company and one was spun off the other. I suspect they use a lot of the same systems, and share a lot of common code for their customer systems and/or websites. (To add to the complications, both companies are the product of a lot of mergers / acquisitions, so there are probably lots of barely compatible things lashed together as well).

    I wonder if it is possible that both data breaches came from exploiting the same/similar weaknesses. It wouldn't surprise me at all if they did.

  35. Uberseehandel

    sh1t service

    sh1t security

    is there a pattern?

    did0

  36. Anonymous Noel Coward
    Facepalm

    *sigh*

    Don't know how TalkTalk expects me to change my password if they take down the fucking page where I can only change my password...

  37. John Smith 19 Gold badge
    Unhappy

    "How our customers will judge us" as the CEO put it

    Badly I think

    This way to the egress?

  38. mrfill
    Happy

    Miss Marple thinks....

    In this episode, Miss Marple investigates stolen data from a big company in Sometown. It is only when the super sleuth asks exactly when the attack took place, that she discovers the ddos started an hour after the data loss was discovered and a huge shitstorm ensues.

    Stars Grayson Perry

    Should be on BBC3 next week....

  39. Archivist

    A fish rots from the head

    She might like to be called Dido (dildo?) Harding but she is Baroness Harding of Winscombe

    Privileged education, privileged contacts, privileged position.

    And when asked by the BBC whether compromised customers could leave without penalty she fudged her answer.

    I feel blessed to have been born in a position where I can at least reach 1 rung up the ladder, and I work very hard to make sure that each responsibility I'm given, I treat as important as my own being. Some may think I'm mad, but if this person had ethics anywhere close to those, this would never have happened.

    I have many failings too!

    1. jonathanb Silver badge

      Re: A fish rots from the head

      She studied Philosophy, Politics and Economics. Not sure how that qualifies her to run a telecoms company.

      1. John Smith 19 Gold badge
        Unhappy

        "She studied Philosophy, Politics and Economics."

        Which seems to be the course du jour for heads of MI5 and MI6

        Hmm.

        But basically learning how to write essays to prove (convincingly) that White is Black and vice versa, or why grinding the faces of the poor is essential to their (long term) economic well being.

        Useless in any real work environment but quite handy for certain kinds of companies and the civil service.

        You may (probably are) talking complete b**locks, but you will sound convincing with it.

        Wouldn't it be handy if there were a collated list of all graduates of PPE courses in the UK you could refer to?

        1. Anonymous Coward
          Anonymous Coward

          Re: "She studied Philosophy, Politics and Economics."

          "Wouldn't it be handy if there were a collated list of all graduates of PPE courses in the UK you could refer to?"

          Will

          https://en.wikipedia.org/wiki/List_of_University_of_Oxford_people_with_PPE_degrees

          do for a start?

      2. Anonymous Coward
        Anonymous Coward

        Re: A fish rots from the head

        "She studied Philosophy, Politics and Economics. Not sure how that qualifies her to run a telecoms company."

        PPE is more usually a qualification for people who think they're entitled (cf qualified) to run the *country*, not just run one of the consistently poorest-performing (in CS terms) telcos on the market.

  40. Valarian

    Wow. Just ... wow.

    Pass the popcorn please, this one's going to run for a while.

  41. Lostintranslation

    Here we go again...

    "Asked by the BBC whether customers' bank details had been encrypted by TalkTalk, [Dido Harding] said: 'The awful truth is I don't know'"

    http://www.theguardian.com/business/2015/oct/23/talktalk-hacking-crisis-deepens-as-more-details-emerge

  42. J J Carter Silver badge

    Only one outfit could be this inept...

    Did the Hoxton hipsters from GDS have a role in 'imagineering' the web site?

  43. ApatheticPlatypus
    FAIL

    Oh well yet another large company p0n3d my data

    This is a little bit boring. Honestly you would have thought lessons were learnt from other large companies losing customer data. There were lots of signs before this happened i.e. an increase in the number of fake talktalk phishing calls customers were receiving (yes I was one of them).

    Now I have yet another company telling me my data has been lost to who knows who. Would be nice if they could lose a license to ISP or something. Then have to go through a stringent set of checks before they were allowed to ISP again - footing the bill to transfer their customers to other more competent ISPs until they were relicensed. This would definitely put these companies off skimping on security! Probably only get a small fine which isn't much of an incentive for not stopping this kind of thing in the future.

    On the plus side the phishing call I received did amuse me:

    Scamguy: Hello this is talktalk there is a problem with your router

    Me: Sorry that's absolute rubbish, let’s start again, you say you are from talktalk yes?

    Scamguy: You are stupid <hangs up>

    (Yes I phoned talktalk to check it wasn't them)

  44. TVC

    How many really comply with PCI-DSS?

    Having actually read the PCI-DSS standards I find it hard to believe that everyone who stores card data actually complies. Hole in the wall outfits will often store such data in Word or Excel files or on bits of paper and larger outfits will store them in proper systems but without encryption. Doubt many chief execs or even information officers even know what PCI-DSS is.

  45. Slx

    I think people sometimes forget that many of these consumer telcos are just brands. They're plugging off-the-shelf routers, servers, voice switches together or even buying in the services from other companies and they're using BT OpenReach in the UK or OpenEir here in Ireland or other equivalents elsewhere to provide their access networks to actually reach end users.

    Most of them outsource their IT, outsource network maintenance to vendors etc then they go as far as outsourcing their customer contact centres too.

    I'd be surprised if they have much IT ability internally. They're basically just marketing and retail operations.

  46. Daniel Bower

    I hope TalkTalk are the subject of the police enquiries

    Looking at what has happened here and given that the CEO of a major ISP didn't appear to really know what 'encrypted' even means never mind whether customer data actually was the police should be investigating TalkTalk for criminal negligence.

    Dido is trying to make out she (they) are really sorry but these are really nasty criminals when in fact she is clueless about what happened and how. And isn't this the same lady who was nuzzling up to Claire what's her face when all the porn filter stuff was all the news. Christ she can't keep her own company safe online never mind my child. She needs to go - quickly.

    It could have been some Jihadists in Russia or it could have been a script kiddy in their bedroom by the looks of things.

    Truly disgraceful operation

  47. GJC
    Thumb Up

    Talk talk finally to employ encryption

    Having just bought a state of the art encryption device:

    http://www.theregister.co.uk/2015/10/23/enigma_machine_4_rotor_sale/
