TalkTalk hush-hush on compo for up to 4 million customers after mega cyber attack

TalkTalk boss Dido Harding went from one Blighty news broadcaster to another on Friday, admitting that the budget telco had screwed up but declining to commit to compensating customers affected by the major criminal attack on its system. The ex-jockey claimed that it was too early for TalkTalk to know the extent of the …

  1. Zog_but_not_the_first Silver badge
    Facepalm

    "Management" 21C style

    If it's steady as she goes, trouser massive pay and bonuses. If something goes wrong, it's somebody else's fault.

    What do these people do?

    1. Anonymous Coward

      Re: "Management" 21C style

      What do these people do?

      I don't know, but apparently it was worth £6.8m last year.

      Nice work if you can get it.

  2. Mark Allen

    Scam Emails

    So when will be the first batch of fake phishing emails with TalkTalk logos on them?

    If I was the scammer I would be readying a whole batch of emails "From TalkTalk Compensation Team" asking customers to login to my fake talk talk site to hoover up even more data. I expect wording the emails as a claim for compensation should hook a good number of people in.

    This is going to be an interesting few months for TalkTalk customers.

  3. Lysenko

    Fantasy CEO...

    "I've been looking through the departmental budgets and obviously I'm missing something: at first glance it appears we are spending more on marketing and executive bonuses than on security!

    Obviously that's insane so, like I said, clearly I'm missing something?

    ... I AM missing something ... right ??!!??"

  4. Warm Braw Silver badge

    And they're pushing customers towards "Noddle"

    As part of the "mitigation" for the breach, TT are offering people a year's free "credit alerts" if they sign up with Noddle. What they don't appear to be telling their customers is that Noddle partly finances its "free" basic service by targeting you with advertising (you will be provided with money saving offers and vouchers online) and encouraging you to participate in their "confidence rating" service which will direct you to products provided by carefully selected third party providers, including credit cards and loan products.

    For a further fee, which isn't part of the TT deal, Noddle offers its Web Watch service which provides notification if your personal data is being traded or being sold fraudulently on the Internet, chat rooms, bulletin boards and file sharing sites. However use of this service involves the transfer of your information outside the European Economic Area [specifically, to the US].

    I'm not sure this is the kind of "identity protection" TT's customers might have chosen for themselves. There does seem a possibility they may be exchanging TalkTalk for StalkStalk.

    1. david bates

      Re: And they're pushing customers towards "Noddle"

      Which reminds me... Seeing as I and many other people have pointed out the potential problems with Plusnet security, and have been informed that it is safe, I need to write to them and point out that when they get hacked, 12 months free with a credit check agency is NOT going to cut it.

        1. Anonymous Coward

        Re: And they're pushing customers towards "Noddle"

        Seeing as I and many other people have pointed out the potential problems with Plusnet security, and have been informed that it is safe

        Write a letter to the ICO. A proper, paper letter, addressed to Christopher Graham. Copied to Plusnet's company secretary. That should spark some interest.

    2. Anonymous Coward

      Re: And they're pushing customers towards "Noddle"

      If I were more into conspiracy theories, I'd go further and suggest Noddle was behind it, to steer business their way, expanding the customer base in new, creative ways :)

    3. Anonymous Coward

      Re: And they're pushing customers towards "Noddle"

      And besides that, I've taken up the 'free for one year' Noddle offer for alerts from TT. Only to see that whilst Noddle got my current account and credit card, it doesn't show my mortgage and mobile phone.

      So what confidence is there that it actually provides the correct alerting?

  5. Your alien overlord - fear me

    On Saturday morning on the local radio station (via Sky news I think), there was a woman who claimed her bank account had been wiped out and left her overdrawn. Time for Dido to do something.

    1. Anonymous Coward

      You believe it?!!!! The information allegedly leaked did not include bank passwords, to which Talktalk have no access.

      1. Anonymous Coward

        You believe it?!!!!

        It's possible. Remember how Clarkson challenged world + dog that just knowing his account number wasn't a security risk, and was then proved wrong?

        http://www.telegraph.co.uk/news/uknews/1574781/Jeremy-Clarkson-eats-his-words-over-ID-theft.html

        1. Warm Braw Silver badge

          Clarkson

          To be fair, it wasn't really a risk. What happened is that someone set up a Direct Debit in his name. The Direct Debit Guarantee makes it explicit that he'd get his money back immediately - it's there precisely because the conditions for setting up a Direct Debit are lightweight.

          What is a real risk is someone using the purloined identity details to convince the victim to hand over additional financial information "voluntarily" - at which point everyone else will wash their hands of any responsibility - or to blag their way into getting the passwords on banking and similar accounts reset.

      2. BlartVersenwaldIII

        > You believe it?!!!! The information allegedly leaked did not include bank passwords, to which Talktalk have no access.

        Picture the scenario; person with no inkling of good security practice uses the same 10-char password for her TalkTalk account and her bank. TT account gets hacked and reveals her bank, account number, sort code, address, DOB. Probably some lame-arsed security questions too. Attacker now has all of the creds necessary to get access to a bank account, probably enough extra info to change everything else.

        If all the e-cyber i-heists x-haXx0rz of the last ten years have told us anything it's that password re-use is pretty standard. And if the TT hack is as total as their continued silence is making it seem I'd expect a good few thousand people to have their accounts hit in the next few days; if not then it's probably just coincidence and her account was compromised in some other way.

    2. Doctor Syntax Silver badge

      Similar reports in today's (Saturday's) Times.

    3. Ivan Headache

      If it's the same woman I saw on BBC news at lunchtime

      I got the impression that she had fallen for some social engineering trick.

      It doesn't take the hack of a database to find out that someone is a TT customer, or their phone number and address. It's also very easy to find a DOB nowadays. Sort codes and account numbers might be a tad more difficult, but we know from Watchdog and You & Yours that people are more than willing to give that info over when asked in a courteous and professional manner.

    4. Gordon 11

      On Saturday morning on the local radio station (via Sky news I think), there was a woman who claimed her bank account had been wiped out and left her overdrawn.

      Well, one report I read was of a woman who claimed to have lost £600(?) last Sunday as a result of this - despite that being a few days before the incident actually occurred (a small detail that seemed to be missed by the reporter).

      Remember how Clarkson challenged world + dog that just knowing his account number wasn't a security risk, and was then proved wrong?

      I do - although no-one has ever explained how information that has been on every cheque that I have ever written could give anyone access to my account.

  6. Dan 55 Silver badge
    Mushroom

    "millions of databases"

    But she later corrected that number to "literally hundreds of databases".

    They are obviously incompetent.

    If I were with Talk Talk I would port out and say I'm not paying the termination fee if there is one, because three hacks in a year, a boss who talks about "hundreds of databases", and the very real possibility of identity theft is not a service which is fit for purpose under the Sale of Goods Act. And if they were to say they're still going to charge me a termination fee for leaving then I would tell them I'm cancelling the direct debit and they can send me an invoice if they want to, but I'm refusing to pay it and they can take me to court if they still want the money. And then we could talk about the legal action that could be taken against them if any identity theft does occur. Fuck 'em.

    1. Ian 55

      Is leaving them enough?

      Having left them - for reasons that should be obvious to anyone who's used them - last year, I am wondering whether the stolen customer data includes ex-customers and, if so, how far back...

        1. Anonymous Coward

        Re: Is leaving them enough?

        "I am wondering whether the stolen customer data includes ex-customers and, if so, how far back..."

        I bet they promise to delete your data when you leave them. As all reputable companies do, ho-hum.

  7. Steve 114
    Headmaster

    But Seriously

    Business School case studies examine disasters (we had Singer Sewing Machines - it was that long ago). Now... your name is Baroness Dido - what do you DO? Hindsight is forbidden in your answer, also no paying McKinsey, or doubling salaries for IT grunts. No, very seriously, if YOU want to be a Boss, and even if you didn't bother to clock a PPE between youthful rides, what do you do NOW?

    1. Lysenko

      Re: But Seriously

      1) Get a briefing from IT and Legal so I don't stitch up the company in terms of liability insurance or appear like an idiot by mixing up a DDoS with a data theft and talking about "hundreds of databases" (which I certainly hope isn't true).

      2) Ban Marketing and PR from saying anything (reasons: see 1).

      3) Identify sacrificial goats. This would be whoever proposed the last reduction in "administration" expenses. Bonus points here if an external Management Consultancy or activist shareholder can be hung out to dry. Ideal solution - pin it on Bankers somehow. Remember that the public (i.e. customers) like seeing "suits" lynched, not engineers.

      4) Offer indemnities as far as possible, subject to Legal advice. Do not involve anything that the opposition can spin as further ID snaffling.

      5) Offer carte blanche, penalty free early contract termination. Undecided customers will respect it and those who really want out will leave anyway because trying to enforce the penalties would be an even bigger PR disaster and might even fail in court.

      6) Announce credible steps towards future recurrence with a visible hair shirt element. Bonus and dividend cancellations to the fore.

      7) Assume a sharp, short term fall in the stock price. Preventing that is impossible so worrying about it is irrelevant. Adopt a price target for Q2 2016.

      1. Anonymous Coward

        Re: But Seriously

        Announce credible steps towards future recurrence

        That's what they evidently did after the last two data breaches.

    2. Doctor Syntax Silver badge

      Re: But Seriously

      "No, very seriously, if YOU want to be a Boss, and even if you didn't bother to clock a PPE between youthful rides, what do you do NOW?"

      In her situation, resign. It ought to be expected of her. The interviews on her round of the media should have started along these lines:

      Interviewer: Let me start by congratulating you on your promotion.

      Her: I haven't been promoted.

      Interviewer: But aren't you the new TalkTalk CEO?

      Her: I'm the CEO but I've been CEO since whenever.

      Interviewer: Oh, I'd assumed that a CEO in charge of a shambles like this would have resigned immediately. Let me start by asking you why you haven't resigned.

      1. Vic

        Re: But Seriously

        In her situation, resign

        I'd announce my resignation - but 8 weeks hence.

        If she has any integrity whatsoever, her job is toast. But by staying on to deal with the fallout of her bad decisions, she would gain some credibility. And there is no doubt that she would be trying to do the right thing - since she has already resigned...

        Vic.

  8. Allicorn

    Update: As far as we know

    "As far as we know" is not a phrase that carries much value right now, Mr TalkTalk bod.

  9. spot

    What a pack.

    Well there was Dido, Fido, Bonzo and Rex, Rover and Lassie and Spot. There was Butch, there was Candy, there was Patch and there was Sandy, these were the Talk-Talk executive officers what I had got.

  10. Anonymous Coward

    You could almost believe that businesses are not all the same and hence those at the top cannot move between them at a whim; surely not.

  11. J J Carter Silver badge
    Paris Hilton

    Sack her

    £7m a year and utterly incompetent.

    Paris as she's keen on riding too.

    1. david bates

      Re: Sack her

      Misguided more like. She obviously likes her face on telly, but she'd have been better advised to shut up and look concerned while standing alongside someone who knew what they were talking about.

      She's doing Women in STEM no favours

      1. John Brown (no body) Silver badge
        Alert

        Re: Sack her

        "She's doing Women in STEM no favours"

        She's not STEM, she's PPE. Same as Cameron and most other senior politicians. This is something which needs to be shouted from the rooftops as a demonstration of why PPEs should have no involvement with anything STEM related.

  12. Anonymous Coward

    As far as we know this isn't connected.

    Plain English: I have no f... clue, but I HAVE to say something positive!

  13. Fruit and Nutcase Silver badge
    Coat

    Closing the stable door after the horse has bolted?

    Well, certainly there is equine expertise at the top. Better late than never.

  14. alpine

    Storm in a teacup

    Hysteria, encouraged by farcical 'reporters' at the remains of the Telegraph and the Times (very keen to encourage people to move to Sky, of course).

    As a happy Talktalk customer for 5 years plus, TT have confirmed by email today:

    • The number of customers affected and the amount of data potentially stolen is smaller than originally thought. Our website was attacked, but our core systems weren’t and remain secure.

    • On its own, none of the data that may have been accessed could be used to leave you financially worse off.

    • We don’t store unencrypted credit or debit card data on our site, so any card details which may have been accessed have the 6 middle digits blanked out. For example, it would appear as 012345XXXXXX6789. This means it can’t be used for financial transactions.

    • No My Account passwords have been accessed.

    • No banking details were taken that you won’t already be sharing with people when you write a cheque or give to someone so they can pay money into your account.
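The masking format quoted in that email (first six and last four digits kept, the middle six replaced by X) is the kind of thing a defender would want to verify rather than take on trust. The following is an added Python example, not TalkTalk's code or anything from the commenter: it masks a card number exactly as the email describes, then scans a constructed set of records for card numbers that were left unmasked, using a Luhn check so that other 16-digit values (an order id, say) are not flagged.

```python
import re

# Mask a 16-digit card number the way the quoted email describes:
# keep the first six and last four digits, blank the middle six.
def mask_pan(pan: str) -> str:
    digits = re.sub(r"\D", "", pan)
    if len(digits) != 16:
        raise ValueError("expected a 16-digit card number")
    return digits[:6] + "XXXXXX" + digits[-4:]

# Luhn checksum: real card numbers pass it, random digit runs usually do not.
def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# 16 digits, optionally separated by spaces or dashes, not inside a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")

# Return every unmasked, Luhn-valid card number found in the text.
# Masked values such as 012345XXXXXX6789 never match, since the X's
# break the digit run.
def find_unmasked_pans(text: str) -> list:
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

# Constructed sample export, using the standard Visa/Mastercard test numbers
# rather than any real card; line 3 is a 16-digit order id, not a card.
SAMPLE_RECORDS = """\
cust=1001 card=012345XXXXXX6789 status=masked
cust=1002 card=4111 1111 1111 1111 note=legacy export
cust=1003 order=1234567890123456 ref=not a card
cust=1004 card=5555-5555-5555-4444 note=debug dump
"""

if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))      # 411111XXXXXX1111
    for pan in find_unmasked_pans(SAMPLE_RECORDS):
        print("unmasked card number found:", mask_pan(pan))
```

Run over a real export the scanner would of course report only masked forms, as the last line does, so that the finding itself does not become another copy of the data.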

    1. Anonymous Coward

      Re: Storm in a teacup

      Unfortunately, speaking as someone who has more than a passing insight into this industry, I can tell you now if someone really did gain access to the network there WILL be files on there that have unencrypted information, and there is a chance that that information can be found and used (more likely in a social engineering capacity than direct bank access, but I wouldn't rule that out either). I know - I have seen identical situations with my own eyes (hence A/C).

      The people at the top only care about money they are earning for themselves. The shareholders are only worried about their dividends. They don't give a crap about anyone else, and they WILL cut corners, and they WILL under-invest in areas such as security (which, let's be honest, is not cheap, but it is necessary).

      If nothing else, I would urge caution.

  15. jtool

    talk talk scam e mail?

    I'm a talk talk customer, just had an email from them advising me to sign up with noddle.

    The email explains how to do this and one of the steps involves entering passwords and banking / financial details! As if.

    1. This post has been deleted by its author

  16. Screwed

    I've been pinching myself overnight. Did I really hear Dido on Radio 4 say something like: "The criminals might have enough information about your bank account to pay in but could not get any payments out".

    Have been trying to imagine all these criminal hacker gangs beavering away to be able to put credits into customers' accounts. Hmm, maybe not.

  17. Andrew Jones 2

    What about ex-customers?

    What I want to know - so far pretty much everything has focused on existing customers - but what details did TalkTalk hold on ex-customers? Do TalkTalk have bank account details in their databases for people who used to be customers? We only left them about 3 months ago - could El Reg possibly find out how long they retain details on ex customers? (We were a business customer, migrated via Pipex and Opal)
