back to article TalkTalk downplays extent of breach damage, gives extra details

TalkTalk has finally provided some information on the amount and type of information breached in last week's cyber attack, downplaying the size of the incident. "[Our] responsibility last week was to inform all customers as quickly as possible" began the company's statement, despite the thorough lack of expedition in the …

  1. Anonymous Coward
    Anonymous Coward

    The headline picture just makes me want to reach for the nearest half dozen eggs or rotten bit of fruit and hurl it at the screen.

    Didi the dodo, go go a now now.

    The face complete corporate indifference toward the customer.

    1. Camilla Smythe

      Allow Me..

      Gimp|Iwarp

      ...Erm... Nope.

      ...Erm... Nope.

      ...Erm... Nope.

      ...Erm... Nope.

      ...Erm... Nope.

      Bugger!1

      ...Erm... Nope.

      ...Erm... Nope.

      ...Erm... Nope.

      That's strange. Every attempt improves her.

  2. Anonymous Coward
    Anonymous Coward

    "highly unlikely event that a criminal attempts to defraud them" sorry but birthdate is incredibly sensitive and useful for identity theft. Its not highly unlikely at all, in fact it is very likely that this infomation will now be used!

    Its not up to talktalk to judge how important people's private details are, they should be taking the proper precautions to protect the data as they have a duty by law to do so and if they don't receive a significant penalty for this it is saying to other companies that they can cut corners and not bother looking after our data properly too.

    After being hacked twice recently they should be on guard now more than ever and yet it is so lax a couple of 15 year olds can get in!? If the words 'appropriately protected' in the law need a less vague definition let us start defining it now by saying this was not appropriate protection!

    1. Badvok

      "sorry but birthdate is incredibly sensitive and useful for identity theft"

      Yes, it is one of the factors used in identity theft, however given a full name to work from it is very, very easy to obtain from public records.

      1. Anonymous Coward
        Anonymous Coward

        "...given a full name to work from it is very, very easy to obtain from public records."

        Yes, but if you've been given 1.2m ready made name/addresses/dob combos on a plate, that's easier than looking up 1.2m names and addresses.

      2. auburnman

        Economy of scale. If criminals have access to a thousand real names they are less likely to do anything with them as they'd have to look them up in public records manually or pay an underling to do it, which would take a while, cost time/money and possibly attract attention. Give them a thousand names with birthdays already associated with them, and there's more likely to be trouble for some poor souls.

      3. Anonymous Coward
        Anonymous Coward

        Birthdates Not So Private

        And many people willingly post their's on Facebook and don't secure it, go figure...

  3. Anthony Hegedus Silver badge

    She's not telling the truth

    The truth is that the bank account details CAN easily be used by criminals; they just sell things like insurance policies from reputable companies to punters in a pub, at ultra cheap prices. The crims use the stolen bank account details to set up the direct debit, the insurance company sends out the policy to the unsuspecting punter, the punter pays the crims, and the crims run away and hide. A few days later the insurance company realise it's a fraud and cancel the agreement.

    And the names and emails and phone numbers can be easily used to call up the customer and convince them that they're calling from talktalk. And because they're indian call centres, the customer won't suspect a thing - they sound just like talktalk's real call centres.

    Now what talk talk should do is let ANYONE leave them without contract penalties and they should start to wind up their indian call centres. No less than that.

    1. Richard Parkin

      Re: She's not telling the truth

      "Now what talk talk should do is let ANYONE leave them without contract penalties " doesn't solve anything as they still have your details, as has been discussed here you are now an ex customer. If you cancel anything it should be your bank/credit card account.

    2. albacore

      Re: She's not telling the truth

      I don't see why your first paragraph should be of any concern to a TalkTalk customer. The only person who loses out seems to be the kind of idiot who would buy an insurance policy of some bloke in a pub, ffs.

      Let's get real, folks.

  4. Anonymous Coward
    Anonymous Coward

    If she's "only worried about our customers"...

    Then why is she trying to minimise the breach:

    Less than 1.2 million customer email addresses, names and phone numbers

    That's 2-3% of the adult population of the UK, I'd say that was a significant breach.

    As for the 15-20k poor beggars whose date of birth and bank account details have been spewed, that might be small number (of little people) for the Baroness, but it'd be quite a big crowd if they turned up at her office to have a word.

    So, state of play on the past few months of data breaches in the UK:

    TalkTalk = Incompetent wankers

    Carphone Warehouse = Incompetent wankers

    British Gas = Incompetent wankers

    All other companies = ?

  5. psychonaut

    Less than

    Is that like when they say "up to" when quoting their bb speeds?

    They should change their speed estimates to this format.

    "Yes sir, we will be able to supply you with less than 8mb broadband"

    It would be more accurate

    1. TechnicalBen Silver badge
      Thumb Up

      Re: Less than

      If TalkTalk caused the entire market to be forced to follow that method of advertising, I'd join them just for the irony.

  6. mark 120

    Middle six digits removed? I hope they meant to say that only the first six and last four digits were stored, as otherwise that's a(nother) breach of PCI rules.

    1. Badvok
      FAIL

      Oh dear, how poor maths ability is these days, looks like some can't even do basic maths.

      1. auburnman

        Not all cards are sixteen digits. The vast majority yes, but not all. So removing 6 digits <> only storing 6 + 4.

      2. mark 120

        Evidently

        If you've got an 18 digit PAN, as with some Visa issued cards, and remove the middle six, how many digits are left?

        1. Badvok

          Re: Evidently

          Oh well learn something new every day, since the major two, Visa and Mastercard, only ever use 16 digits and most online shops only accept 16 I made a false assumption that it was standard :(

  7. JeffHome

    Lemme help out with that press release Talk Talk

    - More than 20,000 unique bank account numbers and sort codes

    - More than 27,000 obscured credit and debit card details (as previously stated, the middle 6 digits had been removed)

    - More than 14,000 customer dates of birth

    - More than 1.1 million customer email addresses, names and phone numbers

    1. Timmy B Silver badge

      Re: Lemme help out with that press release Talk Talk

      A fine piece of editorial work there. But don't expect a job offer from Talk Talk any time soon...

    2. h4rm0ny

      Re: Lemme help out with that press release Talk Talk

      This might be cynical but who checks that these figures are correct? And would we hear about it if they weren't?

      For all that I know (and this is probably right), these figures are some sleep-deprived IT person pooring through logs and saying "well if this, then probably that..." Which is fine, but is there some sort of proper investigation that takes place that would inform us if said IT person were wrong? Or TalkTalk had slanted the truth?

  8. Gnomalarta
    Thumb Down

    Customer Service

    I still can't get to my account to find out how long it is until I can leave the careless data shippers!

    1. maffski

      Re: Customer Service

      The contract you signed included clauses based around data protection - unless they can be be sure your details were not in those copied then you may be able to claim breach of contract by Talk Talk - MSE

      1. LucreLout Silver badge

        Re: Customer Service

        you may be able to claim breach of contract by Talk Talk

        I'd just tell them they breached the contract, cancel further payments and explain that if they tarnish your credit rating or refer the matter to debt collectors, then you will sue. Chances are good they'll sod off at that point. If they don't, then just sue them because the odds of TalkTalk wanting to appear in public court over this issue are slim to none.

  9. Ol'Peculier
    Mushroom

    Less than 21,000 unique bank account numbers and sort codes

    21,000 too many.

    Less than 28,000 obscured credit and debit card details (as previously stated, the middle 6 digits had been removed)

    Less than 21,000 unique bank account numbers and sort codes

    28,000 too many.

    Less than 15,000 customer dates of birth

    Less than 21,000 unique bank account numbers and sort codes

    15,000 too many.

    Less than 1.2 million customer email addresses, names and phone numbers

    Way, way too many.

  10. Simon Davidson

    Luhn Check to Retrieve card details

    I don't understand how they say credit card details are safe if they have only masked 6 digits. It would be relatively trivial to work out valid remaining numbers by simple luhn checking. Find a particular card that has relatively few valid luhn options (using the existing details) and reverse the encryption based on that. I believe PCI-DSS should be much more restrictive than it currently is and not allow masked details to be included in the same detail as the encrypted card number as you are basically making breaking the encryption easier.

    1. Alister Silver badge

      Re: Luhn Check to Retrieve card details

      believe PCI-DSS should be much more restrictive than it currently is and not allow masked details to be included in the same detail as the encrypted card number as you are basically making breaking the encryption easier.

      I think you are misunderstanding.

      The encryption is applied to the stored data, which is only the first 6 and last 4 digits. There (should be) no circumstance where the full card number is stored in any format.

      Whether Talk Talk followed this is, of course, open for discussion.

      1. albacore

        Re: Luhn Check to Retrieve card details

        This doesn't make sense. What would be the point of storing only a partial card number? Surely you need the full card number if you are going to use it.

        Perhaps you could point to the pci statement that backs this up. Or explain how Amazon manages get payments authorised without storing the full card details?

        1. DaLo

          Re: Luhn Check to Retrieve card details

          "Or explain how Amazon manages get payments authorised without storing the full card details?"

          Yes you can store full credit card details with encryption and expiry dates. You are not allowed to store the CV2, even if encrypted, with the credit card number.

          However, you can make further transactions, as a retailer, using existing card details. You store the basic card details - masked and associate with an ID. When a customer confirms that they want to pay using Visa 44433xxxxxxx1111 you send the request to your merchant services using the ID instead of the actual card number (which you don't hold). Your merchant services company uses this ID to actually send the card details on to the acquirer to make payment. This is ID is linked to you as a merchant and could be used by other companies as a separate merchant/ID combination will point to a different card number. It can also be set to expire after a certain length of time to make it temporary, a different merchant would not, generally, be able to process that ID though so stealing it has little benefit.

          The IDs are also generally the same style as a credit card number and pass the Luhn check so back end systems can accept them with little or no development work.

          It's called tokenisation.

      2. Matthew Hall

        Re: Luhn Check to Retrieve card details

        I think *youre* misunderstanding here. Storing the full PAN is perfectly acceptable within the PCI DSS. Storing it unprotected is not however. Protection can be provided through hashing, encryption, tokenisation, etc. Masking the middle digits essentially makes the information useless for fraud, as it is no longer cardholder data.

    2. Andy france

      Re: Luhn Check to Retrieve card details

      The reason why you don't understand is that you don't understand Luhn codes. The Luhn code is a single digit appended to the number. Luhn codes are intended to catch common typos. They can detect/correct a single digit error or a pair of transposed digits but are not capable of supporting Hollywood style hacking magic.

    3. Anonymous Coward
      Anonymous Coward

      Re: Luhn Check to Retrieve card details

      That wouldn't really work in reality. If you had the first 6 and last 4 digits and then filled out the middle six with all possible combinations you'd create 1 million possibilities, with 100,000 passing the luhn/mod10 check. You've got no idea which ones are valid until you try to authorise them with an acquiring bank. You could generate all possible 10^16 credit card combinations and do the same, but you'd never get any authorised against an acquirer for a transaction with no further authentication data (CVV/Expiry/Name/Address, etc).

  11. Anonymous Coward
    Anonymous Coward

    But... where are the lawyers?

    And the class action lawsuits....

    Oh silly me, this is not allowed here.

  12. Anonymous Coward
    Anonymous Coward

    Good faith from Talk talk

    in a gesture of good faith, and to reassure it's customers, Talk Talk has decided to publish the same details for every single manager.

    Wait, I got that wrong ...

    1. h4rm0ny

      Re: Good faith from Talk talk

      I don't think that would be a good idea. I mean if you know the TalkTalk manager's date of birth, you probably know their password and PIN, too.

  13. Your alien overlord - fear me

    So, the figures show that they only have about 20,000 paying customers. The churn is 1.2 million customers and like Madison Ashley, they keep your name, email and phone number to sell to scum rather than deleting it when you leave.

    This is why TalkTalk was so dismissive that it was a massive breach, they don't really have a massive customer base.

  14. JimboSmith Silver badge

    I would love to get my folks off of Talk Talk, the problem is they have an email with TT and being old making any changes to anything technical like that will cause untold problems for them.

  15. Chronos Silver badge
    Flame

    Why the giddy frig...

    ...does an ISP need your date of birth? You're obviously old enough to be paying the sodding bills. At some point there has to be a stop put to this nonsense of dragging as much personal data out of customers as possible. You can't even buy a Mars bar these days without some pillock wants your post code and inside leg measurement.

    Also, why was this data Internet facing? If you must have someone's date of birth, they're not going to want to change the bloody thing in "My Account" are they? Oh, sorry, I'm a reborn Christian. My new date of birth is...

  16. Captain Badmouth
    FAIL

    Reading between the lines...

    "To date, two teenage suspects, a 15-year-old and a 16-year-old, have been arrested in connection with the incident."

    To date, one middle-aged suspect with a technical mental age of a 5-year-old has not been arrested in connection with the incident.

    Fixed, with apologies to 5 yr-olds everywhere.

  17. O RLY
    Headmaster

    "Fewer than", not "less than".

  18. Maldax

    Lock your credit records

    You should be able to lock your credit record so any credit check will be refused. Then when you do want and credit log on and unlock it! (All my idea and I will sue)

    1. VeryOldFart

      Re: Lock your credit records

      Good advice - these details will be out there forever - I did the same thing after the Anthem hack. - please don't retroactively sue me ;)

  19. Kaltern

    Just found an unauthorised transaction for Orange Home on my account (£93), on a debit card that was destroyed a long time ago. Oddly enough , this card was used when I had a TalkTalk Business account.

    Coincidence?

  20. Spiny_Norman

    Is it just me or does Dido look especially like a bloke in drag in the picture for the article?

  21. ThorWarhammer

    Ah Dido Dildo Lilo whatever your name is this makes it all OK then

    Still pretty crappy for all your clients who've lost sensitive info due to your 7 mil a year paycheque, that's taken a chunk out the security budget!

    Oh & ask the Transvestite, who's just been switched out of the mens prison for some styling and make up tips, she can help you no end..

    Back off to watch the rugby now.

  22. Captain Badmouth
    Facepalm

    News just in..

    According to the papers this morning (Sat.), one group of "hackers" accessed a TT admin a/c with user name and password of "tim".

    So does Tim get a rocket up the a**e or a promotion, out of harms way?

    Inquiring minds want to know.

  23. albacore

    Does anybody here have a clear idea of the nature of this breach? How was it achieved? I can't help thinking that quite a lot of the debate is down to different assumptions about what has happened.

    1. dd88ddd

      They've said openly that is was a SQL injection attack

      reported by el reg no less:

      http://www.theregister.co.uk/2015/10/26/talktalk_sequential_attack/

      1. albacore

        Thx dd88ddd

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019