That Dido photo
I just want to pull that little hair out of the right side of her chin... Does anyone else see that?
TalkTalk is trying and failing to mend its broken customer relationships following the recent mega breach, in one case offering an individual who had £3,500 stolen from his personal bank account £30.20 as a “good will gesture [and] final settlement” by way of compensation when he tried to get out of his contract. Ian …
The first little pig built her house out of straw.
Presently came along a wolf, and knocked at the door, and said:
'Little pig, little pig, let me come in.' To which the pig answered:
'No, no, by the hair of my chiny chin chin.' The wolf then answered to that:
'Then I'll huff, and I'll puff, and I'll blow your house in.'
So he huffed, and he puffed, and he blew her house in, and ate up the little pig.
"Internet comments FTW, or not, as the case may be.
You guys are disgusting."
No, as a shareholder in the company who does not give a monkey's fuck about what it does to the customer as long as it makes me a profit I expect the bint to put some make up on when she has a photo opportunity....... Unless you are suggesting she does not have to because she knows what she is talking about.
Fuck me. Even Theresa May makes an effort.
I wonder how many customers they will have left in 6 or 12 months time? And if they do have any, why? If I had been a TT customer I would be leaving ASAP, contract or not.
It really is time that CEOs and their direct reports were held to account for their actions or inactions. And all this bull about sophisticated cyber criminals and they have so far arrested a handful of 15/16 y.o's.?? WTF?
"arrested a handful of 15/16 y.o's.?? WTF?"
And we hear nothing about their actions and connections. How did the plods connect these kids actions? Seems like a blind man shooting in the dark...
It feels like these teenagers are the low hanging fruit, and probably only participated in the DDoS, and not the data slurp.
You kids light the bag of shit on fire at the front door.... I'll wait at the back door ;-}
I wonder how many customers they will have left in 6 or 12 months time?
It should be flat dead zero this time next week.
Seriously TT customers, just write to them regarding breach of care, breach of the DPA, and your view that it forms breach of contract. Explain that if they tarnish your credit rating or move what they imagine to be an unpaid breakage fee you will see them in court. They simply don't have enough money for all of the lawyers they would need, especially as their income would have dropped to near zero, while their staffing, infrastructure, and financing costs remain.
The fee is a term of the contract, which, if you hold that they breached it, can't be valid because the contract no longer exists and cannot then be enforceable.
"...Seriously TT customers, just write to them regarding breach of care, breach of the DPA, and your view that it forms breach of contract..."
I've done this a few years back with Virgin Mobile, over their* crappy mobile coverage: Stopped the direct debits and when they wrote telling me they were going to charge me a cancellation fee for breaking my 12 months contract with them, I replied that they'd broken the contract first by failing to provide the level of service claimed in their advertising –and signed off with a metaphorical 'see you in court'.
Never heard from them again.
[*DISCLAIMER: This was a while back. Virgin's mobile service might be better or worse, nowadays]
Seriously TT customers, just write to them regarding breach of care, breach of the DPA, and your view that it forms breach of contract
Correct. All you need is a website and a campaign to gather a sizeable number of wannabe leavers and you can start stomping on the remaining fragments of their reputation in such a public fashion that they'll pay you to end it, because the larger the exodus becomes, the less likely it is that they get enough new victims customers to fill that hole. When you turn churn into exit only, management will eventually face uncomfortable discussions with shareholders.
Further, if the number is large enough it will get political and Trading Standards will get a hint to start taking a look.
Exit conditions on a telco contract? Except for device amortisation that is, what, the 90s? That alone would have been an argument for me not to go near them. If you are /that/ uncertain about your ability to hold on to a customer you are already planning to underinvest in keeping the services stable. No thanks.
If there is such a thing as a Reg reader on TalkTalk, it might be worth looking at your contract.
If my parents' experience last week is anything to go by TalkTalk is still auto renewing contracts despite Ofcom ruling it illegal. They mentioned this to TalkTalk and any talk of penalties suddenly ended and lots of really nice offers started coming their way - but they left TalkTalk and made sure Dido knew it was because they couldn't trust the company.
> Seriously TT customers, just write to them regarding breach of ...
But the problem is that a few of us here understand the law enough to do that, but the vast majority :
a) Have no idea of what their rights are
b) Suffer from the "English disease" of being too polite to tell even an outfit like this where to go
c) Are really afraid of the other side taking them to court and it tarnishing their reputation or credit rating
I have seen this first hand more than once, sometimes with people you might think would know better.
As to automatically renewing contracts, I don't think they do that. But they have a clever way round that prohibition. When said contract is coming up to the end of its fixed term, they contact the customer and offer them a "free upgrade" of some sort. With my SO, the previous time it was a new router so she'd be ready when faster broadband became available. But of course, what the punter doesn't realise (because who actually reads all that legal mumbo-jumbo?) is that they're signing up for another fixed term. Sneaky eh?
I'd been waiting for the previous fixed term to end so I could ditch them (primarily because they won't give a fixed address on residential lines), then one day I get home to the news that "We're getting a new something or other from Talk Talk" <insert slaps-head icon here>.
Yup, they'd done the same trick again, have a "free" Youview box, it's really £50 but we'll waive that in return for a ... wait for it ... TWO YEAR new contract.
Well my response was not complimentary about Talk Talk, and of course, the law gives us a 14 day cooling off period and I made sure it was cancelled. The conversation was "interesting".
I said we wanted to cancel the new contract and return to what we had
I'm not tying us into a 2 year contract
18 month ?
I suspect the "NO" may have been "quite unequivocal", but he just replied "OK" and backed out the changes.
I was waiting until we'd got some decorating out of the way, but this is as good a reason as any for telling them to stuff it now.
"As to automatically renewing contracts, I don't think they do that."
They do. Even when told explicitly not to. They also slam people by trying to upsell in complaint calls and then mark it as accepted even when told in no uncertain terms "NO"
In my case I was able to provide the recording to Ofcom and Surrey Trading Standards of my telling the TT sales droid I did not want my contract renewed. There's a reason I record all calls with business and this kind of shenanigan is it - the practice is not just restricted to TalkTalk.
As for the guy in the original article: He will find that "full and final settlement offer" becomes a _lot_ sweeter the moment he files in small claims against them for the full amount, plus distress. Personally I'd push for 5 times the amount if they want a non-disclosure agreement (and they will).
Anyone challenged by talk talk to pay the termination fee, as well as saying "Take me to court", should point out that there would be a jury of twelve ordinary people deciding if they should pay their termination fee or receive compensation.
And then clearly say to them "Do you think there are twelve people in the entire country who are not employed by talk talk and who would find in favour of talk talk??"
>>I wonder how many customers they will have left in 6 or 12 months time?
Most of them. It's long enough most will have forgotten, or will believe it's just "another security breach" like you hear about in the news "these things happen" etc.
TT customers tend not to be IT professionals (though I know some who are)
But just saying that's so won't get you very far. Their lawyers will simply say that's not so.
To get the matter definitively decided you would have to take them to court or stop paying and let them take you to court and use it as a defence or counter claim.
"To get the matter definitively decided you would have to take them to court or stop paying and let them take you to court and use it as a defence or counter claim."
Yes, that is correct. Most telcos settle on the digital equivalent of the court steps though - TT certainly can't afford to fight all of their existing customers should they walk en masse, because they will have no revenue with which to do so. They can't even afford to fight one single case, because they only have to lose once, and a route map exists for others to follow.
I walked away from a certain useless telco a while back, who tried to levy a couple of hundred quid early termination fee. End result - they bottled the court case, cleared my history of black marks, and covered my mail / call / email handling fees which had amounted to several magnitudes of their imaginary fee.
Had I won, they'd have been unable to threaten anyone with a breakage fee again. It's more lucrative for them to tax the stupid and the weak, so they do. Most people suffer through their contracts which allows the telco to attract replacement mugs, or otherwise back down at the first lawyer's letter.
I carefully avoided the word precedent as small claims court doesn't set these.
Any fee they claim is part of the contract may not be levied upon a contract which no longer exists. IF you hold that they breached the contract, and call them on it, then the contract ceases to be unless they take you to court and establish its continuance.
And the Supply of Goods or Services Act says that the service must be carried out with reasonable care and skill and the service must be of satisfactory quality and fit for purpose.
Everything that Talk Talk agreed to do in the T&Cs and haven't done can and should be used against them, but that's not the end of the story. I have no idea why so many people quote the T&Cs as if they were gospel when they are not; your consumer rights always win over a load of one-sided lawyerese with a couple of paragraphs thrown in so they can claim it's not all one sided.
T&Cs, yup, they just don't count for jack shit if they go against your statutory rights, and for the most part all T&Cs mention "except when it interferes with your statutory rights".
Let's face it, TT are a bunch of cowboys and it is all coming out in the wash, just waiting for the Tories to realise how toxic this is and bang they are gone; backing porn filters and other close ties just won't count.
> The legal debate about whether they broke the contract... will surely take ages to be resolved before you can legally claim your contract is breached - no?
You can claim breach of contract at the drop of a hat. It's sufficient to inform them, preferably in writing, that they have failed to protect your data in accordance with the DPA and have failed to provide the service with "reasonable care". State that you consider them in breach of contract, and that you consider the breach non-recoverable (they can't un-lose your data).
On that basis, you consider the contract null and void, and therefore no contractual early termination fees are applicable.
Then leave for another provider.
They then have two options.
The sensible option. Accept that they've really foooked up on this and just accept it.
The likely option. They challenge you on it, because they know that the vast majority will back down because they don't know their rights. Assuming you don't back down, the worst they can do is progress it, and if they are really stupid they can take you to court - where they will almost certainly lose (the case) and will absolutely definitely lose out in terms of reputation. They know they'll lose, so they will (eventually) settle - but not before they've tried various methods of harassment.
And on harassment since it's come up. If they aren't too careful, they risk someone prepared to push it with being reported for it which is a criminal offence. So it's worth pulling that one out of the bag at some point along the lines of "Your (solicitors) letters are of a nature which contravenes Section 1 of the Protection from Harassment Act 1997, if I receive any more communications of a harassing nature then I will report the matter to the Police as a criminal act."
Being charged with harassment would be the cherry on the cake of their bad reputation!
Protection from Harassment Act 1997, penalty on conviction is up to 6 months inside.
"And the Supply of Goods or Services Act says that the service must be carried out with reasonable care and skill and the service must be of satisfactory quality and fit for purpose."
There are also the laws about unfair terms in consumer contracts.
One of the reasons TT don't want these termination cases anywhere near the court is that the publicity in having certain clauses deemed illegal would turn the exodus trickle into a tsunami.
You buggered up the security.
You lied to customers about said security.
You then insult customers by not allowing those who wish to leave, a waiver of the fee.
You have technically broken the contract with your customers by not encrypting their details.
Sounds like the making of a class action to me!
Oh and Talk Talk, bit of advice, I really think you need to stop giving away money and spend it on a proper fricking PR dept, 'cos the one you have are complete and utter shite!!
Bronek Kozicki > "2) spend money by hiring security specialist with veto rights on design and architecture of anything facing 3rd party"
That's a good 'un. You should be on 'Live at the Apollo'. Honestly, security experts with authority to stop something? Are you mad? That will never be accepted by the board, it might cost them money off of their hard-earned, well-deserved bonuses. You'll be telling them to treat their customers with dignity and respect next.
Oh and Talk Talk, bit of advice, I really think you need to stop giving away money and spend it on a proper fricking PR dept, 'cos the one you have are complete and utter shite!!
Scenario 1: The "proper fricking PR dept" was sent to the Jobcentre long ago, along with anyone who actually knew something about data protection / IT security.
Scenario 2: There actually is a "proper fricking PR dept" but it's curled up in a corner whimpering at its advice being wilfully ignored.
I am beginning to wonder if the TT board is now paralysed by "Groupthink"; it seems to be fairly small (a judgement based on what I have been able to find on the website) and has probably gone out of its way in the past to sideline anyone who dares to say "hold on a minute..." on the basis of their perceived "negativity". As a result the board has become completely incapable of recognising any mistake made by its members, both individually and collectively. I wouldn't be averse to a small bet that Groupthink has played some part in bringing the current situation about.
As an aside I'm probably not the only person who wants to scream when faced by a picture of the Great Leader; come on El Reg, can you find an alternative, or at the very least get someone to Photoshop a dunce's cap on to her head.
You may well be right about groupthink. This is why the CEO of any company in this position should be expected to walk without compensation (VW got the first bit right). It provides them with a big incentive to keep a close watch on what's going on in the company and to have that little worry that the person who's "being negative" might actually be the one between you and the one way exit.
"When did that become a feature of English law?"
A few years ago, but the 1 October change is the turning point. http://www.bbc.co.uk/news/uk-34402483
There have been a number of class actions in the last couple of years and there is currently one going forward against Volkswagen. Leigh Day seem to be driving that one and I suspect they'll be the movers and shakers when TT's head is on the block.
Is that the same Ian Rimmington the UFO spotter ?
Perhaps aliens beamed his money away.
Love the prophetic comment at the end of the Video:
It's just disappeared, you're joking me.
I never thought I'd live to see the day my home town got a mention in El Reg and now it's linked with UFOs. I must say I don't know any Rimmingtons and with such a name he probably lives in one of the posher parts even more so if a UFO hovered above his house. I doubt any self respecting UFO would warp over our estate and it definitely wouldn't hang about hovering. That said, it's a grand place.
But is it "Ex Arte" or ex parte?
I think somebody needs a good thrashing from his house master and a good gallop around the quad to aid his diction.
Should that fail a trip to matron, for one of her favoured cough and drop remedies that she likes the older boys to do should suffice.
>Just off Towngate - Milner way/Flushdyke side? I remember when that wer all fields. We used to walk over them fields to Flushdyke school, if we were late, headmaster would smack our arses and if any dust flew up, supposedly indicating we'd been playing he'd whack us some more.
>Storrs Hill - That hill was a bugger at the end of the cross-country.
Aye, and climbing it every day didn't make it any flatter.
@Mike - My father went to QEGS and ended up a lorry driver; my grandfather went to QEGS and ended up a coal miner. Ossett Comp was on the whole I think an improvement; although I didn't attend university straight after school (to the headmaster's annoyance) I was the first in my family to have a Bachelor's or Master's degree.
And you'd prove to the court that your specific losses were caused by the Talk Talk breach how exactly?
Don't get me wrong, TT have been grossly negligent and should be fined a huge amount by the regulator/government and some high level executives should see prison time but there have been data breaches before and I'm not aware of a single case of someone linking a financial loss to the breach.
The chances are that it's pure coincidence this gentleman had £3500 nicked a couple of days after this breach but that's not really the point of this article. To charge him, and any other customers who want to leave, an early termination charge is shockingly bad PR from Talk Talk.
This appears to me to be the key point on which everything in this case rests.
The customer cannot prove that his money disappearing had anything to do with Talk Talk. It happened a couple of days after they lost customer personal details. And Talk Talk do appear to have been really slack in their security. But that's it. There is nothing that definitely shows there is any relationship between the two events.
I know everyone is keen to join in with the pile-on, and perhaps Talk Talk deserve it. But this case of the missing £3.5k is really weak and doesn't stand up to any scrutiny.
You've just let TT set the agenda. The slack security (three times over the last year no less) shows they've not taken the DPA and Supply of Goods and Services Act seriously and are not competent enough to provide the service.
That aside, TT trying to charge a leaving fee after going on record as saying they wouldn't if money was taken from bank accounts on or after the 21st of October allows you to argue they're acting in bad faith.
The burden of proof in the civil courts is upon the "balance of probabilities" not the "beyond reasonable doubt" requirement of criminal courts.
Therefore, the fact that TT have confessed to a breach of their IT systems would be sufficient for a District Judge to ask them what, precisely, they know about what was taken. If TT cannot, or will not, answer, a DJ would be within their right to view the claimant's loss as one of TT's making on the "balance of probabilities."
Given all of the above, TT would be insane to risk this matter being exposed in a public court so would almost certainly be advised to settle out of court on a non-disclosure basis. I'll lay odds that this is the game they are playing.
A data breach of this magnitude should be considered a priori evidence of the failure of the company to adhere to its own data protection policy, and therefore a breach of contract.
Can we have a Judge Dredd icon ? (And maybe, following Private Eyes example, a "Judge Dreadful" icon for numpty judgements ?)
If you reading are around, you'll see the Establishment in the English speaking nations, are not too keen on allowing "there was massive snooping/hacking/release of information and you say I have to prove harm?".
I'm not sure I know the answer, but without the negative feedback loop (i.e. via loss of cash), I don't see it improving.
Add to those problems, the irrational blurb coming from the UK/USA politicians magical thinking, and we have chaos being exploited by criminals.
"In the unlikely event that money is stolen from a customer’s bank account as a direct result of the cyber attack (rather than as a result of any information given out by a customer) then as a gesture of goodwill, on a case by case basis, we will waive termination fees."
The bit about 'rather than as a result of any information given out by a customer' is a nasty bit of legalese that allows them to avoid paying *any* compensation. The fraud only works because customers are convinced that the fraudsters are genuine TalkTalk reps. And the fraudsters are only in that position because TalkTalk failed to secure their data.
As soon as a customer provides a fraudster with *any* additional information on top of the names, phone numbers, account details and some bank details TalkTalk couldn't be bothered to secure - they can't request a no-fee termination of contract.
Has anyone had any success in leaving TalkTalk for claiming a breach of Section 18 of their terms and conditions which says: ‘We’re committed to protecting and preserving any information you give to us.’?
And nothing from Dido about TalkTalk repaying customers' money lost to fraudsters.
"Has anyone had any success in leaving TalkTalk for claiming a breach of Section 18 of their terms and conditions"
Not that section but I simply told them that after several months of failing to provide what they had contracted to (80Mb/s FTTC), they were in breach of contract as the service was unfit for the purpose for which it was sold and if they wanted to try and impose penalties I would take them to small claims for the 13 failed contractor visits at 1/2 day each time and £50/hour during those 1/2 days based on my lost wages and holiday time.
Unsurprisingly, that shut them up, other than a bleat that their T&C had an explicit "we have no financial liability" clause - once I brought up the "unfair terms in consumer contracts" laws they went silent.
My new ISP had replacement DSL in service on day 1 of the contract and when Openreach failed to show up (as usual) they were on the case the same day, resulting in someone arriving within 4 hours of the failed visit (none of the TT "you have to wait 8 days" bullshit) and sorting it out.
Ambulance chasing lawyers when you need them?
In any event, T-T are clearly breaking their promises to waive a termination fee. He should grab a copy of the Website and their response and take it all to the ICO and thence to the court.
T-T are still advertising on TV. Anyone signing up with them at the moment clearly need their head examining.
After all the legislation limiting damages and budget cuts that made it impossible to actually get cases to trial, we bailed on the legal profession and all became IT architects, administrators and developers. Those without the talent to succeed in any of those roles became PHBs.
Personally, at this point I'm thinking a 3rd career as an auditor might be a good move.
And an opportunity for some pay-back.
Credit and debit card details were tokenised, which is a standard higher than encryption
Can anyone explain what this means? As far as I know, there are two ways of hiding sensitive information.
It can be stored as a hash of the plaintext, which can then only be recovered by finding a value that results in the same hash (rainbow tables). This process may be made more difficult by obfuscating the plaintext (salting). I can't see any reason why TalkTalk would store hashed card numbers, since the process is one-way, and the only point of storing the card number is to use it to apply a charge. Alternatively it can be encrypted, in which case the plaintext is recoverable, either by decryption or by breaking the cipher.
If the TalkTalk process "is a standard higher than encryption", what type of encryption is it better than? Caesar substitution? Is it a one-way process, in which case it's basically a hash, or two-way, in which case it's a cipher? Either way, they need to identify the algorithm: it's well known that knit-your-own security solutions are always feeble.
This is a description from Wikipedia https://en.wikipedia.org/wiki/Tokenization_(data_security)
Basically, it's described as a substitution process, so the real information is replaced by a "token" that has no direct relevance to the data it replaces. (e.g. an address replaced by a numerical sequence)
However, if part of the data that was stolen included the database of tokens, then effectively you've handed over the keys to the castle, so bugger all security there.
When you take continuous payment authority on a card the token comes from the payment processor. You then keep the token and throw away the card details. The advantage being any subsequent payments are linked to that token so if it is compromised it can be revoked and the card is still safe. And the payment processor will then also know where the compromise occurred.
"You then keep the token and throw away the card details."
Except they kept partial details because that's what was listed as part of the data that was leaked. And those card details might be enough to persuade the recipient of a call that they're dealing with a genuine trader.
Tony S - yes, though any set up that has been properly designed won't allow access to the 'real' secure data using the tokens without additional authentication and/or IP based filters. I used to use a tokenised payment gateway in a previous life and getting the tokens from us would have been only one part of a pretty extensive hack. Nothing is impossible, but the tokens alone shouldn't be the keys to the castle.
Hard to comment on whether TT have done things properly, of course...
I *think* that what it essentially means is that they aren't storing the card details themselves but pass them on to their payment processor who supplies them with a code (token) related to that card's details, which they can then use to process the payments each month. This way they don't have the same level of compliance testing as they aren't storing card details themselves, and the payment processor *should* only allow transactions using the token to process payments submitted by, and directing payments to, T-T.
My guess would be they are saying there is only a pointer, index or indicator to where the actual credit card data is stored. Having only that data doesn't get you the actual credit card data, and there's no way to tell which credit card data it would be, so therefore safer than encryption which potentially could be decrypted.
Tokenisation is a mechanism by which the secure data (in this case, and usually, the CC number, etc.) are passed to a separate part of the infrastructure (or a 3rd party) and a token is returned as a reference. The token has no intrinsic value, but can be used to utilise the secure data.
The obvious advantage of this is that a breach doesn't give out credit card info in any form, encrypted or otherwise. If someone gets access to the tokens then the part of the infrastructure (or the 3rd party, if one is being used) should only allow access to the secured data for a valid token from a valid source using some properly secured mechanism, making it relatively easy to secure the confidential info e.g. by having the secure data stored on a private, possibly non-Internet accessible network that is only accessible from the company's sites (or more likely, very specific servers at said sites).
This is a pretty common approach as part of gaining PCI compliance for companies that process CC info, but of course it is mostly only used for the credit card data, not the rest of the personal data so if the personal data other than the CC info allows people to be conned out of cash (or have their money taken directly through some route other than their CC) then it isn't a panacea.
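The two threads above (the hash-versus-encryption question, and the description of a token coming back from the payment processor, being revocable, and being useless without an authorised caller) both come down to the same design point, so here is one added worked example that is not from the thread or from TalkTalk or any real payment processor. The TokenVault class is a toy stand-in for a processor's token service (an assumption; real APIs differ), the card number is the standard Luhn-valid test number 4111111111111111 and not a real account, and the "stolen" table is constructed inline. It shows why a hashed card number is not a defence when the leak also includes the first six and last four digits (only six digits are unknown, so a salt stored next to the hash does nothing against a brute-force search; salting only defeats precomputed tables), and why a random token is different: it has no mathematical relationship to the card number, it is honoured only for the merchant it was issued to, and revoking it leaves the card itself usable.

```python
"""Hashed PAN versus token vault: an added illustration, not any processor's real API."""
import hashlib
import secrets


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def hash_pan(pan: str, salt: bytes = b"") -> bytes:
    """What a 'we only store a hash of the card number' design keeps on disk."""
    return hashlib.sha256(salt + pan.encode()).digest()


def brute_force_hashed_pan(digest: bytes, bin6: str, last4: str, salt: bytes = b""):
    """Recover a 16-digit PAN from its hash when the first six (BIN) and last four digits
    leaked alongside it.  Only the six middle digits are unknown: 10**6 candidates.
    The salt is stored next to the hash, so the attacker simply feeds it back in."""
    for mid in range(10 ** 6):
        candidate = f"{bin6}{mid:06d}{last4}"
        if hash_pan(candidate, salt) == digest:
            return candidate
    return None


class TokenVault:
    """Toy token service standing in for a payment processor.  PANs live only here."""

    def __init__(self):
        self._cards = {}        # token -> (pan, merchant_id); never leaves the vault
        self._revoked = set()

    def tokenise(self, pan: str, merchant_id: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        token = secrets.token_hex(16)       # random: no mathematical relation to the PAN
        self._cards[token] = (pan, merchant_id)
        return token

    def charge(self, token: str, merchant_id: str, amount_pence: int) -> bool:
        """A token is honoured only for the merchant it was issued to, and only until revoked.
        Returns True when the (simulated) charge is accepted."""
        if token in self._revoked or token not in self._cards:
            return False
        _pan, owner = self._cards[token]
        return owner == merchant_id and amount_pence > 0

    def revoke(self, token: str) -> None:
        """Kill a compromised token; the underlying card stays usable and can be re-tokenised."""
        self._revoked.add(token)


class MerchantBilling:
    """What the merchant (the ISP, in the thread's case) stores for recurring billing."""

    def __init__(self, vault: TokenVault, merchant_id: str):
        self.vault, self.merchant_id, self.rows = vault, merchant_id, {}

    def add_customer(self, name: str, pan: str) -> None:
        token = self.vault.tokenise(pan, self.merchant_id)
        self.rows[name] = {"token": token, "last4": pan[-4:]}   # PAN discarded after tokenising

    def bill(self, name: str, amount_pence: int) -> bool:
        return self.vault.charge(self.rows[name]["token"], self.merchant_id, amount_pence)


def breach_scenario() -> dict:
    """Dump the merchant's customer table as an attacker would and report what it buys them."""
    pan = "4111111111111111"               # constructed Luhn-valid test number, not a real card
    vault = TokenVault()
    isp = MerchantBilling(vault, "isp-001")
    isp.add_customer("alice", pan)
    stolen = dict(isp.rows["alice"])       # the leaked row: token plus last four digits

    result = {
        "pan_in_dump": pan in stolen.values(),
        "attacker_charge": vault.charge(stolen["token"], "attacker-shop", 100_00),
        "merchant_charge_before_revoke": isp.bill("alice", 30_20),
    }
    vault.revoke(stolen["token"])
    result["merchant_charge_after_revoke"] = isp.bill("alice", 30_20)
    isp.add_customer("alice", pan)         # same card, fresh unrelated token
    result["merchant_charge_after_retokenise"] = isp.bill("alice", 30_20)
    result["new_token_differs"] = isp.rows["alice"]["token"] != stolen["token"]

    # The same leak against a hashed-PAN design: BIN and last four are in the dump too.
    salt = secrets.token_bytes(16)         # stored beside the hash, so the attacker has it
    result["hashed_pan_recovered"] = brute_force_hashed_pan(
        hash_pan(pan, salt), pan[:6], pan[-4:], salt)
    return result


if __name__ == "__main__":
    for key, value in breach_scenario().items():
        print(f"{key}: {value}")
```

The vault here only checks that the caller's merchant id matches the one the token was issued to; a real processor layers credentials, source-address restrictions and rate limits on top of that, which is the "valid token from a valid source" point made above. The brute-force half is the thing to remember when someone says "we hash the card numbers": the search space is the unknown digits, not the hash length.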
Not the usual "it's the bankers" angle, but surely if a bank has handed out a large stack of money to someone who was not authorised then that is the bank's fault? I seem to recall a related Mitchell&Webb mini-documentary on banks and identity theft...
It doesn't let TalkTalk off the hook but are there not supposed to be lots of guarantees etc with bank accounts and/or cards (even debit ones) such that the account holder can get a refund? Doesn't undo the hassle but surely makes it less fatal.
Actual genuine question (sorry).
It makes for a much less interesting story, but yes, the bank will have returned the £3.5K to his account, cancelled his cards and pursued the merchant for the money back and possibly reported it to the police to investigate.
Hassle, sure (happened to me recently and also my wife a month or so later), but probably not related to Talk Talk and TT certainly aren't responsible for returning the £3.5K.
Anyone got the email address of the complaint department at talktalk? Every page link takes you to a phone number, I guess they removed the email link off their site.
Also anyone good at wording a strongly worded letter? As I'm not paying talktalk any more money.
Short story, I informed talktalk I was leaving for BT on the 7th Oct, so technically my 30 days notice would be to the 7th of Nov. However after checking up on them on the 28th Oct, they didn't put the disconnection down on the account back on the 7th, so now tell me I need to pay for another month, until the 28th Nov. I'm saying I have given notice! So I have cancelled my DD in response to this and the hacking.
So anyone got any technical/law comments I can add to my letter? As well as responses to the hacking vs breach of their T&Cs?
Absolutely. My father (in his eighties and a bit of a sucker for some of these things - I discouraged him from online banking and have a reasonable protocol in place with the Bank - HSBC actually, might be bad at some things but good here) had a problem with BT. Having failed to get them to realise that a £250 (yup £250) cancellation charge for a service he was persuaded to sign up for but which could never be delivered I went the OFCOM route and ccd BTs customer services. Within 72 hours, following a note from OFCOM requesting further details, BT cancelled the contract - without either apology or charge.
Get the facts right and inform OFCOM.
"yea been reading all over their site. the so called email form doesn't exist! don't really want to post this off lol"
I always advised my clients to communicate via snail mail, keeping a copy and using recorded delivery.
That way the defendants could not claim they did not receive it. It was almost standard practice for a substantial number of companies to claim they did not receive correspondence which had been sent by methods for which proof of delivery could not be provided.
I used to work as an advice caseworker.
In order to resolve the situation, my proposals are to take the following actions: Unfortunately I would not be able to waive your contract breakage fee if you decide to leave TalkTalk.
The jarring non-sequitur there is a dead giveaway that that's a template letter. Couldn't be bothered to write a personalised one. Another masterstroke of customer relations management.
As someone who is heavily involved with data protection and information governance I do not see this as a witch-hunt but as a justified taking-to-task of a company that has clearly failed its customers and is continuing to do so.
TT has failed to meet its obligations under the Data Protection Act; if the site holding personal data can be hacked then clearly they have not met the requirement of the Act: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". If their security was not sufficient to prevent a hack then clearly they were failing to meet their obligations. Furthermore, if you read the ICO guidelines on principle 7 then you will see that the ICO expects companies to "be ready to respond to any breach of security swiftly and effectively"; clearly TT have not met this either.
I seriously hope that all of TT's customers vote with their feet, and any remaining money in the company is hoovered up by a massive ICO fine. It is time that companies learnt they have an obligation to maintain a continuous improvement cycle when it comes to data security, and that it comes ahead of lining shareholders' pockets.
> if the site holding personal data can be hacked then clearly they have not met the requirement of the act
It's not if the site can be hacked - any site can be. The question is whether they took appropriate measures to secure the data that they hold. Keeping bank/card details in clear text, or even unsalted, isn't particularly clever in this day and age.
Sorry, my poor choice of words! I meant the back end holding the data should be secured against hacking, including encrypting the data so that if the black-hats get through everything else the data still isn't usable.
You can't help wondering if, in this instance, TT were actually storing data on the front-end server....
"It's not if the site can be hacked - any site can be."
Three times in one year is a good indicator that no one competent is at the helm.
There should be _criminal_ investigations of Talktalk's failure to comply with the DPA and C-level execs should be in the dock.
This is reckless operation and as such penetrates the corporate veil preventing individual personal liabilities.
"With 4m customers what is the probability that in any one given week someone will be subject to credit card fraud?"
You are correct in this, there's no evidence that TT were responsible. However:
"What is with the witch hunt by The Register?"
The response he got from TT deserves condemnation on its own (de)merits. They have failed abominably in their duty of care to their customers and yet are still trying to hold them to contracts. It's probably not going to do them much good in the long run. At the very least it keeps bad publicity in the media for longer. At the most they'll die the death of a thousand cuts in the small claims court and multiple Trading Standards investigators climbing all over them. The contrast between the way they've handled this and the way VW are handling their problems couldn't be greater.
I'd be interested to know HOW they took money out of his account.
Every anecdote I've heard so far about this is a simple social engineering hack perpetrated by someone claiming to be from TalkTalk and a user then letting them start a Remote session of some sort "to fix a problem".
I share everyone's disdain for the way they've handled this, but really you can't expect them to pay compensation for people's naivety and gullibility.
Of course perhaps in this particular case it really was a hack.
Without the "seed data" nicked from TT, the social engineering attack is very difficult.
But with all the juicy data there it becomes easy, thus TT should bear major responsibility.
Plenty of "security" style data such as DOB, parts of the CC number, bank account etc., and then it gets easy. A lot of people will assume it's a legit call, as they do not expect that data to be in the public domain (do not underestimate how many people this whole story is under the radar for - I know far too many people who have almost zero current affairs knowledge / interest), especially as the caller ID will be faked (to a legit TT number in this case), so the caller can tell a concerned mark to check the number shown and compare it to the TalkTalk website.
A good con artist team can be very skilled and persuasive (a well orchestrated one will also have other team members playing other roles, e.g. the manager of the initial scam caller; they may typically call several times, with different people (to give the impression of a large company), and comments such as "oh, from our records I see you dealt with 'X' previously, shall I put him / her on again as they know your case better than me").
No matter how savvy you think you are, there's someone and some situation that could catch you out, and simultaneously someone else saying "oh, what a mug punter to fall for that".
A distant family member had around 3.5k stolen within the last couple of years, after the "first" TT hack. I thought the same as most: he must have done something that allowed it. Indeed he did receive many calls from "Talk Talk" insisting there were problems with his router etc. and that he needed to do things on his PC to help them fix it. He's not daft and put the phone down, apart from one occasion where he humoured them BUT DID NOT TOUCH HIS PC. He had already tipped off his bank that something fishy was happening and sure enough money disappeared from his account (he got it back because they allowed it to happen even though he warned them). Just enough money at just the right time to not raise any alarm bells with the bank (insider info), and it was an international transfer. They had used a weakness in the TT website security along with a facility available once you are on the website; the phone call seems to have been nothing more than a diversion and appears not to have been key to the theft. I emailed TT asking them to please remove the feature that had been exploited, but until they took the whole site offline that feature was still there. This required very specific knowledge of the banking system and a specific security protocol used for international transfers (all of the cases I've seen online were customers of a certain Spanish bank; I don't know about this guy from Ossett though).
As a TT customer it's quite scary knowing that my info may be out there and that they will deny all knowledge and try to worm their way out of responsibility if the worst happens. Even leaving when my contract is up may be fruitless, though the exploited website facility would no longer be available. I keep my fingers crossed that the combination of TT and the bank have seen so far is indeed necessary and I'm therefore safe bankwise. DD isn't part of the theft so the DD guarantee doesn't apply.
As an aside, I too had money stolen a number of years ago when I was with the same bank (at least one that they took over). Some guy sat in a flat in Newcastle managed to find enough info about me from a family history site to answer very weak security questions, allowing not only my password to be changed but also my address to be changed, and a replacement card and PIN issued to the new address, and the bank didn't even blink an eye at such a suspicious sequence of events. The Spanish arm of the bank were very unhelpful, claiming that it was clear someone had used my card and PIN to take the money so it was my fault (the new card and new PIN that the bank themselves had provided to this person). Thankfully the UK side of this bank was still being assimilated and had some common sense; I got my cash back and the perp was eventually found and prosecuted! (He told the cops that they may think he was too lazy to get a job, but in fact he spent 22 hours a day, every day of the week, looking for victims and info.) Sadly, until banks and other companies take security seriously, this will continue to happen. Such details should absolutely not be directly held on an internet-facing website, and such a website is extremely poorly designed.
Tokenisation means that somewhere there is a service that handles the tokenisation requests from TalkTalk applications; the service maps the cardholder's Primary Account Number to a token. This mapping will be held in a secure token vault. If you have the right permissions, you can ask the tokenisation service to detokenise the PAN, e.g. back to the original 16-digit number on the front of the card.
The key question for me is: was this a tokenisation service run by TalkTalk? Or implemented by their payment provider or bank / acquirer? If it is managed by a competent third party then TalkTalk applications would be unlikely to be able to ask for a PAN to be detokenised.
I do not see tokenisation being better than encryption; it offers similar protection but in a different way, and poor implementation can screw both up.
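As an added illustration of the tokenisation model described in the comment above (example code, not TalkTalk's or any payment provider's): a hypothetical vault maps a PAN to a random format-preserving token, the merchant application stores only the token, and detokenisation is gated on a role the application does not hold, so a dump of the application's database yields no chargeable card numbers. The service, roles and sample PAN are all constructed for the example.

```python
import secrets

# Constructed sample: the standard Visa test PAN, not a real card.
SAMPLE_PAN = "4111111111111111"


class TokenisationService:
    """Hypothetical tokenisation service backed by an in-memory token vault.

    The vault is the only place a token can be mapped back to a PAN.
    Applications only ever hold the token.
    """

    def __init__(self, detokenise_roles=("acquirer",)):
        self._pan_to_token = {}
        self._token_to_pan = {}
        # Roles permitted to detokenise; a merchant application should not be listed.
        self._detokenise_roles = frozenset(detokenise_roles)

    def tokenise(self, pan):
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        if pan in self._pan_to_token:  # same PAN always yields the same token
            return self._pan_to_token[pan]
        while True:
            # Format-preserving: random digits, keeping the last four for display.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenise(self, token, role):
        """Return the PAN for a token, but only for an authorised role."""
        if role not in self._detokenise_roles:
            raise PermissionError(f"role {role!r} may not detokenise")
        return self._token_to_pan[token]


class MerchantApp:
    """Customer-facing application: stores tokens, never PANs."""

    def __init__(self, service):
        self._service = service
        self.db = {}  # customer id -> stored token

    def save_card(self, customer_id, pan):
        self.db[customer_id] = self._service.tokenise(pan)

    def leaked_records(self):
        """What an attacker who dumped the application database would obtain."""
        return dict(self.db)


def dump_contains_pan(dump, pan):
    """True if a real PAN appears anywhere in a leaked record set."""
    return any(pan in value for value in dump.values())
```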
I couldn't help but notice that they insisted that the credit card information had been tokenized, but gave no mention of ACH information. Considering the article mentioned that the money had vanished from the victim's personal bank account, I'd suspect that they were storing bank account:routing numbers in plain text.
Which, as everyone knows, is not PCI compliant.
I see it's fallen from 320p to 220p in the space of a month so the bad news is adding to their distress. Labour was accused of providing "jobs for the boys" years ago, I look at Dido "not-a-clue" Harding and wonder whether her £7M last year is, somehow, equivalent?
Paris, clearly has "jobs for the boys".
I have had over 50 calls over the last few months from people claiming to be from TalkTalk. They wanted me to go to a website to fix a problem on my broadband. These people even had my TalkTalk number.
When I complained, all I got was a web link on how to avoid scammers!
Being a phone company, you would think they would have the brains to intercept the calls and
So frankly, TalkTalk are totally incompetent.
Which explains why a bunch of geographically unrelated kids are being collared.
By extrapolation, it suggests that the 'DDoS attack' was probably a couple of dozen script kiddies running SQL queries.
Talk Talk, beyond pathetic. Rumbled.
So they hacked it by doing a Google search for keywords showing vulnerabilities.
That is so basic, how could Google look inside a secure website?
People are saying, any website can be hacked. That isn't true.
Most websites have some sort of hacking attempt every day, usually WordPress exploits.
If it were that easy, every website would be hacked.
Talk Talk was hacked because management didn't provide direction to the IT staff because management didn't understand the issues. I am sure it is the same as Target, they had a non IT person in charge of IT.
"Which explains why a bunch of geographically unrelated kids are being collared."
The kids are highly unlikely to be the brains behind the outfit.
The payday attackers are highly likely to have come from behind multiple layers of obfuscation. Virtually no website uses any protection against Onion or open proxy outlets, despite there being several dedicated DNSBLs for this purpose.
TalkTalk Terms & Conditions:
8.2 We try to keep your data and communications secure; however, for reasons beyond our control, these may be unlawfully intercepted. If they are, we’ll investigate and advise on next steps.
You could argue that the term 'beyond our control', in the context of the recent data breach, would mean that they are claiming they have done everything possible and there was nothing they could have done to prevent the theft, and more importantly nothing they will do, as making changes now would imply that there were improvements that could / should have been made and that the previous safeguards were not adequate.
Dido actually stated in an interview that she admitted their security measures were not good enough. Anyone in a contract could use this as reasonable grounds in my opinion, but what do I know.
about security ffs? She's a PPE grad. If she says the security wasn't "up to scratch" how the F**k would she know? You'd think that £7M a year would buy a few IT courses to get her up to speed, wouldn't you? But, of course, for a top-flight CEO that sort of basement tech knowledge isn't required, just an in-depth knowledge of flannel for the tabloid press. Unfortunately, luv, that doesn't cut it for the rest of us.
More guillotines, please.
It's amazing how security is always an afterthought, at almost every company I have ever worked at security is always thought of last. It's always sales making unrealistic promises and management giving unrealistic deadlines. So of course everything is rushed and damned if you dare propose sane ideas on high availability or security to dare take the focus away from features.
Hell, it's shocking how few "IT Professionals" even know what a HSM is let alone layered security.
Some years ago my son commenced a computer science course at the local university. Like the rest of the first-year students he was bored by the mandatory MS Office course, especially when the lecturer didn't know how to centre a line of text in Word. So, he hied off to a 2nd-year lecture on web application development. Puzzled, he asked the lecturer about security, as it hadn't been mentioned.
"Oh, that's something we deal with after we have finished programming the application," replied the lecturer.
If someone responds to a phishing, vishing or spearphishing call and gives out their banking codes, they are still the ones who are culpable.
It's in their bank's T&Cs, and customers are warned when signing up, logging in, and even attempting to make an online or telephone payment.
Sorry, I HATE TT, but they can't be blamed for pig shit stupid people!!
Oddly enough, just a few days ago, I had a dodgy transaction for Orange Home (whom I've never been a customer of) for something like 90 quid, using a debit card that was destroyed many years ago - but definitely the same card I used for TT. Even my bank fraud team were like 'yes, bit of a coincidence isn't it...'
Not sure how the perp used it though, seeing as it wasn't even on the bank's system any more...
I still can't log on to the effing TT "My Account" page. It just has some meaningless info, such as "keep trying" if you want to chat with them. As if..
What the heck are they doing?
And to think I'm just with TalkTalk because I once signed up with Pipex...
It's most likely offline because actually taking money relies on a weakness in the website security and a facility that is available once they log on as you. I suspect the website was probably offshored and either the SLA doesn't cover this or nobody knows how to alter the site, so it's offline until those issues are resolved.
TalkTalk should be ashamed not so much for the fact they got hacked, but for the simple fact they don't give a sh*t, are constantly condescending and so obnoxious. AND THEY KNOW IT!!!
I have had to spend days helping my elderly parents on the phone with Mr TALK TALKINGNONSENSE being told they will have to pay cancellation costs, changing bank details, moving funds, and in the end we contacted BT, yes British Telecom. They offered to pay £150 towards Mr TALK TALKINGNONSENSE's cancellation fee and now we're back online with BT, Good riddance TalkTalk.
I hope that others do the same.
This is all very interesting. They're having a great laugh. They're begging for someone to take them on. Like painting a big "Kick me" sign on themselves. There are also equity arguments, so Talk-Talk makes an eye-wateringly attractive defendant. What's the appetite?
If there is an appetite, is there anyone interested in pro bono generic/representative small claim pleadings in contract, data protection, and tort against Talk-Talk with accompanying skeleton and procedural/costs submissions, especially given that since the CA decision in Vidal-Hall v Google (subject to SC appeal) it is now possible to claim statutory damages (or accounting for profit) without any need to prove actual harm? Straw poll.
(I note only about 1-5% of people who say they'll take on such excellent clowns as these, actually will, so I'd need a huge expression of interest before I bothered)
I have been keeping an eye on their forums to get an idea on scope etc. I came across this posted 48 minutes ago i.e. 10.38 05/10/2015.
It might be false info but it seems that they do not want to be helped in securing the system.
Biting the hand that feeds IT © 1998–2019