TalkTalk 'fesses up to MEGA data breach

TalkTalk has admitted to a major breach of sensitive user information, which may have led to some customers handing over bank data to hackers. In an email to subscribers, the company said it first saw a big increase in malicious scammers claiming to be from TalkTalk at the end of last year. The budget telco said that – …

  1. Vimes

    If non-sensitive data can be abused to gain access to sensitive data, then how is the non-sensitive data not, in point of fact, sensitive in its own right?

    Perhaps this says more about the marketing speak in use at Talk Talk rather than the scale of what has happened here?

    1. Anomalous Cowturd
      WTF?

      @Vimes

      Marketing speak is everywhere these days. Get used to it, and learn to read between the lines!

      I just received the email from TalkTalk, but as I never speak to unsolicited callers unless I know them personally, it's not a problem for me, or anyone with half a clue about security.

      1. pig

        Re: @Vimes

        A smart scammer would now resend the phishing emails as being from Talk Talk.

  2. TonyJ

    Again!

    When are we going to see some serious action dealt out to these companies who are meant to guard and protect our sensitive information? I mean genuinely punitive.

    And as I've said before - ANY company where a data breach has occurred should be legally obliged to provide every customer present and past with a year's worth of credit monitoring.

    1. PNGuinn
      Mushroom

      Re: Again!

      10 Years minimum.

      1. Only a year and a patient scammer will wait.

      2. See it as a deterrent and / or punishment

    2. Pascal Monett Silver badge

      Re: Again!

      Sorry, but that does not feel enough for me.

      Personally, I think that any company that has not been diligent in the protection of my personal data should see its CEO go to jail and its board fined on their personal fortune.

      If it impacts me personally, I see no reason why it should not impact them personally.

  3. Gordon 11

    I'm always intrigued by these "bank details" that are so sensitive.

    All TalkTalk has of mine is the sort code and account number. Information that was always on any cheque I wrote anyway. So in what way is it sensitive?

    1. Vimes

      http://news.bbc.co.uk/1/hi/entertainment/7174760.stm

      1. Gordon 10
        Joke

        When someone does a "Clarkson" on Gordon11 up there - please don't get me by mistake.

      2. Lallabalalla

        How did that actually work then?

        Not that I want to scam anyone (not even Clarkson), but how, if banks are "secure", is it possible to set up a DD or withdraw money or whatever if all you have is a/c & sortcode.

        I am the naivest person ever but I, like Clarkson, assume you could only put money IN with those.

        I'm probably also naive if I think anyone is going to explain it to me, tbf, but anyway...

        1. An0n C0w4rd

          Re: How did that actually work then?

          @Lallabalalla

          In theory direct debits should be secure as the signature on the authorisation form should be compared to what is on record at the bank. In practice I suspect that was never done.

          Also, as far as I know there are now 100% electronic direct debit instructions, so in theory yes, a DD could be made just on sort code, account number and the name of the account holder.

          1. John 156
            FAIL

            Re: How did that actually work then?

            Clearly, you have no knowledge of how Direct Debits work, which I cannot be bothered to explain since it is nowhere near as simple as you imagine..

            1. Someone Else Silver badge
              Thumb Down

              @ John 156 -- Re: How did that actually work then?

              Clearly, you have no knowledge of how Direct Debits work, which I cannot be bothered to explain since it is nowhere near as simple as you imagine..

              In that case, STFU, fuckwit!

              1. TonyJ
                Thumb Up

                Re: @ John 156 -- How did that actually work then?

                Have an upvote...hate those "I am posting to say I have nothing to say, other (usually) than I know something that you don't!"

          2. Mr Humbug

            Re: How did that actually work then?

            The security around direct debits is not to do with the information you need to supply but to do with the organisations that are allowed to set them up.

            Yes, I can use your bank number and sort code to set up a direct debit but I can't make myself the beneficiary of that transaction so I would have to use it to get something from another organisation that I either needed (electricity or broadband service for example) or that I could sell on.

            In the former case when you dispute the DD transaction your bank will (according to the DD guarantee - I've never tested it) give you the money back then tell the supplier that the DD was fraudulent and the supplier will go after you for the money it loses - it will have a supply address for the service.

            I can't think of any examples of something you could buy using a DD that would have a re-sale value and wouldn't have a known supply address.

    2. Kubla Cant

      ...the sort code and account number. Information that was always on any cheque I wrote anyway...

      In the days when payments were mostly made by cheque, it was far less easy to exploit knowledge of these details, not least because most bank account transactions involved a written instrument. These days most transactions are "electronic" and the total volume of transactions is greater. The worst thing is that it's now difficult to isolate a bank account from the world of instant transactions and pay-by-bonk.

  4. clint11

    TalkTalk

    As a TalkTalk customer who has had one of the scam phone calls I can say that the spammer did not have the customer's bank details until they asked for them when they wanted to upload a fake program to the customer's computer. What the spammer did have was the customer's name, address and most disconcerting of all, the customer's TalkTalk Account number which they quoted to the customer without being asked for it.

    I can state that this has been going on for at least 5 to 8 years no matter what TalkTalk now say, as I recall this sort of scam being reported on the old Tiscali forum, although back then TalkTalk always denied that this was happening and said that this was an impossibility.

    1. I am not spartacus

      Re: TalkTalk

      "As a TalkTalk customer who has had one of the scam phone calls I can say that the spammer did not have the customer's bank details until they asked for them when they wanted to upload a fake program to the customer's computer. What the spammer did have was the customer's name, address and most disconcerting of all, the customer's TalkTalk Account number which they quoted to the customer without being asked for it."

      That corresponds to my experience of the scammer, almost exactly. On the three occasions, in rapid succession, that they called, all I had to do was to go out of my way to neither do nor say anything more than the absolute minimum required (Q:'Can you turn on your Windows PC', A: 'No, I can't do that, currently') and they either gave up or hung up on me.

      Now, for a combination of reasons, I have left TalkTalk and the calls have stopped. I can only suspect that the scammers probably have more of a direct connection with TalkTalk than they would like to admit, as me leaving them seems to have stopped the calls, and I can't see how someone who only nicked their customer list once would know that (or care).

      1. Alan Brown Silver badge

        Re: TalkTalk

        "I can only suspect that the scammers probably have more of a direct connection with TalkTalk than they would like to admit"

        Given the amount of scamming running out of foreign call centres (particularly Bangalore), what makes you think TalkTalk is immune - and given the number of outfits which have outsourced to Bangalore what makes you think that this is restricted to just TalkTalk?

  5. richclever

    The 'Talk Talk Business customers are not affected' bit would be great if they hadn't moved some small businesses over to the domestic service early last year. I get daily calls now from the scammers. Of course I have not had any email from Talk Talk because I am now back on their business service so the first I knew of the breach (apart from my suspicions of course) was seeing the story here and in the Guardian.

  6. Anonymous Coward

    Aren't TalkTalk the ones moving business customers to residential packages - this must be very reassuring.

    1. AJ MacLeod

      Any references? I've found TTB remarkably good considering their name contains "Talk Talk" (I only ended up with them by default through multiple takeovers of F2S over the years)

      1. Anonymous Coward

        Sure - http://www.ispreview.co.uk/index.php/2013/02/uk-isp-talktalk-business-migrates-smes-to-home-broadband-package.html

        1. AJ MacLeod

          Hmm, thanks... I seem to have missed that fortunately. I will say that TTB support have probably been the least painful of any ISP I've ever had to deal with (which is most of them, due to my job) - the phone is answered almost immediately and the person on the other end has always understood what I've said and gone on to help sort the problem out with zero hassle or mentions of yellow cables. Having often had to deal with the likes of plain old TalkTalk residential or even BT (Business included), this makes a very pleasant change indeed!

          1. Anonymous Coward

            Interesting. Given TT's year after year slapdowns one has to wonder what shitpit ISPs you could have been with to receive worse support?

            Can't help but wonder if there is anything you would like to disclose?

            1. AJ MacLeod

              Read my comments again, carefully, and you might understand the following; as PART OF MY JOB I deal with ISPs (nearly all of them) for other people. Also, should you read my comments again, carefully, you'll also notice that I was talking about TalkTalk _BUSINESS_ who are in practical terms completely different to deal with from "residential" TalkTalk.

              Since you ask, I would like to disclose that I have never worked for or have shares in any ISP. BTW, in case you hadn't noticed you're the AC, not me...

            2. Alan Brown Silver badge

              "one has to wonder what shitpit ISPs you could have been with to receive worse support?"

              Orange for starters.

          2. Anonymous Coward

            "...of any ISP I've ever had to deal with (which is most of them, due to my job)" could simply mean that the business you're employed by has used many ISPs in the time you've been with them.

            I'm aware you're talking about TTB, I instigated the discussion with a comment of TT moving business customers onto residential packages if you recall.

            1. AJ MacLeod

              And how am I supposed to tell who you are when you're wearing that mask?! But I can only relate what I've found throughout the time I've been a TTB customer (not sure how long without checking - a couple of years now?) I've had consistently top notch service from technical support; that is, every single phone call has been short, to the point, and speaking to someone who knows what they're talking about. Every single time has been an OpenReach issue, not TTB BTW.

              Maybe I've just been extremely fortunate with TTB but I've spent days of my life on the phone to all sorts of ISPs and I've very rarely had that kind of service from any of them once, never mind consistently.

              As I said, all the more surprising when you know the excruciating agony involved in dealing with TalkTalk residential...

  7. clint11

    TalkTalk scam

    Also see:-

    http://community.talktalk.co.uk/t5/Scam-Calls/bd-p/Scam

  8. thomas k.

    we take our customers' security very seriously

    Well, after we discover that security has been compromised, that is.

  9. Zippy's Sausage Factory
    Devil

    This now makes me happier about not being a TalkTalk customer after ten years.

    Although that said, I used to get daily marketing calls from them asking me to open a new contract for two years - which I always used to bat away quickly, unless I was in a bad mood that is...

  10. Anonymous Coward
    Unhappy

    Sorry...

    In a statement it said: "At TalkTalk we take our customers' security very seriously.... ZZzzzzzzzzzz

    Sorry, zoned out heard it so many times....

  11. Pen-y-gors

    Let's not jump to conclusions

    Okay, it's great fun slagging off TalkTalk, 'cos they are pretty rubbish, but...

    So far there's no evidence that they've been hacked or anything. The data that has allegedly been used could just as easily have been acquired by a more traditional, physical route. Perhaps a printed report of customer details in the TalkTalk accounts dept, that didn't get shredded after use, but instead found its way into the pocket of a dodgy junior member of staff, who then flogged it. Technically a security breach, but strip-searching all staff on the way out is probably overkill for a phone company.

    Not all data breaches are down to clever hackers and security loopholes. They may well be in this case, but we don't know.

    1. clint11

      Re: Let's not jump to conclusions

      TalkTalk have admitted that the breach took place at a third party site that they use. Use the link I posted earlier.

  12. Anonymous Coward

    did notice

    after I signed up to their fiber as 2 days later started getting sales and ppi calls to a dumbphone number I have never used online and never registered with any other company before

    their support assured me they had not shared my details..

    looks like my suspicions were right

  13. Mevi

    Talk Talk *IS* the scam

    My partner was told that Talk Talk was a great ISP by a salesman in town and she signed up on the spot.

    I have to speak to them whenever they fuck up billing or bundled channels or send the router and engineer to the wrong address when we had someone stay home and then they complain that we were not there..... she gets 'phone rage' pretty easy. I'm putting off our current complaint of regular dropped ADSL connections and missing channels for a few more days as I just can't face another lost evening talking to a script-reading out-sourced Mumbai call centre jockey who WILL hang up the moment we go off-script.

  14. Lost in Cyberspace

    As a Home PC Tech

    IMO companies like TalkTalk, Sky TV etc have had rogue insiders for years, stealing records. I get calls from fake Sky exactly at the time my box warranties expire. My customers get frequent calls, by name, from companies saying they have a PC problem.

    It's frustrating that for every customer that rings me because "TalkTalk accessed their PCI and confirmed a virus", there must be another that just pays the fake ISP for a maintenance contract and falsely believes their PC is secure. This is not the first time it's happened.

  15. x 7

    I find it interesting that if I try to open the AOL UK webmail page in IE (which is actually TalkTalk) the Malwarebytes AntiExploit tool throws a wobbly fit and refuses to open the page, warning me of a live attack. Try to open the same page in Firefox or Chrome and nowt happens. At face value there would appear to be a rogue script on that site which only works on IE

    (note this happens on all the PCs I've tried it with)

    One wonders if the site's been infected with an ID-scraping script

  16. Someone Else Silver badge
    Mushroom

    If I had a dollar/pound for every time I heard...

    In a statement it said: "At TalkTalk we take our customers' security very seriously and we take numerous measures to help keep our customers safe."

    This is actually the third time today that I've read the same "We at <insert name of fat-ass Corp who doesn't really give a flying fuck about their customers> take our customers' security very seriously...blah, blah, blah...bullshit, bullshit bullshit..." line here in The Register (see story about Lenovo). Engaging the Corporate Bullshit filter, this quite clearly translates as, "Motherfuck! Call the flippin' lawyers to help us cover our bleedin' asses/arses!"

  17. Florida1920
    Alert

    A real *news* headline would be

    Corporation X Reports It Has Had No Data Breaches

  18. James 100

    Business "service"

    Having had my office moved to TTB from Sky (having been happy business customers of Be previously, until Sky took over with no clue what to do with all the business customers they'd just bought), I've found the technical side shockingly poor. All day every day, 100+ms latency spikes, packet loss up to 10% - even in the middle of the night, when everything except the router is switched off and nobody's in, burst of packet loss and crazy latency every hour or two. No chance of VoIP working properly, either.

    http://www.thinkbroadband.com/ping/share/43d63f7aa936a76c5cec055cb6cd8c15-28-02-2015.html

    TalkTalk's answer to this? We're using their "unlimited" "business" service "too much", perhaps we should move to a leased line: VoIP apparently doesn't work over their ADSL service, unlike everyone else's. How much usage is "too much" on an "unlimited" package? 40 Gb a month, apparently. So, we're off to a proper ISP, on their second-lowest usage tier: 200 Gb per month...

  19. Alan Brown Silver badge

    On the other hand

    There are some pretty good ISPs out there.

    _IF_ you're willing to pay an extra 10%.

    That 3-4 pounds per month is negligible if you have to spend hours dealing with obstructive phone operators (They're PAID to be obstructive, not to be helpful) when things break.

    I like my current ISP. When things break, I get to talk to a helpdesk who aren't tied to scripts and most of the time they have enough control of the tech shit to diagnose whatever's happening on the spot and deal with it (FWIW, every fault so far has been traced to "BT Openreach", but that's a rant for another day)

    My personal sore experiences with TT and BT as well as encountering them and other ISPs whilst supporting staff as part of $dayjob make me feel that an appropriately located thermobaric device would be the best treatment for that infection. Perhaps a "gas leak" can be arranged.
