TalkTalk CEO admits security fail, says hacker emailed ransom demand

Dido Harding, the chief executive of TalkTalk, has confessed her company should have done more to protect its customers' personal information, and has confirmed a seemingly related blackmail attempt. Harding told BBC News that she had personally received an email which included a ransom demand from "an individual or a group, …

  1. Anonymous Coward
    Anonymous Coward

    Aren't TalkTalk the lot that desperately wanted everyone to sign their porn register, I mean opt out of the net nanny scheme?

    1. RISC OS

      I'm pretty sure her colleagues call her...

      ...dildo hardon

      1. TheVogon

        Re: I'm pretty sure her colleagues call her...

        "...dildo hardon"

        dildo hardin surely?

        At least when she answered the questions for TV she was brave and sensible enough to admit that she didn't really have a clue what was taken and if it was encrypted.

  2. Vimes

    Didn't they sign an undertaking with the ICO a number of years ago as a result of similar issues? And that undertaking is still in effect?

    I wonder if the ICO will actually take meaningful action against them this time?

    1. Danny 14

      which also leads onto an interesting question, what about people who have previously been talktalk customers? Are their details (and CC/bank accounts) still held on the system?

      Whilst they might contact current customers, will they be contacting previous ones too?

      That's a nice 4 million mailshot earner for the franking machine.

      1. Allan 1

        It's my understanding that they are legally required to retain ex-customer details for a number of years after that customer leaves, in case the authorities need to investigate fraud / crime.

        1. yoganmahew

          @Allan 1

          They hardly need to do this on an internet facing system, though? Or have people forgotten that it is possible to not have every system accessible from everywhere?

        2. Duffaboy
          Facepalm

          Needless to say

          That being true, then why is it so easily accessible from the outside world?

      2. Chris King

        If they have retained customer details from the operations they have taken over, it's not just ex-TalkTalk customers in the firing line. What about former customers of...

        AOL (UK)

        Tiscali

        Pipex

        Nildram

        Tesco Broadband

        Virgin Media (ADSL)

        OneTel

        ...and possibly others I've forgotten about ?

        I will be SERIOUSLY miffed if I'm caught in the crossfire of this Charlie Foxtrot - I was a Nildram customer but escaped to AAISP nearly ten years ago, and had a OneTel dialup account before that. How long have they held on to ex-customer data, I wonder ?

        1. Doctor Syntax Silver badge

          @Chris King

          Like you I've been through the Nildram>Pipex>Tiscali route but I jumped ship nearly 6 years ago. A good deal of what they had will be stale by now, certainly I've changed bank since then. I doubt either of us would fall for a call claiming to be from their customer disservices - they never did anything after the Tiscali takeover so why expect them to be getting round to it now?

          In fact, after the Tiscali takeover their email support would have passed the Turing test - there was no way to tell whether it was human or a bot - but not in a good way.

      3. John Brown (no body) Silver badge
        Windows

        "who have previously been talktalk customers?"

        ...not to mention ex customers of ISPs which have been taken over by Talk Talk. I wonder how many people that might affect and if they have even a vague inkling that their bank account details might have been compromised?

        EDIT: I now see this topic has already been mentioned (and down voted? WTF?????)

  3. Anonymous Coward
    1. hatti

      Re: Dido Harding...

      I doubt she's dumb, just her office is where you will find the end of the buck if you follow it.

      Horrible week at work.

      1. Anonymous Coward
        Anonymous Coward

        Re: Dido Harding...

        "You got bucked!"

    2. Anonymous Coward
      Anonymous Coward

      Re: Dido Harding...

      There's no white flag above her door...

    3. Kubla Cant

      Re: Dido Harding...

      Remember me, forget my fate!

      1. Arctic fox
        Thumb Up

        Re: Dido Harding...

        Well done gentlemen - there is perhaps something to be said for some form of classical education!

        "When I am laid, am laid in earth, May my wrongs create

        No trouble, no trouble in thy breast;

        Remember me, remember me, but ah! forget my fate.

        Remember me, but ah! forget my fate."

    4. Uberseehandel

      Re: Dido Harding...

      bad taste, cheap clothes, posh name.

      what is wrong with this picture?

      sell the Talk talk customer base, sell the company, fire the D1D0

  4. Grubby

    SLA

    With an SLA like TalkTalk's the hacker will be lucky if she responds to the email this year.

    1. Fred Flintstone Gold badge

      Re: SLA

      With an SLA like TalkTalk's the hacker will be lucky if she responds to the email this year.

      I'm amazed that this blackmail email even got to her in the first place. :-)

      1. Vimes

        Re: SLA

        https://twitter.com/haveigotnews/status/657499167535800320

        1. Captain DaFt

          Re: SLA

          "https://twitter.com/haveigotnews/status/657499167535800320"

          Oh damn, that is priceless! I nearly choked laughing!

      2. Your alien overlord - fear me

        Re: SLA

        Probably her AOL account.

  5. future research

    Radio 4

    In the interview on Radio 4 this morning the person claimed it was too early to say if important customer data was encrypted (and there were millions of records, as if that was a reason).

    I therefore take the answer to be no, it was not encrypted.

    1. This post has been deleted by its author

      1. Vimes

        Re: Radio 4

        Why bother with that when ROT13 does the job?

        (nobody said it had to be *good* encryption...)

    2. Kubla Cant

      Re: Radio 4

      In the interview on Radio 4 this morning the person claimed it was too early to say if important customer data was encrypted (and there were millions of records, as if that was a reason).

      Record 1: not encrypted, record 2: not encrypted either, record 3: still not encrypted, record 4...

      You can see how this may take some time.

      1. allthecoolshortnamesweretaken

        Re: Radio 4

        Same methodology as this then

        http://dilbert.com/strip/1996-09-18

    3. MrWibble
      Facepalm

      Re: Radio 4

      Ars says "no"

      "Moreover, TalkTalk has confirmed to Ars that some of its customer data was stored in plaintext, i.e. not encrypted. The spokesperson admitted this was "not ideal,"

      http://arstechnica.co.uk/tech-policy/2015/10/talktalk-hit-by-significant-cyberattack-millions-of-customer-records-compromised/

      1. Dan 55 Silver badge
        Flame

        Re: Radio 4

        Ars also noticed that a) the AOL story saying this was Talk Talk's third hack this year was disappeared and b) Talk Talk owns AOL in the UK. That's the kind of company you want in charge of your personal data.

    4. Anonymous Coward
      Anonymous Coward

      Re: Radio 4

      SQL injection can bypass encrypted data. Though there's some data (e.g. passwords) that should be encrypted in a form that even the company itself can't access. And it wasn't because the passwords are out there in pastebin for all to see.

      I wish that I had never signed up with TalkTalk. I pay for everything via credit card normally. That affords me some protection. But with my TalkTalk business account they refused to accept credit card. They said I could change the payment information over to credit card later on but that they could not (read: would not) set up an account without bank details. And instead of backing out at that point and going through the entire selection and sign-up process again with a different provider, I let them have the bank details so they could have a direct debit. So now my name, bank details and a password (only used for TalkTalk) are out there because of these people.

      1. Anonymous Coward
        Anonymous Coward

        Re: Radio 4

        So, how is that important? They have the same details you give when you write a cheque for something to be delivered to your home address. And, like any sane person, you don't use the same password for your banking.

        1. Terry 14

          Re: Radio 4

          But they don't have your date of birth, the hackers have more than enough details for identity fraud.

        2. Cameron Colley

          Re: Radio 4

          @Anonymous Coward: "So, how is that important? They have the same details you give when you write a cheque for something to be delivered to your home address. And, like any sane person, you don't use the same password for your banking."

          You sound just like Jeremy Clarkson. Perhaps look into how well it went for him when he made his banking details public?

    5. hatti

      Re: Radio 4

      It can only take at max 3 seconds to check if data is encrypted.

      1. Look at first row of data your eyes lock onto.

      2. See familiar looking letters and numbers = not encrypted

      3. See weird looking squiggles and odd symbols = encrypted
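An added example (the editor's, not anything from the thread or from TalkTalk) that does hatti's eyeball test mechanically: Shannon entropy per byte separates plaintext from ciphertext, with the caveat that a database column usually holds hex or Base64 armour, which looks like "weird squiggles" to the eye but has entropy capped at 4 or 6 bits per byte and so needs decoding before the test means anything. The threshold values, the sample records and the SHA-256 keystream standing in for ciphertext are constructed assumptions.

```python
"""Byte-entropy triage for 'was this data encrypted?' (added example).

Shannon entropy per byte: English text and CSV sit around 4-5 bits, Base64
text tops out at 6, hex at 4, raw ciphertext or random bytes sit close to 8.
The thresholds, the sample records and the armour detection are assumptions
made for this example; nothing here is TalkTalk data."""
import base64
import binascii
import hashlib
import math
import re
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/newline/CR."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)


def unarmour(data: bytes):
    """Undo hex or Base64 armour so encoded ciphertext is not misread as
    low-entropy text. Returns the decoded bytes, or None if not armoured."""
    try:
        s = data.strip().decode("ascii")
    except UnicodeDecodeError:
        return None
    if len(s) >= 32 and len(s) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", s):
        return bytes.fromhex(s)
    if len(s) >= 32 and len(s) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        try:
            return base64.b64decode(s, validate=True)
        except (binascii.Error, ValueError):
            return None
    return None


def classify_record(data: bytes, threshold: float = 7.0) -> str:
    """'ciphertext', 'plaintext' or 'unclear' from entropy plus printability.
    Thresholds are assumed values that work for typical record sizes."""
    if not data:
        return "unclear"
    decoded = unarmour(data)
    if decoded is not None:
        data = decoded
    ent = shannon_entropy(data)
    if ent >= threshold:
        return "ciphertext"      # random-looking: encrypted (or compressed)
    if printable_ratio(data) > 0.95 and ent < 5.5:
        return "plaintext"       # familiar letters and numbers
    return "unclear"


# --- constructed samples (fictional people, fictional bank details) -------
PLAINTEXT_SAMPLE = b"\n".join([
    b"id,name,email,sort_code,account",
    b"1001,Jane Doe,jane.doe@example.net,12-34-56,12345678",
    b"1002,John Roe,john.roe@example.org,65-43-21,87654321",
    b"1003,Sam Poe,sam.poe@example.com,11-22-33,11223344",
] * 4)


def _keystream(seed: bytes, length: int) -> bytes:
    """Stand-in for ciphertext: a deterministic SHA-256 counter keystream, so
    the example needs no cipher library and runs reproducibly."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


CIPHERTEXT_SAMPLE = _keystream(b"example-seed", 2048)
ARMOURED_SAMPLE = base64.b64encode(CIPHERTEXT_SAMPLE)  # what a DB column often holds

if __name__ == "__main__":
    for label, sample in [("csv", PLAINTEXT_SAMPLE), ("raw", CIPHERTEXT_SAMPLE),
                          ("base64", ARMOURED_SAMPLE)]:
        print(f"{label:7s} entropy={shannon_entropy(sample):.2f} -> {classify_record(sample)}")
```

Without the `unarmour` step the Base64 sample scores just under 6 bits per byte and lands in "unclear": high enough to look encrypted to the eye, too low for the threshold. Compressed data also scores near 8, so a high score says "not readable as stored", not "encrypted with a sound cipher and a key the attacker lacks".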

  6. mark 120

    Lol. Selling data on the dark web isn't as profitable as it used to be? That's only if you look at it on a price per unit basis, because the market is flooded with details stolen from companies like TT. Overall it's still very profitable.

    Is it just me who thinks she needs a PR person telling her to shut up right now?

    1. MyffyW Silver badge

      Selling data isn't profitable?

      Wishful thinking, frankly.

  7. Flakey

    Whats the betting

    TT's cancellation department is in meltdown right now.

    1. Geoff May

      Re: Whats the betting

      Except that will not help them because the only real way of getting security would be to change banks, move house, change your name and try and get your date of birth amended. I wonder if TalkTalk customers can move to a different calendar to avoid future trouble ...

      1. Danny 14

        Re: Whats the betting

        it will help when they fuck up again though. Assuming you trust they take your details off their system.

    2. Kwales66

      Re: Whats the betting

      If you can get through to it - Almost impossible at best of times. I would just suggest ringing the new subscriber number and getting through to cancel that way. Has worked for me in the past ( not just for TalkTalk )

  8. Anonymous Coward
    Anonymous Coward

    relax

    Gubbmint keep telling us they have invested billions in cyberstuff to protect/spy on us

    Forget police dealing with burglary, muggings etc. cos they are all back in the station trying to figure out how to get back to that screen they had a minute ago sarge.

    Meanwhile private companies have taken this as a sign they can go to sleep and just let the boys in the big doughnut nerve centre advise them after the fact.

    1. Lysenko

      Re: relax

      <sarc> Strange she didn't mention her company commitment to increasing the salaries, staffing levels and overall budget of the IT security section every year. </sarc>

  9. Richard Tobin

    Ransom demand

    Can they really have only received one ransom demand?

    1. seanj

      Re: Ransom demand

      Well, if as she says, she is a Talk Talk user too, then the rest are probably still lost in the intertubes somewhere and should arrive tomorrow sometime.

    2. Doctor Syntax Silver badge

      Re: Ransom demand

      "Can they really have only received one ransom demand?"

      No, but only one's genuine. They're trying to work out which it is.

  10. Peter Kavanagh.

    Ongoing, definitely not new

    Someone in earlier article comments mentioned they knew of instances of attempted phishing calls, where the scammers had worryingly detailed knowledge of the target's TalkTalk account information.

    On a phone-in to LBC on Monday someone called in with a very similar story of a call - "we understand you've had problems with our broadband service" (customer had indeed experienced this) ", so we would like to refund you some money, just need to check the payment details...".

    Either inside information or clear confirmation that account details have been compromised in earlier attacks.

    1. Old Tom

      Re: Ongoing, definitely not new

      I had a long call from 'TalkTalk' last week, sounded like India. They knew my name and number, address and TalkTalk account number, and were trying to persuade me to let them fix the errors on my broadband. I assumed it all came from the February breach.

  11. Grubby

    Ransom Note

    The hacker decided to blackmail Talk Talk after realizing that the combined value of TalkTalk customers' available credit was a fiver. They've offered to give it back in exchange for a 6 month Sky Sports Boost.

  12. seanj

    Unlikely to be the real culprit.

    If Talk Talk received the email today, it was probably a ransom demand for the previous breach...

  13. Anonymous Coward
    Anonymous Coward

    Their website says this:

    "- TalkTalk will NEVER send you emails asking you to provide your full password. We will only ever ask for two digits from it to protect your security."

    So, they didn't hash peoples passwords ... oh dear :(
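The two comments above (passwords should be stored so that the company itself cannot read them; "we only ever ask for two digits" implies they are not) come down to one property of a salted, slow one-way hash: it can answer "is this the whole password?" but not "what is digit 3?". The following is an added example, the editor's own and not TalkTalk's code, showing PBKDF2 storage and verification, the partial-digit check that forces reversible storage, and the residual risk a hashed dump still carries against weak passwords. The iteration count, salt size, record format and word list are assumptions.

```python
"""Password storage done so that a breach yields no passwords (added example).

The 'we only ever ask for two digits of your password' flow needs the password
back in the clear on every login, so it is held either as plaintext or
reversibly encrypted with a key the application holds. A salted, slow one-way
hash cannot answer 'what is character 3?', which is the point. Iteration
count, salt length, record format and the word list are assumptions."""
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000   # assumed; tune upwards for production, and prefer a
                       # memory-hard function (scrypt, Argon2) where available


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'. A fresh random
    salt per user means equal passwords do not produce equal records."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = stored.split("$")
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def verify_partial_digits(clear_password: str, positions, digits) -> bool:
    """What a 'digits 2 and 7 of your password' check has to do: index into
    the password itself. Only possible if `clear_password` is recoverable,
    i.e. the store is plaintext or reversibly encrypted. There is no way to
    write this function against the record hash_password() produces."""
    return all(clear_password[p - 1] == d for p, d in zip(positions, digits))


def dictionary_crack(stored: str, wordlist) -> Optional[str]:
    """Residual risk a hashed dump still carries: each guess costs the full
    iteration count, but a weak password still falls to a short list."""
    for candidate in wordlist:
        if verify_password(candidate, stored):
            return candidate
    return None


# Constructed demo word list; nothing here comes from any real breach.
DEMO_WORDLIST = ["letmein", "qwerty", "password1", "talktalk2015"]

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)                                                   # salt and hash only
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_partial_digits("s3cr3t99", (2, 7), ("3", "9")))    # True, needs the clear text
    print(dictionary_crack(hash_password("password1"), DEMO_WORDLIST))  # password1
    print(dictionary_crack(record, DEMO_WORDLIST))                      # None
```

A leaked `record` gives an attacker the salt and the PBKDF2 output, nothing the partial-digit flow could use; the cost of the hash is what slows the dictionary run, and a memory-hard function raises that cost further. Hashing does not rescue weak passwords, which is why the dictionary function is in the example.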

  14. Daniel Hall
    Flame

    http://help2.talktalk.co.uk/oct22incident

    http://help2.talktalk.co.uk/oct22incident

    Waiiiit for it......

    ""We'd like to reassure customers that we take the security of your data very seriously. We constantly review and update our systems to make sure they're as secure as possible"

    lolz

  15. circusmole

    The brass neck...

    ...of people like her never ceases to amaze me. It was HER JOB to make sure that customer data was secure - it's called good governance. If she had a shred of decency she would first say, words to the effect of "I personally fcuked up big time, I didn't do my job properly" and then say "I am resigning with immediate effect and I will refuse to take my obscene golden parachute and also my overly inflated bonus payment. Goodbye".

    Well, I can dream can't I?

    1. Duffaboy

      Re: The brass neck...

      Another example of the under qualified in a senior position.

  16. Lallabalalla

    Said it before - will say it again

    TalkTalk - Worst. ISP. Ever.

  17. Anonymous Coward
    FAIL

    20:20 hindsight...

    Talk Talk could have put money into Marketing or info sec. Obviously they chose marketing.

  18. pointyhairmanager

    Ignorance across the Board!

    It is a telecoms company, so you would think there would be executive IT or technical presence on the board would you not. Or at least someone who might know something about the technology behind this (since the CEO obviously does not). Not so! Ms Harding's lamentable level of ignorance of all things technical seems to be echoed across the board - at least the executive board. The wider non-exec "jobs for the boys" board does include someone whose day job is being CTO for Nielson, but there seems to be no executive responsible for things technical. At least not in their job title.

    It would not be quite so bad if this were the first time Talk Talk had been targeted and found wanting on the security front. But alas it is not as you can see earlier this year in http://www.theguardian.com/money/2015/mar/14/talktalk-fraud-victim-compensation-data-theft-responsibility

    If it turns out to be as bad as it seems, it is frankly time the ICO got serious with rogue companies like Talk Talk who either cannot or will not take the security of their customers' data seriously. And the CEO of this shambolic enterprise should surely be fired immediately: To lose one's data once is unfortunate; to lose it twice is careless.

    1. circusmole

      Re: Ignorance across the Board!

      I would not be surprised if a Talk Talk board meeting went something like...

      CEO: Where are we with customer data security?

      CTO: Funny you should mention that, I bumped into The Head of IT yesterday. He's a difficult bugger to track down sometimes (general titters and laughter around the room). I asked him the very same question and he said that all was fine.

      CEO: Good. That's what I like to hear. Next item on the agenda...

    2. Duffaboy
      Joke

      Re: Ignorance across the Board!

      Moss: Did you notice how she didn't even get excited when she saw this original ZX81?

      Roy: Yeah, that was weird. It's almost as if she doesn't know anything about computers.

      Moss: What?! (Drops mug)

      Roy: What're you doing?!

      Moss: Oh, don't worry. That's why I always make two cups of tea. (Picks up another mug) Anyway, what were we talking about?

      Roy: Her not knowing anything about computers.

      Moss: WHAT?! (drops mug)

  19. Anonymous Coward
    Anonymous Coward

    The fact someone has scanned them for PCI-DSS is criminal

    Using any tool not permitted or authorised to gain access and information on a computer system is in itself a serious crime but I guess no one told High-Tech Bridge that?

  20. Anonymous Coward
    FAIL

    Is she sorry enough to step down?

    Didn't think so ...

  21. SVV

    BBC news just reported it was a SQL injection attack

    Basic coding standards have been able to guard against this for 15+ years, so there's really no excuse.

    (If you don't know what this is, it's basically down to lazy coding whereby attackers simply enter parts of a database query into a text field, causing more data to be returned than should be.)

    Sounds like yet another company preferring youth to experience and paying the price yet again.

    1. steogede

      Re: BBC news just reported it was a SQL injection attack

      Do you honestly think that anyone here doesn't know what SQL injection is?

      > Sounds like yet another company preferring youth to experience and paying the price yet again.

      Just as likely that it was a very experienced lazy idiot, in fact probably more likely. If it were written by some inexperienced young 'un, they'd probably be using some trendy framework that made SQL injection very difficult.

      1. Allan George Dyer
        Coat

        Re: BBC news just reported it was a SQL injection attack

        Yeah, everyone knows that a SQL injection attack is a method for choosing names for your children.

      2. Duffaboy

        Re: BBC news just reported it was a SQL injection attack

        Another fine example of management not listening to the Techys..

        Jen: With all due respect John, I am the head of IT and I have it on good authority that if you type "Google" into Google, you can break the Internet. So please, no one try it, even for a joke. [the executives laugh] It's not a laughing matter. You can break the Internet.

  22. unwarranted triumphalism

    This is intolerable

    Another few security breaches like this and I'm going to think about changing my ISP.

    1. Anonymous Coward
      Anonymous Coward

      Re: This is intolerable

      Yeah it's really like a kick in the teeth or a hangover every single morning.

  23. Steve 53

    The state of the SSL/TLS Stack

    While the TLS stack isn't compliant with PCI-DSS 3.1, it doesn't need to be until June 2016. 3.1 is relatively recent, and organisations have some time to bring themselves into compliance.

    The only thing the audit picks up on the PCI side is a SHA1 certificate, which will most likely be fixed on renewal.

    The report flags Camellia as not a NIST standard, which is true - it tends to be preferred in Europe / Asia.

    PFS is available.

    As High-Tech says, A rating, and a good indication that TLS has been configured by hand for security, or that they've done pretty well out of the box. Total red herring as far as "indications of the security culture" is concerned.

    Now, why an SQL attack (if that is the case - my level of trust in Rory Cellan-Jones is rather low...) was possible is another matter. You'd hope coding techniques and libraries have sorted this problem. At the very least a PCI mandated Web Application Firewall should have caught that sort of attack (WAF is, of course, a safety net - not an excuse for poor coding), assuming it was put in and turned on...
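Added example, the editor's and not TalkTalk's code, for the SQL injection explanation earlier in the thread and for Steve 53's point that a WAF is a safety net rather than a fix: the same lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table, plus a naive pattern-matching "WAF" that catches the textbook payloads and misses a trivially obfuscated one. Table contents, payloads and patterns are constructed for the example.

```python
"""SQL injection: the lazy query, the parameterised one, and why a WAF is only
a safety net (added example, not TalkTalk's code). SQLite in memory with
constructed, fictional customers; the payloads are textbook ones."""
import re
import sqlite3

CUSTOMERS = [  # constructed, fictional
    (1001, "jane.doe@example.net", "Jane Doe", "12-34-56", "12345678"),
    (1002, "john.roe@example.org", "John Roe", "65-43-21", "87654321"),
    (1003, "sam.poe@example.com", "Sam Poe", "11-22-33", "11223344"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, "
                 "name TEXT, sort_code TEXT, account TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email: str):
    """String building: the user's text becomes part of the SQL grammar, so a
    quote in it ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT name, sort_code, account FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email: str):
    """Parameterised: the driver passes the value separately from the query
    text, so it can only ever be compared, never parsed."""
    return conn.execute(
        "SELECT name, sort_code, account FROM customers WHERE email = ?",
        (email,)).fetchall()


# Textbook payloads.
PAYLOAD_TAUTOLOGY = "' OR '1'='1"                                    # returns every row
PAYLOAD_UNION = "' UNION SELECT name, sql, type FROM sqlite_master --"  # reads the schema
PAYLOAD_OBFUSCATED = "'/**/OR/**/'1'='1"                             # C comments for spaces

# A naive signature 'WAF' of the kind that sits in front of a site: the
# patterns are assumed for the example, not taken from any real product.
WAF_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"'\s*or\s*'", r"\bunion\s+select\b", r"--")]


def naive_waf_blocks(value: str) -> bool:
    """True if any signature matches; the obfuscated payload slips through
    because SQLite treats /**/ as whitespace and the signature does not."""
    return any(p.search(value) for p in WAF_PATTERNS)


if __name__ == "__main__":
    conn = build_db()
    cases = [("benign", "jane.doe@example.net"), ("tautology", PAYLOAD_TAUTOLOGY),
             ("union", PAYLOAD_UNION), ("obfuscated", PAYLOAD_OBFUSCATED)]
    for label, payload in cases:
        print(f"{label:10s} waf_blocks={naive_waf_blocks(payload)!s:5s} "
              f"vulnerable={len(lookup_vulnerable(conn, payload))} rows "
              f"safe={len(lookup_safe(conn, payload))} rows")
```

The parameterised lookup returns nothing for every payload because the whole string is compared against the column; the concatenated one returns every customer for the tautology and the table definition for the UNION. The signature filter stops both textbook strings and misses the comment-obfuscated one, which the concatenated query still executes: the filter lowers the noise, the bound parameter removes the bug.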

  24. John Munyard

    According to reports on Radio 4 this afternoon this wasn't even a particularly complex attack, comprising a DDoS attack with an SQL injection... something that 90% of amateur script-kiddies know how to do.

    Now cyber security is a big issue, but as a Talk-Talk customer myself you really have to question the basic competence of what is one of the UK's major ISPs that they have not only managed to have their pants pulled down around their ankles so easily, but also how that came to happen successfully after two previous similar attacks during the past year.

    What a bunch of f**king clowns. The woman CEO of Talk Talk should be incarcerated for presiding over such interstellar levels of corporate incompetence.

  25. Anonymous Coward
    Anonymous Coward

    Birds of a feather?

    I see the Dido Harding (CEO) has an MBA and read PPE, Olivia Streatfeild (Commercial Director) has an MBA and read Political Science and Government.

    I wonder if -

    1) They didn't care for anyone 'mansplaining' that TalkTalk's IT blew chunks?

    2) They knew little about IT and cared less?

    1. Tim J

      Re: Birds of a feather?

      The inferred misogyny of this and other comments is just such bollocks.

  26. Anonymous Coward
    Facepalm

    The guilty are all on LinkedIn..

    Won't name names, but someone is (was?) 'creating an innovative architecture capability at TalkTalk whilst working on a strategic lean and agile transformation.'

    innovation + transformation + lean + agile = epic fail

    1. Anonymous Coward
      Anonymous Coward

      Re: The guilty are all on LinkedIn..

      You have to admit that this could have been a contender...

  27. cyrus

    I hope...

    the criminal investigation of this breach is focusing on the lack of security and therefore may expose TalkTalk as the real culprit.

    On one hand, I hate the hacking we all hear about every day. On the other, when hacks expose embarrassing security fuck ups made by people who should know better, I can only hope other corporate entities take notice.

    Ultimately, hanging Dido out to dry in a criminal court for negligence is probably the only thing that might make them take notice. If Safe Harbor is illegal, then surely this level of technical stupidity should be criminal as well.

  28. thomas k

    e-mailed ransom demand?

    from extortionist72@gmail.com?

  29. Joe Montana

    Lack of PCI compliance?

    The SSL checker indicates they are not PCI compliant purely because of their cert being SHA-1 signed, but many cert authorities still provide such certs for the time being, and there are plenty of old certs out there too.

    As for other aspects of the standard, just requiring strong encryption isn't enough, you have to actually be using it properly. Encryption is pointless if the key is held on the same host, and the data can't be used if it can't be decrypted.

    Many implementations comply with the standard by encrypting the data, but then provide a way to access it, therefore bypassing the encryption... Many of the people who assess PCI compliance are just box tickers and have no understanding of the actual technology, so if you store your data on an encrypted volume that's automounted at boot that will often be sufficient to pass but in reality has not improved your security at all because anyone who compromises the host will be able to access the data anyway.

  30. Daniel Bower

    Surely she has to go...

    Interviewer: was the data encrypted?

    Dildo: honestly? I don't know...

    That alone should seal her fate for two reasons:

    One for not knowing and two for not categorically being able to say yes.

    As to her comment that all companies face these threats day in day out. Yes they do but most, particularly at companies of this size, do so much better at dealing with them...

  31. achillesneil

    I reckon they they have stolen all the personal data, but probably not the bank account details.

    I had a new TalkTalk line put in a couple of weeks ago, hardly gave anybody my new phone number, and I just had a scam call. Somebody phoned me up, asked for me and said he was calling from TalkTalk, asked me, he knew my exact name, then asked me to confirm my name and User Id. I said if you already know my name, why the hell are you asking me that question. Then he hung up.

    I hope they salted our bank details. Or else this will be a major f**k up of all proportions. Even I know how to minimise SQL injections.

  32. Maldax

    Firewall Bank Accounts

    I think it's getting to the time to have a firewall bank account. With just enough in it to pay these F***wits as no one seems to be able to protect even basic information!

  33. Duffaboy
    Joke

    To Quote the It Crowd

    Jen (Dido): With all due respect John, I am the head of IT and I have it on good authority that if you type "Google" into Google, you can break the Internet. So please, no one try it, even for a joke. [the executives laugh] It's not a laughing matter. You can break the Internet.

  34. Youngdog

    As a customer of these clowns

    The only thing they're going to get from me is I watch a lot of Black Books and The IT Crowd. These idiots couldn't even get my mobile number right.
