TalkTalk attack: 'No legal obligation to encrypt customer bank details', says chief

TalkTalk continued on its quest to be painted merely as a victim of crime today, while the budget ISP's website remained offline following a huge attack on its business earlier this week. In an interview with the Sunday Times, Harding said that her company was under no "legal obligation" to encrypt sensitive customer data, …

  1. Fullbeem

    Holy sh*t. They have no legal obligation to encrypt customers data!!

    Can see the CEO and CIO losing their jobs and Talk Talk being taken to the cleaners.

    Surely the data protection act must have something they can pin on them here about protecting the data they hold about their customers.

    1. a_yank_lurker

      It probably depends on the interpretation by the regulatory agencies. Oftentimes business will do exactly or a little more than the regulatory agencies require whether or not it makes any moral or ethical sense. The Titanic actually carried more lifeboat capacity than required by the UK Board of Trade when she sailed in 1912. Obviously the regulations were outdated and inadequate. Probably have the same situation here; obsolete regulations being enforced without review or revision. They will stay in force until a massive enough breach forces regulatory or statutory changes.

      1. Alan Brown Silver badge

        "The Titanic actually carried more lifeboat capacity than required by the UK Board of Trade when she sailed in 1912"

        The irony there is that as originally designed the Titanic/Olympic had enough lifeboats for everyone, but they were deleted because they "spoiled the lines of the ship" and because it was felt that many lifeboats would make the upper-deck passengers uneasy.

        TalkTalk has never had enough security in place or planned. Even a cursory glance at the issues of outsourcing and the vulnerabilities it exposes the company to (lowly paid workers being paid off by gangs to leak data, etc) shows that they're not paying attention to anything except pennies coming in the door.

        Security has _always_ been regarded as a cost centre until it's too late. "No return on investment" rules supreme and there's no such thing in business as "Cost Of Not Investing"

    2. jonathanb Silver badge

      Encryption is only effective if the key is secure. If the system needs access to the data so that customers can view their accounts and change those details they are allowed to change, for example the bank or card they want to use to pay their charges, the billing system can allocate charges to the correct place, and the collection system can collect the money every month, I'm not convinced that encrypting the data would help that much.

      1. Adam 1

        Whilst key management is the Achilles heel of encryption systems, it does remove a lot of attack vectors like second hand hard drives and lost backup tapes. Even if they are legally in the clear, a breach like this can take down a company. Setting aside the ethical constraints of caring for your customers' data, it is at the lowest common denominator still a good idea.

      2. itzman

        Re: encryption doesn't help?

        The point is really whether the database itself is compromised, or the code that accesses it.

        If the database is compromised but the codebase is secure, then keys in the code are secure, and the database is worthless.

        It is even possible to locate the key somewhere else in a hidden file so that even if the code is known, the key is not.

        Nothing is secure on a rooted machine, but a lot can be made secure on a machine that is not rooted. But is still hacked.

        The point about SQL injection is that it exposes some or all of the tables, not the code base or the machine's total file system.

        1. Kubla Cant

          Re: encryption doesn't help?

          The point is really whether the database itself is compromised, or the code that accesses it.

          I was staggered to hear that this is apparently a SQL injection attack. FFS, it's 2015, and a major web site that handles personal financial details is vulnerable to an attack vector that was old news in 2005.

          I can sort-of see the point about no legal obligation to encrypt. Most of the information they hold is strictly speaking public. Your name and address are on every letter you receive, your card numbers are available to anyone you pay using a cut-out coupon or old-fashioned card machine, your bank details are on every cheque you write.

          In the days of paper transactions, none of this really mattered. Nowadays this public information is supposed to be kept secret. It's security by obscurity on a global scale.

          1. LucreLout

            Re: encryption doesn't help?

            @Kubla Cant

            I was staggered to hear that this is apparently a SQL injection attack. FFS, it's 2015, and a major web site that handles personal financial details is vulnerable to an attack vector that was old news in 2005.

            It has been old news for rather longer than that. Unfortunately, we as an industry continue to have inexperienced developers with planet-sized egos, which reduces the opportunity to apply collective industry knowledge correctly. Couple that with low-skilled offshorians, low-skilled management, and it's a recipe for unending disaster.

            I can sort-of see the point about no legal obligation to encrypt. Most of the information they hold is strictly speaking public. Your name and address are on every letter you receive, your card numbers are available to anyone you pay using a cut-out coupon or old-fashioned card machine, your bank details are on every cheque you write.

            Yes, sort of, but how many people have that data in one place? Taking that data and exposing it to every tech-savvy miscreant around the globe is rather different to the risk of Dodgy Dave intercepting my mail. Especially since in this case taking the risk is needless - it's purely a competency issue or a penny-pinching one.

          2. Adam 1

            Re: encryption doesn't help?

            > I was staggered to hear that this is apparently a SQL injection attack.

            Er, you may not want to check out the OWASP top 10.

            The worst part of most* SQL injection attacks is that you can use Google to find web pages that are built with frameworks that don't support parameterised queries. Once you find one, there are programs that automate the data extract.

            * OK, I can't prove this represents most, but it is tremendously easy to find and there are a lot of them.

    3. LucreLout

      @fullbeam

      Holy sh*t. They have no legal obligation to encrypt customers data!!

      She is in all probability correct, purely from a legal standpoint.

      I would expect that her customers could make a reasonable case of breach of contract, due to her company not securing their data in line with reasonable expectations (you will be hacked, your data will be leaked, the only thing you can do about it is encrypt it properly), and walk away from their contracts.

      TalkTalk will make much sound and fury about not being able to do so, but let's face it, they can't sue everyone, and if they start affecting your credit rating, you suing them will in all likelihood produce a swift settlement.

      I've been down this road before with a mobile provider (not Talk Talk, and not due to data leaks), and the issue was resolved, firmly in my favour, within 3 weeks of issuing court proceedings.

      1. Vic

        I've been down this road before with a mobile provider (not Talk Talk, and not due to data leaks), and the issue was resolved, firmly in my favour, within 3 weeks of issuing court proceedings.

        I've been down this road with an ISP. After much bluster, they sent me a cheque a couple of days before we were due to go to court...

        Vic.

    4. TheVogon

      ""It wasn't encrypted, nor are you legally required to encrypt it," she told the newspaper. "We have complied with all of our legal obligations in terms of storing of financial information.""

      Let's see what the Data Protection Registrar has to say about that!

      "But the company did reveal that some credit card information had been snatched."

      If they in any way stored the 3 digits from the back of the card then they broke PCI-DSS rules - which are a legally binding contract.

    5. Oh Homer

      TalkTalk "Doing a Ratner"

      Even if it's true (which I sincerely doubt), existing (and potential) customers won't especially care that TalkTalk isn't "legally obligated" not to be a bunch of cowboys, and will vote with their wallets.

      The cavalier attitude alone will probably send them running for the hills, if not the security risk itself.

      Personally I've always suspected that any company that spams as aggressively as TalkTalk is highly dubious. This is merely confirmation.

      Goodbye TalkTalk.

      1. Alan Brown Silver badge

        Re: TalkTalk "Doing a Ratner"

        "Personally I've always suspected that any company that spams as aggressively as TalkTalk is highly dubious."

        Virgin are still dumping stuff in my mailbox despite being served with legal notice to cease and desist. Make of that what you will.

    6. Alan Brown Silver badge

      "Surely the data protection act must have something they can pin on them here"

      There is. Losing personal data exposes them to _private_ legal action - and the court of appeal has upheld that claims can be for distress as well as actual monetary losses.

      If 40,000 people all sue for £500 each, it'll make the ICO fine look like peanuts, just in the legal bills TT will run up, let alone the actual settlements.

  2. John H Woods Silver badge

    Does there need to be an obligation to "encrypt" ?

    "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

    --- UK Data Protection Act

    In what way is that not an obligation to encrypt?

    1. Warm Braw

      Re: Does there need to be an obligation to "encrypt" ?

      I was about to make a similar point. If you're predominantly a paper-based organisation, it might be acceptable to store your sensitive documents at the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying beware of the leopard. However, if you have electronic data on 400,000 people who have recently undergone credit checks it's hard to imagine any effective technical measure that did not include encryption.

    2. This post has been deleted by its author

      1. Anonymous Coward

        Re: Does there need to be an obligation to "encrypt" ?

        No, the ICO will decide because it will never come to court. It isn't just the encryption but the other things - is this the third time this year customer data has been stolen?

        My guess is that the ICO will slap nearly their maximum half a million pound penalty on Talk Talk with 20% discount if they pay within 30 days. This is a trivial penalty for a corporation that size and they will instantly pay because their top priority is to kill the news story.

    3. Doctor Syntax Silver badge

      Re: Does there need to be an obligation to "encrypt" ?

      Irrespective of what constitutes "appropriate", given the circumstances, it must surely be difficult to argue that whatever measures were taken met the criterion.

      1. Destroy All Monsters Silver badge

        Würst effort!

        Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

        1) Database has password

        2) Backups exist

        3) Monthly audit that access is not done by Rogue Sysadmin and stuff is not being used for spamvertisements

        4) Someone is called "Security Officer"

        FULFILLED!

        1. Anonymous Coward

          Re: Würst effort!

          Where did you get our Data Protection Act compliance statement from?

    4. Proud Father

      Re: Does there need to be an obligation to "encrypt" ?

      PCI DSS

      https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

      They could be punished by Visa/Mastercard and have their credit card acquirer status removed.

      1. Anonymous Coward

        Re: Does there need to be an obligation to "encrypt" ?

        For those on direct debit.... perhaps it is time to change banks? There is also a lot to be said for having a single use code for each new DD transaction rather than churning out full account details to companies that store all your data in so reckless a manner. Direct Debit v2.

        1. Anonymous Coward

          Re: Does there need to be an obligation to "encrypt" ?

          You might also advise your mother in law to change her maiden name

          1. damian Kelly

            Re: Does there need to be an obligation to "encrypt" ?

            I never used my mothers maiden name. It was a shade embarrassing to tell the bank that my mothers maiden name was "Mother Fucker Cunt" when authenticating on the telephone banking. It never occurred to me they would use the same string for internet banking as telephone banking........

      2. Gordon 10

        Re: Does there need to be an obligation to "encrypt" ?

        PCI-DSS only covers credit cards so Talk Talk are technically correct about not having to encrypt Bank Account details. I suspect however they are going to be part of the case law that leads to Bank account details being encrypted as "reasonable" under the data protection act.

        1. Anonymous Coward

          Re: Does there need to be an obligation to "encrypt" ?

          PCI-DSS are the set of requirements used by visa and mastercard, which includes debit and credit cards. The requirements vary depending upon what you are doing with the card data.

          Card holder data needs to be protected, card holder data is card number, cvc2 and expiry, name address etc if accompanied with any of the actual card data, along with track data and pin if you are in card production (what I am, along with fraud detection).

          Card holder data needs to be encrypted, allowed encryption and minimum key lengths are provided in the PCI-DSS requirements. The card number itself can be tokenised, allowing processing to be done with the tokenised card number, along with a partial card number so that the card type and which card (for end user) can be recognised. This token then can be used when payment processing is required by a separate system.

          Key encryption keys are to be stored securely for example within an HSM.

          Card data should only be decrypted when needed. Full card number should never be visible to any user.

        2. Alan Brown Silver badge

          Re: Does there need to be an obligation to "encrypt" ?

          "PCI-DSS only covers credit cards"

          There are similar rules in the banking sector covering direct debits. I suspect TT's financial side are going to find their nuts gently roasting in a fire before Christmas.

    5. Richard Jones 1

      Re: Does there need to be an obligation to "encrypt" ?

      Fortunately there is no obligation to use Talk Talk.

      1. Omgwtfbbqtime

        "Fortunately there is no obligation to use Talk Talk."

        SWMBO and I are moving house soon - to an area not serviced by Vm. (Had very few problems with Vm over the last 10 years - YMMV).

        We are actively considering (trying to work out who will shaft us least) between the major TV/BB/phone suppliers left.

        TalkTalk are now definitely off the list.

    6. Adrian Midgley 1

      In what way do you assert that excerpt requires

      encryption?

      Or indeed any specific technical approach.

      As remarked above, the system that contains the data must also contain a means to access the data.

      As remarked elsewhere, when we think encryption is the answer we probably do not understand encryption, or our problem.

      1. Anonymous Coward

        Re: In what way do you assert that excerpt requires

        Given that PCI compliance specifically requires encryption and is the industry standard (and contractually demanded by visa/mastercard). I think they will have a hard time claiming that anything less was 'appropriate'.

      2. itzman

        Re: In what way do you assert that excerpt requires

        Just because there is a way to access the data, doesn't invalidate encrypting it. I.e. the ability to access your OWN data does not mean you can access everyone elses.

        What good encryption does is to ensure that someone who copies the entire database alone cannot get access to reams of data.

        However there is a downside to encrypting all of the customer data. SQL queries no longer work on fields that are encrypted.

        And if you build the ability to search the encrypted database into the SQL level, then once again you are vulnerable to SQL injection.

        1. Freimer

          Re: In what way do you assert that excerpt requires

          There are products that offer searchable encryption. And, just because you are theoretically vulnerable to SQL injection does not mean you actually are. It has been a very long time since the ability to protect against SQL injection was widely known. It is only lazy or incompetent web developers that don't know how to properly validate user input and quote data that are still vulnerable.

          Searchable data masking and SQL injection sound like excuses to me...
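The design itzman, Kubla Cant and Adam 1 argue over above (keys held by the application rather than the database, SQL injection exposing tables but not the code, and the loss of SQL search over encrypted fields that Freimer answers with searchable encryption) can be shown in a few dozen lines. The following is an added example, not code from the original thread or from TalkTalk. It assumes only the Python standard library, so an HMAC-SHA256 counter-mode construction with an encrypt-then-MAC tag stands in for AES-GCM, the keys are generated in-process as a stand-in for a KMS or HSM, and the two customer records are constructed sample data. Equality search over the encrypted column is done with a keyed "blind index" (an HMAC of the normalised value), which is the simplest form of the searchable encryption Freimer mentions.

```python
"""Added example: application-layer encryption with a keyed blind index, beside the
SQL injection it is meant to survive. Standard library only: the HMAC-SHA256
counter-mode cipher below stands in for AES-GCM, which you would use in practice."""
import hashlib
import hmac
import os
import sqlite3

# Constructed demo keys. In a real deployment they come from a KMS or HSM and are
# held by the application tier, never in the database that stores the ciphertext.
MASTER_KEY = os.urandom(32)
ENC_KEY = hmac.new(MASTER_KEY, b"enc", hashlib.sha256).digest()
MAC_KEY = hmac.new(MASTER_KEY, b"mac", hashlib.sha256).digest()
IDX_KEY = hmac.new(MASTER_KEY, b"idx", hashlib.sha256).digest()


def _keystream(nonce: bytes, length: int) -> bytes:
    """PRF counter mode: HMAC(ENC_KEY, nonce || counter) blocks, truncated to length."""
    blocks = [hmac.new(ENC_KEY, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt(plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(nonce, len(plaintext))))
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(nonce, len(ct))))


def blind_index(account_no: str) -> str:
    """Keyed hash of the normalised value. Lets the app do exact-match lookups on an
    encrypted column; a dump of the table yields neither the key nor the numbers."""
    return hmac.new(IDX_KEY, account_no.replace(" ", "").encode(), hashlib.sha256).hexdigest()


# Constructed sample customers: (name, sort code, account number).
CUSTOMERS = [("alice", "12-34-56", "12345678"), ("bob", "65-43-21", "87654321")]


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (name TEXT, account_idx TEXT, account_blob BLOB)")
    for name, sort_code, acct in CUSTOMERS:
        conn.execute("INSERT INTO accounts VALUES (?, ?, ?)",
                     (name, blind_index(acct), encrypt(f"{sort_code} {acct}".encode())))
    return conn


def find_by_name_vulnerable(conn, name: str):
    """String-built query: passing the name  ' OR '1'='1  returns every row."""
    sql = f"SELECT name, account_blob FROM accounts WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_by_name_safe(conn, name: str):
    """Parameterised query: the same payload is just a name nobody has."""
    return conn.execute("SELECT name, account_blob FROM accounts WHERE name = ?", (name,)).fetchall()


def find_by_account(conn, account_no: str):
    """Legitimate app path: look up by blind index, decrypt with the app-held key."""
    rows = conn.execute("SELECT name, account_blob FROM accounts WHERE account_idx = ?",
                        (blind_index(account_no),)).fetchall()
    return [(name, decrypt(blob).decode()) for name, blob in rows]


def leaks_plaintext(rows) -> bool:
    """True if any dumped row carries an account number in the clear."""
    return any(acct.encode() in blob for _, blob in rows for _, _, acct in CUSTOMERS)
```

Run the injection payload through `find_by_name_vulnerable` and every row comes back, which is itzman's "some or all of the tables"; but because the key never left the application, `leaks_plaintext` is false and the dump is ciphertext plus opaque index values. The price is exactly the one itzman names: only equality lookups through `blind_index` work, and range or substring queries over the encrypted column do not.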

    7. ThorWarhammer

      Re: Does there need to be an obligation to "encrypt" ?

      When you 'read between the lines' and it doesn't say encrypt, so you stoop to the level of total douchebaggery and don't encrypt it, thus blaming the powers that be for not stipulating "thou shalt encrypt your clients' sensitive data"

      and blame a DDOS attack for the loss, remain utterly clueless and worry about the share price not the punters you serve

      Thank Drokk I am not and have never been a talk talk customer

    8. gnasher729 Silver badge

      Re: Does there need to be an obligation to "encrypt" ?

      That UK Data Protection Act is not an obligation to encrypt - it is an obligation to take appropriate measures, which clearly Talk Talk failed to do. They are free to store customer data on unencrypted punched cards, stored in a room guarded by two guys with machine guns. That would seem safe to me.

      1. Terry 6 Silver badge

        Re: Does there need to be an obligation to "encrypt" ?

        As long as the guards aren't outsourced and haven't come from one of those companies that provide fake credentials.

      2. just another employee

        Re: Does there need to be an obligation to "encrypt" ?

        It is very easy to throw bricks through windows here. What we really need is an expert to define some things....

        ..what encryption? Algorithm? Key length? Protocols?

        ..and implementations that would actually make use of the data that is encrypted? User access controls? Key management security? Multi-user access (in a world of web, many users per one application is common, you know)...

        Just saying.

        I am not defending Talk Talk as I do not know the full attack vector.

        However,

        Is it the drivers fault if the car manufacturer allowed a faulty batch of emissions control modules to be installed ?

    9. Anonymous Coward

      Re: Does there need to be an obligation to "encrypt" ?

      Kinda sorta like "Obviousness" to a "Practitioner of the Art" in patent law here. It's patently obvious (tongue firmly in cheek) that effective encryption and ACL's should be involved in any solution that comes from these hands but... It's for a court to decide.

    10. Grimsterise

      Re: Does there need to be an obligation to "encrypt" ?

      It is if you would rather spend money on lawyers than your IT.

    11. Anonymous Coward

      Re: Does there need to be an obligation to "encrypt" ?

      That in absolutely no way translates to an obligation to "encrypt"? This is much more to do with internal policy on access to data and how the public facing components are designed using industry standard methods to protect from unauthorised access to the data. If they have breached this it would be lack of policy or evidence suggesting they did not apply appropriate methods of protection to their public facing servers. I do believe that the bank details should have been further protected, however I would struggle to agree with any legal conviction based on this. Bank details are not covered by PCI-DSS.

      1. Phil_Evans

        Re: Does there need to be an obligation to "encrypt" ?

        Correct - but I believe that there IS a requirement to encrypt Credit Card details and if it is the case that these were un-salted in file storage, then the PCI sphincter police will be all over them come audit time.

        The technicalities in my mind matter little. This is the equivalent of me putting my most valued possessions in the porch of my house and hoping that the very standard Yale lock never gets picked. Talk Talk deserve everything they get from this since 3 times in 1 year IS criminal in the eyes of compliance police.

        1. Anonymous Coward

          Re: Does there need to be an obligation to "encrypt" ?

          Of course it wasn't encrypted, only terrorists and pedophiles use encryption. The gubbinment said so.

  3. This post has been deleted by its author

    1. Doctor Syntax Silver badge

      "Technically, TalkTalk are a victim of crime."

      Hmm. I need to think about this. How bad do things have to be before they can be considered an accessory to the crime and not one its victims?

      1. itzman

        Re:Technically, TalkTalk are a victim of crime.

        And possibly criminal negligence. Not accessories, unless the code was deliberately written to be hacked

    2. allthecoolshortnamesweretaken

      Optimism, possibly somewhat misplaced

      "[...], and customers, both past, present, and future [...]"

      FUTURE customers?

    3. David 77

      Are they going to change their slogan to "It's good to talk, it's better to do the absolute minimum"?

      1. Stuart Halliday

        Love to hear any Talk Talk IT Engineer try to get a new job after this example of blundering IT.

        1. allthecoolshortnamesweretaken

          Well, the BOFH needs a new Boss every now and then...

        2. circusmole

          With respect...

          ...@Stuart Halliday. This is most likely absolutely nothing to do with any "Talk Talk IT Engineer". The fault lies with the senior technical management and the Board for not ensuring that the appropriate policy, procedures and technology were put in place to enable the "Talk Talk IT Engineer" to secure the customer data. The senior technical management and the Board should also put in place a mechanism and review cycle that checked that the policy and procedures were effectively implemented.

          This is no fault of the guys at the coal face - it is a management failure.

    4. Donchik

      TalkTalk appear to be more "Victims of Stupidity"

  4. Ian Bush

    No Legal Obligation To Shut My Front Door

    I have no legal obligation to shut and lock my front door, that doesn't mean it's not at least partially my fault when I leave it open and get burgled

    1. Mark 85

      Re: No Legal Obligation To Shut My Front Door

      Exactly. Not locking the front door, leave the car unlocked, or leaving a pile of cash on the front porch.. no legal requirement to keep it secure. However, that doesn't make you a victim when it's robbed. It makes you an idiot if you always do, or merely careless if you forgot.

      Clearly, this company is managed by idiots. If I were a customer, I'd be killing my account and changing banks (move the money just in case the crooks got the account numbers) and whatever else it took.

      1. John Brown (no body) Silver badge

        Re: No Legal Obligation To Shut My Front Door

        "If I were a customer, I'd be killing my account and changing banks (move the money just in case the crooks got the account numbers) and whatever else it took."

        ...and if/when 1000's of people change banks, and the bank asks them why, do the banks have some grounds to sue Talk Talk for loss of business?

    2. Old Handle

      Re: No Legal Obligation To Shut My Front Door

      And no one should tell you you can't live that way if you want to... unless you're storing valuables that belong to other people. In that case it would seem you bear some of the responsibility when their stuff gets stolen.

  5. James 51

    When people say the boss has done a Ratner you know what they mean. What are the chances she's just done a Harding?

    BTW, announcing to the world you've no legal obligation to be competent is not the greatest advertisement I've ever heard.

    1. Anonymous Coward

      "BTW, announcing to the world you've no legal obligation to be competent is not the greatest advertisement I've ever heard"

      No, but it is kinda funny ..... :)

    2. fajensen

      Nevertheless, it's true. Modern leadership is nothing more than a meat-wall, disposable bodies that are there mainly to soak up an infinite amount of "bullets" and cloud the waters so the attacks don't disrupt the soft and squishy core of the (machine-driven) business.

  6. David Pollard

    Duty of Care?

    Perhaps a legally trained commentard could correct me if I'm wrong, but isn't there a general duty of care when a business interacts with customers and members of the public?

    1. Anonymous Coward

      Re: Duty of Care?

      In the absence of another answer:

      I'm not legally trained but I do know what's in the Sale of Goods Act, and its Services follow-on. Both have recently been incorporated into a more recent Act whose name I forget.

      In a sale in which a consumer (ie not a business) buys services from a business (which presumably includes most of TalkTalk's customers though not necessarily most of the revenue), those services must by law be provided "with reasonable skill and care" (those are the magic words).

      I'd hope that the number of recent occurrences, and the scale of the damage involved, would be sufficient to make it clear that TT have not been using "reasonable skill and care".

      Now unfortunately breaking the Sale of Goods Act doesn't get the (ir)responsible senior management locked up (after due process, obviously). That needs something else.

      1. Alan Brown Silver badge

        Re: Duty of Care?

        "Now unfortunately breaking the Sale of Goods Act doesn't get the (ir)responsible senior management locked up (after due process, obviously). That needs something else."

        "Operating recklessly" should do the trick and fits the bill.

        Imagine comrade Dido finding herself banned from being on any boards for the next decade.

  7. Headley_Grange Silver badge

    Encryption Regulation

    I'm not an expert in data protection and encryption methods, but I have a slight concern that regulation regarding encryption might not necessarily make things better. An analogy is the password problem. Ideally I'd like a completely free-form password with no limitation on length, type of character, etc. This makes it easy for me to generate gobbledygook passwords that I can easily remember. As soon as a site says "must be 6-8 characters, have at least one capital letter and one number" then it's a PITA and you can bet dollars to doughnuts that for many users the first letter will be a capital and the last letter will be a "1". This must make it easier to attack.

    Clearly, organizations which collect details which might allow me to be robbed or scammed should protect those details. They can do this in a number of ways - which might or might not include encryption, but if the government passes regulatory standards the risk is that companies will emerge to sell off-the-shelf, standard solutions and I fear that this could make them easier to crack because the crims will know what to look for. Also, once cracked, then all the users of a particular system will be cracked.

    I guess some basic principles along the lines of "don't keep your bank card and cheque book in the same wallet" might help, but I'd be wary of anything too prescriptive in terms of technology.

    1. Anonymous Coward

      Re: Encryption Regulation

      There exist terabytes of rainbow tables that are keyed to certain password requirements, so you're not wrong about regulatory requirements making the cracking easier. Me? I'd just set my personal supercomputer to create a tailored one-off set, not that I'd do anything like that.

    2. John Brown (no body) Silver badge

      Re: Encryption Regulation

      "I have a slight concern that regulation regarding encryption might not necessarily make things better"

      Knowing UK lawmaking and regulators' woolly wording, ROT13 would probably satisfy any encryption requirements set out in legislation.

      1. David Haworth 1

        Re: Encryption Regulation

        Nobody would consider ROT13 to be effective (I hope).

        It would have to be at least Double-ROT13.

  8. Lee D Silver badge

    Someone really needs to:

    a) Read the Data Protection Act

    b) Review the case law (so even if the DPA doesn't say it explicitly, the courts have already ruled that NOT encrypting is failing to reasonably protect data)

    c) Check out the ICO's own advice pages that have said things like this for years, under the various recommendations etc. sections:

    "The Information Commissioner has formed the view that in future, where such losses occur and where encryption software has not been used to protect the data, regulatory action may be pursued."

    d) Card details, especially, should be encrypted to be PCI DSS compliant. You are PCI compliant, yes? Of course. Because not being able to take money when they stop you processing cards will hurt your business more than any data leak would on its own.

    e) Get off your butt and encrypt things anyway, just as a normal part of corporate IT.

    P.S. The latest DPA has PERSONAL LIABILITY for protecting data. Failing to encrypt, if that would be considered a reasonable measure for the data (hint: Yes, it would) could well see you before court, especially if you're an IT guy who has responsibility for such things or (worse) you're the named data controller.

    DON'T WHEEDLE YOUR WAY OUT OF THIS.

    1. Mark Talbot

      As far as I was aware you were not allowed to handle any banking transactions without being PCI DSS compliant and, whilst quite loose, that does state that at-rest data must be strongly encrypted and that the keys mustn't be known to anybody with access to the source to decode it. So this sounds like the usual clueless executive who doesn't actually understand the regulations that they're supposed to implement.

      1. Anonymous Coward

        PCI-DSS covers "Payment Cards" (clue is in the name) rather than Direct Debit / Bank Account / BACS data.

        At rest encryption (e.g. in database tables or the file-system) is a PCI-DSS requirement (along with data transfer encryption) ... all good stuff but if your website application does not correctly parse ALL its input (defensive programming etc) and allows SQL code to be injected and passed to the DBMS then it could defeat all the encryption because it is going through the appropriate business logic and pulls out the data through the correct in-memory decryption routines (so no need to hack the keys).

        There should however be access controls implemented to make the web front-end less trusted to the database than the backend financial processing systems. For example, although credit-card and/or Direct Debit details can be WRITTEN to the database when a user updates their details, there is NO good reason to allow the front-end to READ the WHOLE of the details back, only partial details (e.g. a masked copy in a different table) need be shown back to the user. Having the web front-end mask the full details is not good enough.
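One way to model the two controls this comment describes (bound parameters in the front-end's queries, and a front-end database role that can write bank details but can only read the masked copy back), as an added Python example that is not from the original thread or from TalkTalk. It uses SQLite's authorizer hook to stand in for the DBMS account privileges a real deployment would express with GRANT; the table layout, column names and customer records are constructed for the demonstration.

```python
import os
import sqlite3
import tempfile

# Constructed sample customers for the demonstration; not real data.
SAMPLE_CUSTOMERS = [
    (1001, "A. Example", "12-34-56", "12345678"),
    (1002, "B. Example", "65-43-21", "87654321"),
]

# Columns the web front-end must never read back in full.
PROTECTED_COLUMNS = {"sort_code", "account_number"}


def mask_account(account_number: str) -> str:
    """Masked copy for display: everything but the last two digits hidden."""
    return "*" * (len(account_number) - 2) + account_number[-2:]


def frontend_authorizer(action, table, column, db_name, trigger):
    """Models the front-end's database role: writes allowed, full reads denied.

    SQLite consults this for every operation in a statement when the
    statement is prepared, so a SELECT on a protected column fails before
    it runs, whatever path the statement arrived by.
    """
    if action == sqlite3.SQLITE_READ and table == "bank_details" and column in PROTECTED_COLUMNS:
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def open_database():
    """Create the schema and return (backend, frontend) connections.

    A temp file is used so two connections share one database; a real
    deployment would use two DBMS accounts with different GRANTs.
    """
    path = os.path.join(tempfile.mkdtemp(), "customers.db")
    backend = sqlite3.connect(path)
    backend.executescript("""
        CREATE TABLE bank_details (
            customer_id INTEGER PRIMARY KEY,
            name TEXT NOT NULL,
            sort_code TEXT NOT NULL,
            account_number TEXT NOT NULL
        );
        CREATE TABLE bank_details_masked (
            customer_id INTEGER PRIMARY KEY,
            account_masked TEXT NOT NULL
        );
    """)
    for cid, name, sort_code, acct in SAMPLE_CUSTOMERS:
        backend.execute("INSERT INTO bank_details VALUES (?, ?, ?, ?)", (cid, name, sort_code, acct))
        backend.execute("INSERT INTO bank_details_masked VALUES (?, ?)", (cid, mask_account(acct)))
    backend.commit()

    frontend = sqlite3.connect(path)
    frontend.set_authorizer(frontend_authorizer)  # the front-end's restricted role
    return backend, frontend


def update_bank_details(frontend, customer_id, sort_code, account_number):
    """Front-end write path. Values are bound with '?' placeholders, never
    pasted into the SQL string, so user input cannot change the statement."""
    frontend.execute(
        "UPDATE bank_details SET sort_code = ?, account_number = ? WHERE customer_id = ?",
        (sort_code, account_number, customer_id),
    )
    frontend.execute(
        "UPDATE bank_details_masked SET account_masked = ? WHERE customer_id = ?",
        (mask_account(account_number), customer_id),
    )
    frontend.commit()


def show_masked(frontend, customer_id):
    """What the website is allowed to show the customer: the masked copy only."""
    row = frontend.execute(
        "SELECT account_masked FROM bank_details_masked WHERE customer_id = ?", (customer_id,)
    ).fetchone()
    return row[0] if row else None


def read_full_details(conn, customer_id):
    """Full read as the payments back end needs it. Returns None when the
    connection's role is not allowed to read these columns."""
    try:
        row = conn.execute(
            "SELECT sort_code, account_number FROM bank_details WHERE customer_id = ?",
            (customer_id,),
        ).fetchone()
    except sqlite3.DatabaseError:  # SQLite reports "not authorized" for the front-end role
        return None
    return tuple(row) if row else None


def role_can_read_full(conn) -> bool:
    """True if this connection's role could dump the full table at all."""
    try:
        conn.execute("SELECT account_number FROM bank_details LIMIT 1").fetchall()
    except sqlite3.DatabaseError:
        return False
    return True
```

The point of the split is that the privilege lives in the database role rather than in the application: even if SQL reaches the database through the front-end's connection by a route the developers did not intend, that role still cannot read `sort_code` or `account_number`, while the customer's own update and the masked display keep working.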

    2. jonathanb Silver badge

      The encryption cases relate to stolen laptops. Some people think that if the laptop has a password, it is secure. It isn't. Either boot up the laptop from external media or take the drive out of it and connect it as a secondary drive in another machine. You then don't need a password to access the contents.

      Where the data is stored on a server in a server room or data centre with physical access controls, then it is a bit different.

      1. macjules

        Unfortunately that does not work with many encrypted computers these days. With a proper encryption system (FileVault on OS X for example) all data is locked and inaccessible to anyone without the correct secure key.

        1. jonathanb Silver badge

          That's the difference between encryption and password protection.

          However, if you get remote access to my MacBook while it is turned on and logged in, FileVault is not going to stop you getting at anything.

    3. Probie

      Insurance may not pay out.

      I wonder if the Company Insurance will pay out to Talk Talk? I know (and using the analogies of cars and houses already provided) failure to secure the property by "locking it" and by adding extra security measures is enough for the insurance company to avoid paying out.

      Perhaps the best way to enforce good behavior is to have the terms and conditions of Insurance changed, rather than legislate.

      1. Terry 6 Silver badge

        Re: Insurance may not pay out.

        I was also thinking about the unlocked door analogy (above).

        If I fail to have and secure my front door with the required 5 lever lock, or leave a window open, or keys in the car, my insurers will be able to walk away from my claim.

        Yes, I should be able to leave my front door unlocked and let the neighbours pop in to borrow a cup of sugar when I'm out.

        But I don't think it would be such a good idea in real life.

  9. Inventor of the Marmite Laser Silver badge

    What happened to

    Duty of Care?

    Talk Talk is (supposed to be) a professional company operating in the IT arena and, as such, should have been perfectly well aware of the risks by taking the decision not to encrypt data.

    1. Anonymous Coward
      Anonymous Coward

      Re: What happened to

      Talk Talk is (supposed to be) a professional company

      Don't make me laugh, I might choke! TalkTalk are a bunch of piss pot incompetents, whose idea of customer service is a third rate offshore call centre, who have outsourced even their own recruitment, and whose chief executive is one of the most scandalously over-paid people in this country. Failure to encrypt customer data, and then to say "there wasn't a law saying we had to" is disgusting.

      I did briefly have some sympathy for Ms Harding, but that's just evaporated. Stupid, inept cow, and her stupid inept fuckwit colleagues deserve to be taken to the cleaners.

      1. Inventor of the Marmite Laser Silver badge

        "TalkTalk are a bunch of piss pot incompetents,"

        Come on, they haven't improved THAT much!

    2. dajames

      Re: What happened to

      Talk Talk is (supposed to be) a professional company operating in the IT arena and, as such, should have been perfectly well aware of the risks by taking the decision not to encrypt data.

      Unfortunately, being "a professional company" is no protection from incompetence.

      The TalkTalk we're talking about here is a company that doesn't support SSL connections to its mailservers, for instance, even though other ISPs increasingly mandate SSL. It's hard to believe that they have any clue at all when it comes to security.

      See, for example: http://help2.talktalk.co.uk/email-settings-imap-pop3

      (It says there that they don't support SSL on outgoing connections, but that they use port 587, which is usually used for secure SMTP rather than port 25. WTF?)

      I also noticed, recently (don't ask why) that a TalkTalk mail server negotiated an SMTP connection to another ISP's server using SHA-1 and RC4, both of which are deprecated and insecure. It's not the fault of the other ISP (which happened to be AOL, so not a paragon itself) as they happily negotiate encryption using SHA256 and AES256 with other ISPs.

      TalkTalk really seem to have no clue at all.

      1. planetzog

        Re: What happened to

        The Ark was built by amateurs. Titanic was built by professionals.

  10. Anonymous Coward
    Anonymous Coward

    Rebranding exercise

    Dear Customer, welcome to your rebranded new ISP: Shut up & Pay Pay.....

  11. Commswonk

    MBA "Qualification"

    Not being an MBA myself I can only assume that there is a module called Complacency 101 that has to be passed in order to graduate. The indifference this woman is displaying towards those who might be affected by her company's stupidity is utterly jaw-dropping.

    What seems to be clear is that there is no module relating to the Law(s) of Holes, the first of which (for anyone who doesn't know*) is that when you find yourself in a hole, stop digging.

    I for one hope that this does turn out to be a Ratner moment because it is high time that arrogant management was properly rewarded for its actions, or lack of them as the case may be.

    I also hope that other organisations are running around making doubly sure that their systems are adequately protected, but that may be a hope too many. Any sane senior management team should be thinking "There but for the Grace of God..." and making certain that they are less reliant on divine intervention and more reliant on more earthly mechanisms.

    *Unlikely on this forum!

    1. Anonymous Coward
      Anonymous Coward

      Re: MBA "Qualification"

      Not being an MBA myself I can only assume that there is a module called Complacency 101 that has to be passed in order to graduate.

      Having an MBA myself, from one of the world's top business schools, I can assure you that there isn't. An MBA is like any other qualification - it requires a relevant degree of intelligence, application, hard work, and usually some prior qualifications, but it isn't a test of propriety, and as far as I know there's no qualification that stops somebody choosing to act like a fuckwit.

      1. Warm Braw

        Re: MBA "Qualification"

        Having an MBA myself, from one of the world's top business schools

        I applaud you for coming out in this public forum :)

        It does seem there is a propensity for MBAs to believe they have sufficient qualification for running a business of any kind and that knowledge of what we might call "the business of the business" (i.e. what it actually does and how it does it) isn't really necessary - that's all just tedious process that can be left to the drones on the lower floors. Intelligence, application and hard work cannot substitute for an understanding of what your business does, the technology that enables it and the regulatory environment that constrains it.

        I'm afraid Ms Harding appears to fall into this category of MBA and is probably even now rehearsing Dido's Lament:

        When I am laid, am laid in earth, May my wrongs create

        No trouble, no trouble in thy breast;

        Remember me, remember me, but ah! forget my fate.

        Remember me, but ah! forget my fate.

        1. Anonymous IV

          Re: MBA "Qualification"

          @Warm Braw:

          +1 for quoting from Purcell's Dido and Aeneas.

          There aren't enough references to Early Music in El Reg...

        2. Anonymous Coward
          Anonymous Coward

          Re: MBA "Qualification"

          It does seem there is a propensity for MBAs to believe they have sufficient qualification for running a business of any kind

          You confuse cause and effect. An MBA is a piece of paper that shows you've completed an accredited training programme. As such it is similar in concept to an IT course, or an NVQ in cleaning.

          Your logic comes across as "I've met a few people with MBAs, they were arrogant, ignorant and incompetent, so many/most/all other MBAs will be the same". That doesn't seem very scientific nor likely to be a statistically valid sample, and to assume that the people concerned behaved this way because they have an MBA seems to be a matter of wanting that to be the case universally, because you are unhappy with your experience of a small number of people.

          As an MBA is a qualification aimed at middle and senior managers, it is at risk of attracting self important twits, but when I did mine, every course member came from a functional background, with the knowledge and experience to prove it. Sales, finance, IT, operations, logistics etc. And the MBA I was taught was specific that it wouldn't make us experts in anything, rather that it would teach us the limits of our own knowledge, with sufficient education to hold a sensible conversation with those who really did know their stuff in other business areas.

          Now, as with any qualification, if somebody's a complete ****, they can still earn a qualification, but at the end of it they'll still be a complete ****. But it's very unlikely that the qualification made them a ****. I suspect that if you've experienced poor standards of MBA qualified managers, that is probably more representative of severe organisational culture problems than evidence of a problem with the MBA (or any other qualification).

      2. Steve 114
        Headmaster

        Re: MBA "Qualification"

        MBAs merely think they can rule the company without effort. It is PPEs who just know they can rule the universe simply by using their trusted contacts.

    2. Anonymous Coward
      Anonymous Coward

      Re: MBA "Qualification"

      I also hope that other organisations are running around making doubly sure that their systems are adequately protected

      Forget it. Not related to ISP, but I know our infosec is a problem. Well, I'm nearing burn-out, my boss has okayed the request of C-bods for me to do important work by Tuesday while I was away, completely "forgetting" that my team of 2 part-timers and my lowliness have several "high priority" projects of about 2-4 man*month (each) going to which we "couldn't say no because we have to shine" and which must be finished by ... oh, last week or so. Couldn't care less about infosec, they can nail the customer database to the nearest mast for all I care.

      Anon, obviously.

      1. Alan Brown Silver badge

        Re: MBA "Qualification"

        "my boss has okayed the request of C-bods for me to do important work by Tuesday while I was away, completely "forgetting" that my team of 2 part-timers and my lowliness have several "high priority" projects of about 2-4 man*month (each)"

        I guess being signed off for 3 months medical stress leave wouldn't go down well then.

    3. Anonymous Coward
      Anonymous Coward

      Re: MBA "Qualification"

      the hole is getting soooo much deeper. TT are now trying to charge people that want to (and quite rightly) leave and move to another supplier a leaving fee. Honestly what a total shower

    4. Stoneshop
      Pirate

      Re: MBA "Qualification"

      What seems to be clear is that there is no module relating to the Law(s) of Holes, the first of which (for anyone who doesn't know*) is that when you find yourself in a hole, stop digging.

      What often happens is that they would consider the effort already expended to be wasted when aborting the hole, combined with the possibility that there might be something valuable to be found further down (oil, valuable ores or gems, or simply a pirate's hidden treasure) and the digging continues unabated.

  12. Steve Davies 3 Silver badge

    Coming Very Soon to TV

    droves of adverts from Ambulance Chasing Scumbags(Lawyers) offering class action suits against T-T.

    It is a shame really. The T-T CEO could have done the right thing but no she didn't.

    So, for once I am on the side of these Shysters. Go on boys, take everything that they have got left once the ICO has finished with them.

    And for the rest of you ISPs out there: get your own house in order and hey, who knows, you might pick up a load more subscribers if you can prove that your systems are not subject to the same sort of vulnerability as T-T. Encrypt all our data as a matter of normality. You could even use it in your advertising!

  13. Anonymous Coward
    Anonymous Coward

    Oh dear, oh dear, oh dear.

    This is a Ratner, Osborne, Ballmer, you name it CEO bollocks up of huge proportions.

    A rare moment here folks as we have just witnessed the birth of a new CEO corporate cock-up noun.

    A Harding.

    I expect Mr Dunstone will have signed the execution papers already, a clear failure to follow Healey's First Law of Holes - When you find yourself in one, stop digging.

    Edit,

    Just read a few of the other comments and everyone seems to think the same.

  14. Alan Sharkey

    BAE?

    I wasn't aware that British Aerospace was a leading specialist in security for IT. From their website:

    "BAE Systems tactical analysts work alongside warfighters around the world to provide them with the insight they need to successfully complete their missions. "

    Which part of this does the TT CEO think she is in?

    1. Commswonk

      Re: BAE?

      This bit, probably: http://www.baesystems.com/en/what-we-do/cyber-security---intelligence

    2. reghark

      Re: BAE?

      BAE Systems Applied Intelligence, formerly called Detica.

      They do... some sensitive things... in addition to stuff for regular businesses.

  15. Anonymous Coward
    FAIL

    "we have no legal obligation to encrypt customers data"...

    Translation: We'd rather screw our customers than protect them because crap like this costs money and we will do anything to collect our bonuses...

    1. John Brown (no body) Silver badge

      Re: "we have no legal obligation to encrypt customers data"...

      Although I'm REALLY not defending TT, this is all really a result of the race to the bottom on ISP pricing. People want the cheapest shit they can get so they get sold the cheapest shit available.

      1. TheOtherHobbes

        Re: "we have no legal obligation to encrypt customers data"...

        Hardly. I wouldn't call consumer broadband contracts "cheap".

        Even if they were, it's still no excuse for being yet another corporate space-hopper head who has no idea what they're doing.

        Appallingly clueless but endlessly arrogant management is a problem the world over. This is just another example of a much bigger problem.

  16. frank ly

    Sauce for the goose

    "... 400,000 people who have recently undergone credit checks for new service with the company."

    That's 400,000 people who, sadly, neglected to perform 'best security practice' checks on Talk Talk. However, I don't think there's any way they could do that since we rely on these organisations to police themselves.

    1. Anonymous Coward
      Anonymous Coward

      Re: Sauce for the goose

      frank.ly, saw your Title and thought you were going to suggest if Talk Talk's customers have nothing to worry about, then all of the directors of Talk Talk will publish their own details.

      After all, sauce for the goose .....

  17. Rural area satellite.

    Sounds like a bank claiming that their cardboard boxes can be called "Vaults" or a builder who says his two pieces of wood support a top floor when building control would not sign the plans.

    Hobby-management by overpaid wafflers who try to duck and dodge their responsibilities to keep their affairs in order.

    Downgraded from TalkTalk to WaffleWaffle

    1. PNGuinn
      IT Angle

      "Downgraded from TalkTalk to WaffleWaffle"

      Prefer Squark Squark myself, but upvoted anyway.

      Icon because they appear to have no understanding of IT whatsoever (nor for that matter the meaning of plain English).

  18. Anonymous Coward
    Anonymous Coward

    I sincerely hope

    that TalkTalk loses substantial amounts of business over this breach and how they handled the aftermath. Ideally they should cease to exist. Of course that's not going to happen, because somebody further down the food chain will be held accountable, while C-levels operate (everywhere in the world) on a basis of ignorance and/or plausible deniability, which is -frankly- disgusting given that they receive their pay and bonuses on a basis of carrying the burden of responsibility (they only remember that when they can claim credit for something that went okay).

    I mean, if you see the tweets BBC displayed on the News Channel for minutes while discussing the issue... "Can the government not improve the UK firewall to protect us all?"

    Obviously, this "we're the victims here" nonsense is working with the masses of non-IT people. And, wearing my tinfoil hat, this is going to strengthen Gov's attempts to further intrude into our internet consumption (I see Nanny Filter 2.0 coming soon)...

    Given the track record of TalkTalk's security (or lack thereof) -- third time in less than 12 months? -- they should be forbidden to do business until every detail has been investigated.

    Okay, I realise that I sound slightly angry... that's because it's almost Monday, and I'll be begging for budget to improve security again, and again, and again (there's a little bit of TalkTalk happening in every big company until CTOs are held personally responsible for security breaches)...

  19. Frumious Bandersnatch

    weasel words

    As Steve Wright said, "Eagles may soar, but weasels don't get sucked into jet engines"

    I can only assume that Harding would fail to see the satire in the above.

  20. Anonymous Coward
    Holmes

    I'm not a lawyer but...

    Hmm, wheeling out the 'Nuremberg defence' of just following orders may not be that smart for someone who trousers £7m a year.

    1. Anonymous Coward
      Anonymous Coward

      Re: I'm not a lawyer but...

      We are not into war crimes yet. Or is Tony Blair in there somewhere?

  21. Anonymous Coward
    Happy

    Ker-ching!

    I used Detica 10 years ago and they were not cheap then; given the pickle TalkTalk is in, rates of £2,000/day and going rapidly upwards would seem certain.

    NB Can I assume everyone still calls British Aerospace, British WasteOfSpace?

    1. ZSn

      Re: Ker-ching!

      Does anyone call them anything else? As for Detica - overpriced box tickers seems to be the usual experience.

      1. Omgwtfbbqtime

        Re: Ker-ching!

        Nope, always called them Bribes and Expenses

  22. Len Goddard

    beyond belief

    Even if this were true (which I seriously doubt), I cannot believe that anyone could be so stupid as to think that saying so would put the organisation in a better light. Strong encryption is a no-brainer when you are handling sensitive data but time after time idiots fail to do the sensible thing.

    1. allthecoolshortnamesweretaken

      Re: beyond belief

      I have a hunch just how the discussion in the boardroom went at the time... "But, but - if we, like, encrypt all the data on our computer - how will we be able to, like, read it ourselves?"

  23. slightly-pedantic

    mincing words

    This is how TalkTalk admitted they'd handed out bank details in their email: "No banking details were taken that you won’t already be sharing with people when you write a cheque or give to someone so they can pay money into your account."

    1. gnasher729 Silver badge

      Re: mincing words

      Well, I don't write checks to criminal hackers, and I don't give criminal hackers banking details so they can pay money into my account.

  24. Anonymous Coward
    Anonymous Coward

    Security standards

    All public companies should be forced to declare whether they encrypt public data, and the security standards they meet. We'll then decide whether legal obligations are important.

  25. Anonymous Coward
    Anonymous Coward

    This interview was One Step Too Far for Dido, it really proves that she is No Angel.

    1. PNGuinn
      Joke

      "One Step Too Far for Dido"

      Sorry - it's late - I read that as "One Step Too Far for Dildo".

      Could you type in a larger font please?

  26. petetp

    That's what happens when an arts graduate with no technical experience gets hired as CEO is it?

    What an outrageous, self-serving comment!

    1. Commswonk

      She also forgot another Golden Rule: It is better to say nothing and risk being thought a fool than to speak up and remove the doubt.

  27. F1Baron

    Security Optional, Customers Optional

    One of those cases where not doing something relatively simple and sensible will hopefully be commercial suicide. For the encouragement of others etc. Given their customer service record, they've never been high on my list of service providers, so I'm hardly their target demographic.

  28. Camilla Smythe

    Dido and Perry...

    Have no legal obligation to force their scabby husbands to wear a condom but that's OK coz they gave up on fluid transfer a long time ago.

    ITMT

    Dido and Perry will bend any and all legislation to get what they want and if it goes wrong will use that legislation to come up smelling like clean fannies.. cunts to you Americans.

  29. Anonymous Coward
    Anonymous Coward

    From a Talk Talk email back in Feb

    "At TalkTalk we take your security very seriously and we take numerous measures to help keep our customers safe"

    1. PNGuinn
      FAIL

      Re: From a Talk Talk email back in Feb

      In a word - B******T

      Which is what I always think when I see a meaningless little statement like that. Flashes lots of red lights, as do whalesong-derived organisation catchphrases. And "motivational" pictures on the walls.

  30. Commswonk

    A Curious Anomaly?

    While IANAL there could be a curious anomaly in the way the DPA is written. As someone mentioned much earlier in this thread:

    "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." This is the "seventh principle" of data protection.

    Does "loss" have some special meaning? In normal usage if I lose something it is no longer in my possession, but in this case TT (it must be assumed) still have the data, it's just that someone has downloaded an unauthorised copy of it. Has it, therefore, been "lost"? Has "unauthorised or unlawful processing" occurred within TT or has any such processing been carried out by whoever obtained an unauthorised copy? The really odd thing (IMHO) is that the word "theft" does not appear anywhere in the act.

    If recent events do finish up in court then I fully expect some fancy footwork on the part of TT's legal team trying to demolish any suggestion that TT actually did anything wrong, and that might be fun to listen to; I just hope that any such argument is thrown out.

    Might be worth stocking up on the popcorn and fizzy drinks... the low sugar variety of course.

  31. Dick Emery
    Gimp

    No bot heads this week during X-Factor

    Insert witty comment here [ ]

  32. Arthur Kater :-D ☺

    There is also no legal obligation to lock your doors and windows when you're on vacation...

    sigh...

  33. Chozo

    The internet continues to amaze me, I have seen two headed dogs, flying saucers in New York and cats that play the piano and now it looks like I'm going to see a woman insert both feet into her mouth.

  34. Anonymous Coward
    Anonymous Coward

    I read that businesses want protection from cyber crime on the BBC (complete utter bollocks)

    It's called encryption and you have to do it yourself.

    Exactly how do you think the government is going to protect you? Let's take a couple of examples,

    Routes - Where and how do you prove where an attack has come from?

    Russia/China/DPRK - What exactly do you expect the police to do?

    Do they even know how the internet works?

    P.S. it's cats and porn.

    1. Inventor of the Marmite Laser Silver badge

      There are CATS as well?

      1. Anonymous Coward
        Anonymous Coward

        5 of them...

  35. The Boojum

    Looks like they're positioning themselves to take a hard line.

    "We're a victim, we did everything we were obliged so if you want compensation then you'll have to take it up with the attackers. "

    Besides, as a budget ISP, if they pay compensation how will they be able to afford Dido's totally justified and really quite modest salary?

  36. AGOO

    From the TT code of practice- outrage

    Protecting Your Information

    We take protecting your data seriously, and will do our utmost to employ appropriate organisational and technical security measures to protect your against unauthorised disclosure or processing.

    Unfortunately we cannot guarantee the security of transmitting information via the internet. We have tried to create a secure and reliable website and mobile application for our users. However, we have no responsibility or liability for the security of personal information transmitted via the internet.

    http://www.talktalk.co.uk/legal/privacy-policy/?utype=talktalk

  37. Anonymous Coward
    Anonymous Coward

    Prosecution options of the Information Commissioner

    If Talk Talk as a company are prosecuted under the Data Protection Act, the CEO and the board of directors are all potentially in danger of being prosecuted personally as "culpable directors" by The Information Commissioners Office.

    Below is an extract from the ICO's prosecution policy:

    Defendants

    17.

    Where a prosecution is being considered against a body corporate, consideration will also be given to whether a prosecution is warranted against any individuals in a position of responsibility, such as a director or manager, where the offence was committed with their consent, connivance or attributable to their neglect. Consideration will be given, where appropriate, to the role and responsibilities of the individual, the management chain and the size and structure of the company.

    The full document

    https://ico.org.uk/media/about-the-ico/policies-and-procedures/1882/ico-prosecution-policy-statement.pdf

  38. Anonymous Coward
    Anonymous Coward

    I challenge Dido Harding to publish the same details about herself, that her company has allowed hackers to steal about her customers

  39. Captain Badmouth
    FAIL

    Security tomorrow?

    "Hoping to get the site up and running as quickly as possible, but obviously we will not do so until we are confident that all aspects are as secure as possible."

    Don't hold your breath.

    Twelfth of Never, perhaps?

  40. Anonymous Coward
    Anonymous Coward

    Encryption? It's bad business!

    I work for a bank, hence Anon posting.

    It's easy here to talk of the obligation to encrypt. I'd guess that if TT were storing customer data, including bank data, on a web-accessible front end they have some pretty shabby systems... others have asked why customer data and financial data were not stored elsewhere and only assembled when needed for a single customer view.

    I'm guessing that TT will have a messy architecture and also have not consolidated systems from earlier takeovers. Remember, too, that each of these will have multiple associated test systems. At this point encryption becomes a difficult business: matching logons with customers and finance data for each request across all these systems in an encrypted format, AND being able to do this for each of the different test environments.

    It's an expensive business. Happily the cost of failure is relatively small. My estimate, below, is that they will lose around £40m as a result of this poor management. I'm guessing, too, that the cost to remediate would far outweigh this.

    So, why bother encrypting when the cost of failure is so small?

    Can anyone offer any insight as to why the potential money-making by this company is viewed by the market as only marginally impacted?

    BTW: Your bank will only encrypt tiny elements of your card data. You can bet your boots that your details, transactions, marketing information are all in plain text. Perhaps well-protected but plain text. Oh, and there's not one copy of that customer database, there will be tens of them... each needed to satisfy the need to test thousands of IT changes each month. My view is that making production safe is about five times easier than dev/test!

    COST OF THIS TERRIBLE ERROR

    Potential fine: I think the ICO can fine up to £0.5m

    The value of the company: shares have gone from 268p on Thu to 264p on Friday: the company is now worth £36.2m less than it was.

    Plus, sundry costs to tidy up, say £2m?

    Total: £38.7m

    1. Anonymous Coward
      Anonymous Coward

      Re: Encryption? It's bad business!

      @AC

      Potential fine: I think the ICO can fine up to £0.5m

      The value of the company: shares have gone from 268p on Thu to 264p on Friday: the company is now worth £36.2m less than it was.

      Plus, sundry costs to tidy up, say £2m?

      Total: £38.7m

      And that is why it probably just became a decent short-term *speculative* investment play. I'm AC because I too work for a bank and can't give investment advice. I guess you could net an upside of about 9.5% as the market corrects the drop over the next few days.... unless it's a BP moment, but without American help, that's unlikely.

      I do hope I'm wrong. And I hope I'm wrong because their current customers walk away faster than they can attract new replacement customers. Which is what all the bluster about contracts & laws is designed to achieve - prevent a mass walk out.

  41. Anonymous Coward
    Anonymous Coward

    I don't get it

    I don't understand why ANY business would take security of data so lightly. We run a cloud service and we encrypt everything - the database is encrypted at rest (keys in a key vault), then we encrypt any sensitive columns in tables to be extra safe, plus we don't pass any un-sanitized data to the stored procedures... and to cap it all, we don't hold any bank/cc details at all!

    This is basic security - not something that's optional.

  42. Anonymous Coward
    Anonymous Coward

    They have had issues for months!

    TalkTalk are a joke. I have had calls some 30 to 50 times from imposters who claim to be from TalkTalk.

    They say they have discovered a fault in my broadband and could I go to my computer, and they tell people to go to fastheal. .net to install some software.

    The nuisance calls have been going on for several months. So why didn't they warn the public then?

    The imposters have the TalkTalk account number (for verification), as well as the home address, name etc...

    I did complain and their response was rather dismissive. Not a penny in compensation for the nuisance caused.

    TalkTalk are a totally incompetent telecoms company. Whether it is a fault on the line or a problem with broadband, it has taken them several years, whilst customers have had a poor service.

    It is only because TalkTalk have gone public that we have seen so many people talk about how they have been harassed for several months.

    The Information Commissioner has not fined TalkTalk, although it should be customers who should be compensated.

    The annoying thing is that TalkTalk have increased their prices. When they were new they were around £20 per month, now they are around £50 per month. Quality has not gone up.

  43. RealBigAl

    Watching TalkTalk's response to this failure on their part brings to mind the now immortal words of Malcolm Tucker. "....it's like watching a clown running across a minefield."

    Their position seems to be "we should be protected by the authorities, we pay our taxes, oh wait..."

    Exhibiting zero corporate responsibility, their share price deserves to tank. The sad consequence is though, with all the mergers and takeovers that have been going on in the past few years, B.T. will soon have (once again?) a monopoly on the mobile phone market, indeed on communications in general, in this country.

  44. Rod 6

    Looks to me like a text book case of how not to handle a data breach.

  45. Anonymous Coward
    Anonymous Coward

    WHERE Postcode LIKE 'EC%'

    Encryption is a tool not a solution. Let's say all the customer information in the database is encrypted and a customer calls up to query their bill. Of course being a customer he doesn't know what his account number is, so the call centre worker has to go through Data Protection checks without that nice account number to use as a key into the encrypted database. So the call centre application needs to make an SQL query based on postcode, name, age mothers maiden name etc. to both verify the customer and find out the account number. Unfortunately this data is encrypted so the application needs the database keys to encrypt the customer supplied info into something that can be used to make a query. Possible, but a world of pain to secure once you have multiple applications that all need access to the key. The fun really starts when one of the business application needs to make wild card queries like the one in the title. Then you are screwed.
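    The two comments above describe the same design from opposite ends: comment 41 encrypts sensitive columns with keys held in a vault, and comment 45 asks how a call centre then finds a customer by postcode, let alone runs `WHERE Postcode LIKE 'EC%'`. The Python below is an added example, not code from the page or from any commenter, showing the usual answer: randomised encryption for the stored value plus a keyed, deterministic "blind index" (an HMAC of the normalised value) that the application computes from the caller's input and matches with a parameterised equality query. Assumptions: the keys are generated locally here instead of being fetched from a vault; the cipher is an HMAC-SHA256 counter-mode stand-in so the example runs on the standard library alone (use AES-GCM from a vetted library in practice); the customer rows are constructed; and the wildcard case is served by a second, coarser index on the postcode area, which is the trade-off the comment is pointing at.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed keys for this example only. In a real deployment they come from a
# key vault/HSM and are released only to the one service that needs them.
ENC_KEY = secrets.token_bytes(32)
INDEX_KEY = secrets.token_bytes(32)


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(_prf(enc_key, nonce + i.to_bytes(4, "big")) for i in range(blocks))[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Randomised encrypt-then-MAC, output = nonce || body || tag.
    Stand-in for AES-GCM so the example needs only the standard library."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + body + _prf(mac_key, nonce + body)


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(mac_key, nonce + body)):
        raise ValueError("ciphertext rejected: bad tag")
    return bytes(b ^ s for b, s in zip(body, _keystream(enc_key, nonce, len(body))))


def normalise_postcode(pc: str) -> str:
    return "".join(pc.split()).upper()


def postcode_area(pc: str) -> str:
    """Leading letters of the outward code: 'EC' from 'EC1A 1BB'. Assumed to be the
    grouping the wildcard query in the comment is after."""
    pc = normalise_postcode(pc)
    n = 0
    while n < len(pc) and pc[n].isalpha():
        n += 1
    return pc[:n]


def blind_index(value: str, purpose: bytes) -> bytes:
    """Keyed, deterministic tag: equal plaintexts give equal tags, so '=' works on the
    stored column; without INDEX_KEY a stolen table cannot be matched against a list
    of every UK postcode. The purpose label keeps the two indexes from colliding."""
    return _prf(INDEX_KEY, purpose + b"\x00" + value.encode())[:16]


def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE customers (
        id INTEGER PRIMARY KEY, account_no TEXT,
        name_ct BLOB, postcode_ct BLOB, postcode_idx BLOB, area_idx BLOB)""")
    sample = [("TT0001", "Alice Example", "EC1A 1BB"),    # constructed rows
              ("TT0002", "Bob Example", "ec2v 7hh"),
              ("TT0003", "Carol Example", "SW1A 1AA")]
    for acct, name, pc in sample:
        db.execute("INSERT INTO customers VALUES (NULL, ?, ?, ?, ?, ?)",
                   (acct, encrypt(ENC_KEY, name.encode()), encrypt(ENC_KEY, pc.encode()),
                    blind_index(normalise_postcode(pc), b"postcode"),
                    blind_index(postcode_area(pc), b"area")))
    db.commit()
    return db


def find_by_postcode(db, pc: str):
    """Exact match through the blind index. The database never sees the postcode,
    the query stays parameterised, and only matching rows are decrypted."""
    rows = db.execute("SELECT account_no, name_ct FROM customers WHERE postcode_idx = ?",
                      (blind_index(normalise_postcode(pc), b"postcode"),)).fetchall()
    return [(acct, decrypt(ENC_KEY, name_ct).decode()) for acct, name_ct in rows]


def count_in_area(db, area: str) -> int:
    """The LIKE 'EC%' case: a LIKE on the ciphertext column can never match, so the
    query is served by a coarser index, at the cost of revealing to anyone holding
    the table which rows share an area."""
    return db.execute("SELECT COUNT(*) FROM customers WHERE area_idx = ?",
                      (blind_index(area.upper(), b"area"),)).fetchone()[0]


def tamper_rejected(key: bytes, blob: bytes) -> bool:
    """Flip one body byte and confirm the MAC check refuses to decrypt it."""
    flipped = blob[:16] + bytes([blob[16] ^ 0x01]) + blob[17:]
    try:
        decrypt(key, flipped)
        return False
    except ValueError:
        return True
```

    Every index you add to make encrypted data queryable leaks exactly the equality relation it answers: the postcode index reveals which rows share a postcode, the area index which rows share an area. The practical discipline is to add the narrowest index each real query needs and nothing broader, and to keep INDEX_KEY and ENC_KEY out of the database tier entirely so that a dump of the table plus a dump of the DB server's config still yields nothing.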

  46. Quotes
    IT Angle

    First contact from TalkTalk

    TalkTalk contacted me today (caller id = 006690). It is the first contact they have made since they were hacked four days ago. The caller asked me to confirm some personal details before they could continue with the call ! Obviously I declined but I asked them if they were aware their company had been hacked. Their response was to hang up. Says it all really.

    1. Ian Ringrose

      Re: First contact from TalkTalk

      What makes you think the contact was from TalkTalk?

      Even dialing random phone numbers, and pretending to be from TalkTalk saying you need to confirm some personal details would result in getting a lot of information for most members of the public.

      The caller hanging up makes me think it was not TalkTalk calling you.

  47. Velv
    Facepalm

    Interesting. Talk Talk don't feel the need to encrypt customer data. They're advising customers to provide all the same personal data to third party Noddle to monitor for suspicious activity.

    I wonder if Noddle thinks it necessary to encrypt the data they're entrusted with? (And have Noddle told Talk Talk this...)

  48. Ian Ringrose

    A complete change in how we do banking is needed….

    Anyone that has a copy of the form I fill in for a credit check can open a bank account in my name!

    Anyone that has the information to set up a DD on my account has all the information that is needed for someone else to set up the DD.

    There will ALWAYS be data breaches, therefore the data that must be stored and processed for each customer should be such that it is not a great issue if it gets stolen.

    Encryption does not help, as the key needs to be accessible to the system.

    The credit check data has to be kept by Talk Talk, as otherwise they can’t improve their risk control systems when taking on new customers. (Likewise a landlord has to keep it, so they can trace a non-paying tenant that has just left the property.)

    We need a quality ID checking system, but yet, we are not allowed to have ID cards as the public does not like the concept!!!!

  49. Ana Cronym

    Bork Bork.

    That is all.

  50. planetzog

    It's not a legal requirement to look both ways before crossing the road, but it's stupid not to. So we're dealing with stupidity and arrogance, a dangerous mix that never ends well.

    Want to escape? Not so fast sucker! We've lost your personal data but we still have you by the short and curlies. We might even lose your data again. Pay a penalty to leave? Pah! The ICO should step in now and direct TackyTalkTalk to allow users to leave their contracts early.

  51. macjules
    Thumb Down

    More 'STFU STFU' than 'Talk Talk'

    "On Saturday TalkTalk said the attack had been less serious than it had initially feared."

    Perhaps their definition of 'fear' is the potential legal actions from people who have had their bank accounts cleared out thanks to TT? I do like the fact that TT are 'offering' 12 months free credit through Noddle - my understanding, having used Noddle, is that it's actually free of charge to use anyway?

  52. Grubby

    Misleading messages

    I think it's incredibly misleading and unfair of TalkTalk to be advising customers that the information stolen is 'nothing more than you would use when writing a cheque, or to receive payments'. Dido is deliberately trying to mislead people into believing that the information held is useless, or can only be used to pay money in.

    Surely Ofcom have grounds to step in as it's a public communication designed to mislead, effectively an advert that lies.

    https://d35r1y7lonozn6.cloudfront.net/

    Watch for yourselves.

    1. Alan Brown Silver badge

      Re: Misleading messages

      "Surely Ofcom have grounds to step in"

      Surely trading standards?

  53. Wommit
    FAIL

    Why do most of the commentards talk about the application layer? The real business logic and MOST of the protections should be at the RDBMS layer. Presentation layer protection, don't make me laugh (or cry really.) There is no way to protect that. The application can easily be spoofed, we are all aware of injection attacks etc, but a properly designed DB will bounce all of the unauthorised accesses and log all the details of such attacks.

    The problem is that good DBAs aren't cheap, we tend to be a bit shouty and like things done our way, and that's usually the best way. BUT a good DBA can save you millions in cash and public embarrassment.

    However as some have pointed out, the senior (I still snigger when I think of this phrase) management are ONLY looking at the bottom line. If they can save a penny a year, they'll go for that option. More in the pot for their bonuses.

  54. Robert E A Harvey

    One word response

    Tossers

  55. Tim Almond

    Dido Harding is unfit

    It's clear that her whole attitude is one of being slopey-shouldered about taking any responsibility. Her attitude to the hack is not only to view it as not her problem, that TalkTalk is the victim of a crime, but her interview on Newsnight had her pulling a load of whataboutery about how many other cyber attacks there were.

    And it's not like this is Laura Ashley you're running. I might understand if someone selling soft furnishings seemed to be clueless about data, but data is your bread and butter at an ISP. You shouldn't even have any systems with SQL injection in such an organisation, because you should have figured out a mitigation strategy that can be applied globally (like using an ORM) and sometime in the past decade, that should have been a priority.

    I'd love to know who does their IT. What's the odds it's some outfit that bid the lowest price stuffed full of guys from Bangalore straight out of college?
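    The comment above makes a point worth showing in code: an ISP should not be fixing SQL injection one query at a time, it should have a mitigation that applies everywhere. The Python below is an added example, not the commenter's code and nothing to do with TalkTalk's systems. It puts the vulnerable pattern next to the parameterised one against a constructed in-memory SQLite table, then adds a small AST check that flags any `.execute()` whose SQL is assembled at runtime, which is the shape of a global control (run in CI, or as a custom linter rule) that catches the vulnerable pattern before it ships. Assumptions: the table, rows and probe string are constructed; the audit recognises only the four dynamic-SQL shapes it lists, so treat it as a starting point rather than a substitute for an ORM or a proper static analyser.

```python
import ast
import sqlite3


def _db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (account_no TEXT, postcode TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?)",
                   [("TT0001", "EC1A 1BB"), ("TT0002", "SW1A 1AA")])  # constructed rows
    return db


def lookup_vulnerable(db, postcode: str) -> list:
    # The caller's string is spliced into the statement, so it can rewrite the WHERE clause.
    sql = "SELECT account_no FROM customers WHERE postcode = '%s'" % postcode
    return [row[0] for row in db.execute(sql)]


def lookup_parameterised(db, postcode: str) -> list:
    # The driver sends the value separately from the statement: it can only ever be data.
    return [row[0] for row in
            db.execute("SELECT account_no FROM customers WHERE postcode = ?", (postcode,))]


TAUTOLOGY = "' OR '1'='1"   # classic probe: turns the WHERE clause into 'always true'


def demo():
    """Returns (rows leaked by the vulnerable lookup, rows from the safe lookup)
    for the same probe string."""
    db = _db()
    return lookup_vulnerable(db, TAUTOLOGY), lookup_parameterised(db, TAUTOLOGY)


def unparameterised_execute_calls(source: str) -> list:
    """Line numbers of .execute()/.executemany() calls whose SQL argument is built at
    runtime (concatenation, % formatting, str.format, f-string) rather than passed
    as a literal with bound parameters."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany") and node.args):
            continue
        sql = node.args[0]
        dynamic = (isinstance(sql, (ast.BinOp, ast.JoinedStr))
                   or (isinstance(sql, ast.Call) and isinstance(sql.func, ast.Attribute)
                       and sql.func.attr == "format"))
        if dynamic:
            hits.append(node.lineno)
    return sorted(hits)


# Constructed source for the audit: three dynamic-SQL shapes and one correct call.
SAMPLE_SOURCE = '''\
def a(db, pc):
    return db.execute("SELECT 1 FROM t WHERE pc = '" + pc + "'")
def b(db, pc):
    return db.execute(f"SELECT 1 FROM t WHERE pc = '{pc}'")
def c(db, pc):
    return db.execute("SELECT 1 FROM t WHERE pc = '{}'".format(pc))
def d(db, pc):
    return db.execute("SELECT 1 FROM t WHERE pc = ?", (pc,))
'''


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable lookup returned", leaked)
    print("parameterised lookup returned", safe)
    print("dynamic SQL at sample lines", unparameterised_execute_calls(SAMPLE_SOURCE))
```

    The audit misses SQL built in a variable and passed by name (`sql = "..." + x; db.execute(sql)`), which is exactly what `lookup_vulnerable` does; a real rule would follow assignments or, simpler, forbid any `execute` argument that is not a string literal. The cheaper organisational version of the same control is the one the comment names: route every query through an ORM or a query builder and ban the raw driver call outside that one module.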

  56. Dick Emery

    Where is our test case?

    These idiots need a wake up call and I think a court case would go some way to doing that. Saying they are not required to encrypt is like saying I am not required to shut the safe at the bank even though there is a locked door to the safe room.

  57. Archaon
    Facepalm

    The difference between losing all of your customers and keeping some of them...

    How to keep some of them: "We're not required to encrypt bank details, however this attack shows that encryption is important and we clearly should be. As such we have implemented a plan to encrypt all user data within the next month to prevent such an attack from happening. We truly apologise for any inconvenience or concern caused by this data breach, but rest assured your data will be safer with us than most other companies in the future."

    The TalkTalk school on how to lose all of them: "We didn't need to do it. We still don't. Tough shit."

  58. Anonymous Coward
    Anonymous Coward

    I have no legal duty to flush the toilet after using it, but if I want to be invited back to Mrs Leadbetter's next dinner party, it's probably a good idea to do so.

  59. Somerset

    http://www.tcs.com/resources/multimedia/Pages/Talk-Talk.aspx maybe

  60. achillesneil

    TalkTalk say they are victims of crime. That is true. But if I left my windows and front-door open and some people came in and stole all my stuff, the cops wouldn't do anything. Probably tell me not to be so lax.

    I think TalkTalk has been very lax here.....

  61. Anonymous Git

    Plain and simple...

    https://paul.reviews/value-security-avoid-talktalk/

    https://www.youtube.com/watch?v=9cM2uscCmpQ

  62. Cincinnataroo

    We need a good stupidity meter

    Businesses are full of these turkeys. Criminally ignorant of technology and running technology companies.

    Oh that we had a good quality Bravo Sierra meter. Then we might have a way of avoiding the idiocracy a bit more.

  63. eylesman

    ByeBye TalkTalk

    And that's why I left TalkTalk after 10 years of using them for phone and Broadband.

    Bye!

  64. harris1979

    As a talk talk customer I feel sickened to hear that they don't have to protect your personal data. Surely they are in breach of customer confidentiality and the big wigs at the top of this company should be held fully responsible. To make matters worse they were even warned that this was going to happen. I reckon maybe the hackers should have got a hold of the CEO's bank account and given all the money back to people who have had to pay to get out of their contracts.
