TalkTalk claims 157,000 customers were victims of security breach

TalkTalk has once again attempted to downplay the seriousness of the attack on its systems by claiming on Friday morning that only four per cent of its customers – nearly 157,000 people – were affected by the security breach. The budget ISP said that bank account numbers and sort codes of 15,656 of its subscribers had been …

  1. edge_e

    Even Jeremy Clarkson could tell them they're wrong

    Throughout TalkTalk's statement, the company reiterated its claim that the "financial information" pilfered during the security breach "cannot on its own lead to financial loss".

    The budget ISP said that bank account numbers and sort codes of 15,656 of its subscribers had been swiped in the attack.

    1. d3vy

      Re: Even Jeremy Clarkson could tell them they're wrong

      I might be missing something but knowing my sort code and account number will not allow you to get money out of my bank...

      Except maybe by direct debit?

      I'm genuinely interested to know if this is possible?

      1. rhydian

        Re: Even Jeremy Clarkson could tell them they're wrong

        As edge_e mentions, Jeremy Clarkson (at maximum arrogance) said "No one can steal money from you with an account number and sort code!", and proceeded to publish his own personal details in his column in The Sun.

        Within hours someone had signed him up for a £500 donation to either Cancer Research or Diabetes UK (can't remember which) via direct debit, which he took in good humour as he changed all his bank details...

        1. Anonymous Coward

          Re: Even Jeremy Clarkson could tell them they're wrong

          Which really is a fault of the Direct Debit system. You shouldn't be able to set up an active DD with just an account number and sort code.

          Bank sort codes are freely available and account numbers could easily be brute forced.

          1. Graham 32

            Re: Even Jeremy Clarkson could tell them they're wrong

            Already discussed here: http://forums.theregister.co.uk/forum/containing/2685867

            Also worth noting that a DD can only give your money to registered recipients: utilities, charities etc. Not much use to the hackers.

      2. dd88ddd

        Re: Even Jeremy Clarkson could tell them they're wrong

        You've made a rather unfair argument. Direct debits are a way to get money out of your account, but you've excluded it from consideration.

        What's to stop me from setting up fake companies to which talktalk customers suddenly have direct debits?

    2. N13L5

      Business disruption eliminated.

      I bet what we're seeing here is just the old Telco boys getting rid of a scrappy threat to their business.

      hack 'em, get it all over the media and ride on the story till those folks are out of business.

      Business disruption eliminated.

  2. ShortLegs

    Good time to buy shares then :)

    1. wikkity

      RE: Good time to buy shares then :)

      If you believe they will go back up and do so in a timescale worth investing, then yeah.

    2. Anonymous Coward

      Jump on the sinking ship now!

      before the information commissioner and private lawsuits tear the place apart.

      1. Anonymous Coward

        Re: Jump on the sinking ship now!

        before the information commissioner and private lawsuits tear the place apart.

        You wish. But in the UK class actions don't exist, and the burden of proof will be quite difficult for individuals to claim compensation (and anyway, in the UK compensation cannot be punitive as it can in the US). The ICO can only fine them half a million quid. That's small change for a company with turnover of £1.8bn a year.

        1. Steve Davies 3

          Re: Jump on the sinking ship now!

          Are you sure that Class Actions don't exist in the UK?

          http://www.bbc.co.uk/news/uk-34402483

          Came in on 1st October. Just in time for T-T to get hacked.

          IMHO this would be a great 'trial' case.

          1. Anonymous Coward

            Re: Jump on the sinking ship now!

            Are you sure that Class Actions don't exist in the UK?

            In the context of the TalkTalk hack, yes I am sure class actions don't exist. The linked article does explain that class actions can exist for breaches of competition law, but even then they need the rubber stamp of the Competition Appeal Tribunal (one of the zillion quangos that somehow missed out on Dave's bonfire of the quangos).

            What's more, under UK law, the loser is generally liable for the costs of the winner. This means that for a class action to go ahead, the claimants need to be able to show that they can pay the costs of the defendant. Even if TalkTalk could be prosecuted through class action, who would be willing to try taking them on if they put an expensive combination of Slaughter & May, Herbert Smith, and Brick Court Chambers on the job? If the claimants lost they could have to fork out several million quid between them. If you get enough claimants willing to stake (say) £50 each, then it might be low risk, but what if only 1,000 people joined the class action, and they were risking having to pony up £2,000 each?

            This "my dog is bigger than your dog" approach is how the big banks avoid being sued left, right and centre for their fraudulent behaviour; it works, and government only intervenes in the most egregious of cases like PPI extortion.

            In the US legal system each side bears their own costs regardless of outcome, and that's a major contributor to the fact that everybody is suing everybody.

            1. Anonymous Coward

              Re: Jump on the sinking ship now!

              > and the burden of proof will be quite difficult for individuals to claim compensation (and anyway, in the UK compensation cannot be punitive as it can in the US)

              Ignoring the fact that judges can award exemplary (punitive) damages in well-defined circumstances, the DPA allows for the claiming of compensation for distress caused by a breach (and one can take parallels from the TalkTalk issue to the case study on the ICO's site). Given the scale of the data loss, the reports of scammers phoning, and the amount of time it's apparently taking TalkTalk to tell its customers if their details were amongst those that were lost, I'd have thought a distress claim might be worth looking at.

              > "What's more, under UK law, the loser is generally liable for the costs of the winner"

              True - you'd be better off with Small Claims cases where costs tend not to be awarded. Obviously 1 wouldn't be an issue, 50,000 might be (if that number of people were sufficiently bothered, etc, etc).

              1. Vic

                Re: Jump on the sinking ship now!

                Small Claims cases where costs tend not to be awarded

                I've been awarded costs in a Small Claims Court.

                It's capped at £50 a day. And the bugger never paid anyway.

                Vic.

        2. Doctor Syntax

          Re: Jump on the sinking ship now!

          "But in the UK class actions don't exist, and the burden of proof will be quite difficult for individuals to claim compensation"

          However a host of customers wanting to leave & claiming in the small claims court against any attempt to extract fees could be a different matter.

          Would they try to defend? If they tried and failed would they keep trying? If they overlooked one or two and ignored the judgements they might have a procession of bailiffs rolling up to the front door to seize bits & pieces such as the receptionists' PC. If a couple of well presented cases defeated them they could look forward to haemorrhaging customers.

    3. Voland's right hand

      Are you sure?

      https://image-store.slidesharecdn.com/1f11cc86-c2d9-4299-9a14-edfe61bf5239-medium.jpeg

      Note the VCR and the Windows 9x behind her. That is their "innovation center" apparently.

      Are you sure you would invest in that? I would not.

  3. Anonymous Coward

    How would they know?

    I mean if they can't be bothered with the most important security are they really going to have security in place around their data?

    Was it lifted from the back or the front of the database? by that I mean raw data on the server or through a query.

    I don't know why I'm even questioning this as all throughout this TalkTalk haven't once looked like they were lying at all in the slightest without doubt.

  4. msknight

    I would believe a politician before I believe TalkTalk, after the way they've spun this whole debacle.

  5. Stuart 22

    She's still there

    What do you have to do to get sacked at TalkTalk? (if you aren't one of the small people).

    1. Anonymous Coward

      Re: She's still there

      Be an employee in the IT department; it all got offshored and they fired everyone.

    2. Voland's right hand

      Re: She's still there

      Why specifically Talk-Talk - most UK PLCs are not any different.

      1. Anonymous Coward

        Why specifically Talk-Talk - most UK PLCs are not any different

        I wasn't working for most UK PLCs, I was working for TalkTalk when it got offshored ...

  6. Anonymous Git

    grrr

    So TalkTalk, are you going to inform the 157,000 customers that have had their details stolen? And maybe tell the other 4 million (plus ex-customers) that theirs haven't been, just for reassurance... That's if we have faith in your bullshit comments that come out...

    Note to all other companies: check your systems... encrypt the customers' data at the very least! And stop keeping ex-customers' data!

    1. Velv

      Re: grrr

      Given their inability to get anything right to date, what's the confidence factor in them getting the right statement to the right people safely...

    2. teebie

      Re: grrr

      No, because they don't really know whose details have been stolen; they are just banking on 157,000 or fewer users being able to show a reasonable level of proof that they are affected.

      (N.B. I made this up, but it does seem feasible to me)

  7. BlackBolt

    I'd never use them...

    But that's mainly because of the shocking attitude towards the problem, rather than the actual data loss.

    Being hacked is bad, but it CAN happen to anyone. Being an arse about it afterward is a management decision. Not managers I'd ever trust with any of my data.

    It's pretty shocking that there isn't a board of authority that can seriously rap their knuckles. If they were a bank they'd have been hammered for data loss.

    1. Anonymous Coward

      Re: I'd never use them...

      How have they been an arse about it?

      * They've been honest and shared a worst case scenario when it would have been easier to hide it and protect their share price.

      * They've kept people updated through the media and emails

      * They've shut down their public facing systems entirely until they are happy there are no more vulnerabilities.

      * They've employed some of the top security consultants in the country (e.g BAE) to independently audit their systems

      Aside from not screwing up in the first place, what more would you like them to do? How much has the media spun this out of proportion anyway? People talk about Dido needing to quit, but would it be better to have the ship without a captain when it is in rocky waters? That wouldn't be very responsible.

      1. Commswonk

        Re: I'd never use them...

        * They've shut down their public facing systems entirely until they are happy there are no more vulnerabilities.

        * They've employed some of the top security consultants in the country (e.g BAE) to independently audit their systems

        Now I'm not an IT expert but how long is the shutdown going to be? It seems to be taking a long time to carry out the audit and remove the vulnerabilities; the time being taken suggests that things are bad indeed.

        Aside from not screwing up in the first place, what more would you like them to do? How much has the media spun this out of proportion anyway? People talk about Dido needing to quit, but would it be better to have the ship without a captain when it is in rocky waters? That wouldn't be very responsible.

        Given that people have been scammed as a result of this breach (and / or earlier ones) I think the media are perfectly entitled to keep the pressure up. Today's Daily Mail (there; I've said it) has a 2 pager dedicated to TT, and Radio 4's Moneybox ran quite a large piece about TT today (Saturday 7th) lunchtime. For the avoidance of doubt neither was complimentary.

        The analogy using a ship is not entirely valid; a plc ought to have Continuity Planning so that a CEO can be on holiday / ill / defenestrated without the entire company collapsing in consequence. And in any case if it was the ship's captain who sailed into rocky waters in the first place by ignoring the "rules" (i.e. navigation charts) then the best place for him / her might be anywhere other than the bridge. Unfit for command... especially so if the captain, having hit a rock in the first place seems to be trying to hit as many others as possible while denying their very existence to his / her terrified passengers.

        1. Anonymous Coward

          Re: I'd never use them...

          Now I'm not an IT expert but how long is the shutdown going to be? It seems to be taking a long time to carry out the audit and remove the vulnerabilities; the time being taken suggests that things are bad indeed.

          Depends on the size of the audit, doesn't it, given that TalkTalk is rather big (I think about 4m customers they've said this morning?) and their website doesn't look simple. I think any technology organisation with thousands of employees is likely to have rather complex systems. Plus if code needs rewriting then that isn't trivial if that code has to scale to hundreds of thousands of complex transactions.

          Interestingly it looks like part of the "my account" systems are back on-line.

  8. Your alien overlord - fear me

    We know how crap their security is, but just how crap is their database system if they have 28,000 orphaned credit card records? Is everything run off a dBase III system?

    1. teebie

      I can't imagine they are using the word 'orphaned' in its technical sense, given their abuse of 'encrypted', 'secure' and 'the records were obtained through DDOS'

    2. Anonymous Coward

      They could legitimately be orphaned records: if there are 3 tables taking part in a many-to-many join and you lose the table that holds the links, you don't have anything to tie the two together again... I assume they can see from the data/logs what was stolen..

      That said why CC data would be in a many to many is beyond me... I suppose you could have it linked to orders rather than the account...
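      The many-to-many case described in the comment above, as an added example that is not part of the original post and says nothing about TalkTalk's actual schema: a constructed SQLite database with an accounts table, a cards table and a link table between them. Once rows of the link table are gone, the card rows still exist but no longer join to any account, which is what "orphaned" means in the technical sense. Every table, column and value here is an assumption made for illustration.

```python
import sqlite3

# Constructed sample data (hypothetical schema, not TalkTalk's).
# Card numbers are masked placeholders, not real PANs.
ACCOUNTS = [(1, "alice"), (2, "bob"), (3, "carol")]
CARDS = [(10, "4111********1111"), (11, "5500********0004"), (12, "3400*******0009")]
# Link table for the many-to-many relationship: one card may be used by
# several accounts, and one account may hold several cards.
LINKS = [(1, 10), (2, 11), (3, 12), (1, 11)]


def build_db():
    """Create the three tables in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE cards (id INTEGER PRIMARY KEY, masked_pan TEXT NOT NULL);
        CREATE TABLE account_cards (account_id INTEGER NOT NULL,
                                    card_id INTEGER NOT NULL);
    """)
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    conn.executemany("INSERT INTO cards VALUES (?, ?)", CARDS)
    conn.executemany("INSERT INTO account_cards VALUES (?, ?)", LINKS)
    conn.commit()
    return conn


def orphaned_cards(conn):
    """Card ids with no surviving row in the link table.

    A LEFT JOIN keeps every card; the WHERE clause keeps only those for
    which the join found nothing, i.e. cards that can no longer be tied
    back to any account.
    """
    rows = conn.execute("""
        SELECT c.id
        FROM cards AS c
        LEFT JOIN account_cards AS ac ON ac.card_id = c.id
        WHERE ac.card_id IS NULL
        ORDER BY c.id
    """).fetchall()
    return [r[0] for r in rows]


def lose_links(conn, card_ids):
    """Simulate the scenario in the comment: link rows for these cards are lost."""
    conn.executemany("DELETE FROM account_cards WHERE card_id = ?",
                     [(cid,) for cid in card_ids])
    conn.commit()


def demo():
    """Return the orphan list before and after the link rows disappear."""
    conn = build_db()
    before = orphaned_cards(conn)   # every card still linked -> []
    lose_links(conn, [11, 12])
    after = orphaned_cards(conn)    # cards 11 and 12 now orphaned -> [11, 12]
    conn.close()
    return before, after


if __name__ == "__main__":
    print(demo())
```

      Note that card 11 was linked to two accounts; deleting all of its link rows orphans it just the same as card 12, while card 10 keeps its single link and is not reported. Declaring the link columns as foreign keys (with `PRAGMA foreign_keys = ON` in SQLite) would stop an application from deleting a parent row while links exist, but it does nothing to recover links that have already been lost.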

  9. Grubby

    The number shouldn't matter

    It is irrelevant how many customers' data were stolen, the fact is they have proven beyond reasonable doubt that they cannot protect the data of their customers which is a breach of section 8.2 of their own terms and conditions which states they "will not be liable for breaches beyond their control", or to put it another way they are liable for breaches within their control.

    So either they are saying that there is nothing they could do to prevent the attack, in which case there is also nothing they can do to prevent a future attack; or they are saying that they will make improvements to their security and therefore they do control the process and so the breach was within their control. All 4 million customers have the right to challenge this and terminate their contracts.

    I would recommend that they just cancel, ignore any letters and let's see how many cases make it to court for the termination charges... (None).

  10. Anonymous Coward

    according to TalkTalk

    T/T yesterday told me "less than 20,000 customers affected" ... I let it go as the 'less / fewer' mistake is almost minor compared with their other screw-ups ...

  11. A Ghost

    I've had enough now

    Been getting so many dodgy phone calls from them and the Indian "Microsoft" who had my details to fix my computer, that I had to take my phone permanently off the hook, with seriously ill people in my family as well.

    They sent me a bullshit letter today, with totally insulting and conflicting information, and still not informing me whether my details had been stolen. When obviously they have been stolen, at least on one occasion.

    But it's actually personal coz I really don't like the cut of that piss taker dido's gib. Now *that* is a Backpfeifengesicht if ever I saw one. She had her chance - she blew it.

    When I first moved here, they were the only game in town, now I have at least one more option - more expensive - yes - but it will be worth every single penny. BT or Virgin, both have their problems too, but I'm feeling bloodlust and a serious need for vengeance.

    I was being called 3 or 4 times a fucking day at one point. And then the Indian scammers on top. Just waiting for the door to be kicked in at 5 in the morning and all my computers and disks taken, coz someone has stolen my identity to download bloody child abuse images.

    And they have only NOW sent me a vague letter saying the bullshit they were talking on the BBC. Totally contradicting themselves on several points.

    I think Dido is a fucking crack head or a functioning alcoholic by the looks of her. She's fucked it for her company. 5-10 quid extra per month is a *lot* of money for me as I don't have a job at the moment. But it will be the sweetest taste I ever get in my mouth to hit back and punish these fuckers.

    </absolutely raging>

    Calm now.

    Still going to leave TalkTalk. All that bullshit with their version of Phorm and the DPI they were doing. They lied about that. Now the third or fourth security breach in a year! How the hell are people not being sacked over this? We both know the answer to that. So that is why I will take my ounce of flesh from them. If you are on TalkTalk still at this point when you have an option (even if it is more expensive) then you will get what is coming to you soon.

    This shit is going to continue because they have a culture of corruption there. The whole company is rotten to the core. And they could have still got away with it by being honest, contrite and making plans for future infrastructure improvement. But they do what they always do - lie. I'm finished with the liars and piss takers.

    They are so fucking stupid. They would have been better off not sending me that letter with my bill and insulting me. They really have no clue. I can't wait for the next one to happen and say 'told you so'. I want to see this company go down and burn. It's all they deserve at this point and they only have themselves to blame.

    The only thing that could change my mind at the moment is if the shareholders agreed to burn Dido at the stake, and let me light the fire. Otherwise, I'm gone.

    I'm not even mad, bro.

  12. Spoonsinger

    "TalkTalk claims 157,000 customers were victims of security...."

    Shirley all TalkTalk customers are victims and should be pitied.

  13. TheProf

    I'm not in the least bit worried

    Every time I typed my credit card details into their web page I made sure there was a padlock icon in the address bar.

  14. Anonymous Coward

    Reminds me

    Reminds me of a fisherman's tale, only inverted

  15. minutemaid4321

    What about the other data that you stated was lost?

    In your other article found here: http://www.theregister.co.uk/2015/11/03/talktalk_incident_management_review/?page=3 you stated that 1.2 million emails, names and numbers were stolen. Does that still stand?

  16. barry8082

    TalkTalk data breach

    I am one of the 160,000 customers who had their information stolen and I am wondering whether anybody has taken TalkTalk to the small claims court for the cost, inconvenience and stress caused by this breach and the disclosure of your information to international criminal organisations. I have tried to find lawyers who would be prepared to take a class or group action but the few that had websites open have now deleted these sites, so I assume that they are no longer interested in pursuing TalkTalk. Nor are the so-called "consumer organisations" planning to hold TalkTalk to account. Paper tigers all. It seems nobody is willing to support the consumer. So it is up to individuals to pursue TalkTalk. Imagine if all affected customers lodged individual claims in the small claims court. The cost of defending 160,000 cases would be prohibitively expensive, especially as TalkTalk cannot claim their legal costs against the plaintiff, win or lose. Any comments would be appreciated.
