Slashdot Mirror


TalkTalk Customer Data At Risk After Cyber-attack On Company Website (theguardian.com)

An anonymous reader writes: Police are investigating a "significant and sustained" cyber-attack on the website of TalkTalk, an internet and TV provider, which could have compromised customers' credit card and other personal details. The telecoms provider has 4 million customers in the UK. It is the second time in the past 12 months that TalkTalk customers have been affected by data breaches. "We are continuing to work with leading cybercrime specialists and the Metropolitan police to establish exactly what happened and the extent of any information accessed," the company said on Thursday night after revealing the attack, which took place on Wednesday.

Its chief executive, Dido Harding, said: "We take any threat to the security of our customers' data extremely seriously, and we are taking all the necessary steps to understand what has happened here." TalkTalk was informing its customers immediately about the attack as a precaution, she added.

46 comments

  1. Really? by Anonymous Coward · · Score: 0

    >"We take any threat to the security of our customers' data extremely seriously,

    It must be so serious if they didn't bother to encrypt it.

    1. Re:Really? by Anonymous Coward · · Score: 0

      To be fair, the police are advising people to make sure any URL you are accessing starts with http://

      http://www.theregister.co.uk/2015/10/23/essex_police_twitter_hacked/

    2. Re:Really? by Anonymous Coward · · Score: 0

      To be fair, the police are advising people to make sure any URL you use starts with http:// for security.

      http://www.theregister.co.uk/2015/10/23/essex_police_twitter_hacked/

    3. Re:Really? by Anonymous Coward · · Score: 0

      If the biggest companies in the world like Sony, HD, and others cannot stop hackers, how can we expect anything smaller than a state government to actually handle a concerted attack?

    4. Re:Really? by Anonymous Coward · · Score: 0

      It's not a matter of stopping hackers; it's a matter of encrypting data.

      Yet it's 2015 and companies still fuck this up.

    5. Re:Really? by manu0601 · · Score: 1

      how can we expect anything smaller than a state government to actually handle a concerted attack?

      Even governments struggle. Remember Russia addressed APT by reverting back to typewriters.

  2. Accountability by Locke2005 · · Score: 1

    Only way to stop this from happening is to make companies 100% financially responsible for all losses predicated by their lost data. We need those laws passed now, and then make an example out of the next one, hopefully driving them into bankruptcy.

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
    1. Re:Accountability by matbury · · Score: 1

      Under tort law, they are liable. They clearly failed to put into place sensible and reasonable safeguards to protect their clients' sensitive data. CEO Dido Harding made a press statement that she didn't know if the banking details on TalkTalk's database were encrypted (gross negligence, in my opinion).

      However, we live in an age of blameless, shameless corporations who know that, as long as they don't embarrass any powerful people (that doesn't include politicians), they can get away with just about anything.

    2. Re:Accountability by jonbryce · · Score: 2

      Baroness Harding of Winscombe studied Philosophy, Politics and Economics at Oxford. I doubt she even knows what encryption is. She certainly doesn't know the difference between a DDOS attack and an SQL injection attack.

    3. Re:Accountability by Anonymous Coward · · Score: 0

      Pretty sure it wasn't Dido who coded the company's sites and databases, either. This is a CIO/CTO/whateverO role, and they should be preparing a briefing for the board. Catching someone out on the 24h news cycle isn't even sport.

    4. Re:Accountability by mikael · · Score: 1

      So what if the databases were encrypted, the hackers would look for a system that had the encryption keys. Talk-Talk insist on every customer using Direct-Debit, rather than online payments or online billing, so they demand everyone's bank details. They could have simply given customers the choice of how to pay.

      In Norway, companies just send you an email with the Faktura and KID number. You use online banking to make the payment with confirmation going through your mobile phone with BankID

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    5. Re: Accountability by Anonymous Coward · · Score: 0

      Emails requesting money should always be read and paid with no delay. Emails cannot lie.

    6. Re:Accountability by tehcyder · · Score: 1

      So what if the databases were encrypted, the hackers would look for a system that had the encryption keys. Talk-Talk insist on every customer using Direct-Debit, rather than online payments or online billing, so they demand everyone's bank details. They could have simply given customers the choice of how to pay.

      In Norway, companies just send you an email with the Faktura and KID number. You use online banking to make the payment with confirmation going through your mobile phone with BankID

      It's a lot easier and more convenient to set up a Direct Debit and have it paid each month without having to do anything, especially for things like TV/phone subscriptions which probably don't vary from month to month anyway.

      I do not want to have to manually pay my gas, electricity, water, rent, mortgage, life assurance, medical insurance, car insurance, house insurance, pet insurance, gym subs, golf club membership, student loan repayment, charity donations, child support, TV, mobile phone, broadband, credit card bills or whatever each month. I just have to check my monthly bank statement (online) and make sure nothing odd has happened with any of my Direct Debits - and I'm protected if it has.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
  3. Hack used SQL injection .. by nickweller · · Score: 1

    'Reports suggest that TalkTalk was subjected to a distributed denial-of-service (DDoS) attack that enabled the attackers to utilise SQL injection techniques. SQL injection allows an attacker to feed commands to a database (that shouldn't normally be accessible) via a poorly-designed website form or input box.'

    1. Re:Hack used SQL injection .. by JustAnotherOldGuy · · Score: 3, Insightful

      Fucking aye, have these people never heard of sanitizing data, or is that some new-fangled thing?

      I rigorously sanitize ALL data coming into my sites (every single input) and I'd be genuinely surprised if a SQL injection would work on any of them.

      I mean, it's just not that fucking hard to guard against, why can't these companies full of hot-dog programmers seem to get it right??

      --
      Just cruising through this digital world at 33 1/3 rpm...
    2. Re: Hack used SQL injection .. by valdezjuan · · Score: 1

      It's sad how many people who 'write code' have never heard of input sanitization or output encoding, let alone parameterized queries. They all think it's someone else's job.

    3. Re:Hack used SQL injection .. by Anonymous Coward · · Score: 1

      Thankfully my past few contracts have been sane, but there are a ton of companies out there who hire programmers (the archetypical "H-1B" talked about on Slashdot who is revered by PHBs), whose focus is lines of code and getting a project to a buildable form to make a ship date. Code quality? Who gives a rat's ass, as long as deadlines are met.

      Security is, at best, an afterthought. In this economy, it is better to get a website up and money coming in, and then worry about Bobby Tables when it happens, than to bother with parameterized queries or doing it right. The goal is to meet the ship or go live date, and as a programmer, it is a lot better to make the ship date with no security factored in than slip a deadline to make sure things are tightened down properly. If you slip a deadline, you get fired. A security bug is just another ticket on the Agile system to go fix after the next round of features that marketing wants gets put in.

    4. Re:Hack used SQL injection .. by Anonymous Coward · · Score: 0

      If you need to sanitise data you are doing it wrong.
      I am guessing your customers are not allowed to be Scottish because they have a quote symbol in their name.

      If you need to escape inputs before making an SQL string, you are also doing it wrong.

      Do everyone a favour and use prepared statements, which allow any input to properly be entered into the database without causing security issues.
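The point made in this comment and in the parent thread (a string-built SQL query is both injectable and unable to hold a legitimate apostrophe such as O'Flaherty, while a prepared statement handles any input) can be shown side by side. The block below is an added example written for this page, not code from TalkTalk or from any commenter; the customer rows, the `make_db`, `lookup_vulnerable`, `lookup_parameterized` and `validate_surname` helpers and the "bank_ref" placeholders are all constructed for illustration, using only Python's standard `sqlite3` module.

```python
import re
import sqlite3

# Constructed sample rows (placeholder values, not real customer data).
# The apostrophe in the first surname is legitimate input: the case that
# quote-stripping "sanitisation" either rejects or silently corrupts.
CUSTOMERS = [
    (1, "O'Flaherty", "bank-ref-placeholder-1"),
    (2, "McManus", "bank-ref-placeholder-2"),
]


def make_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, surname TEXT, bank_ref TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, surname):
    """The 'before' shape the thread criticises: user input pasted into SQL text.
    Deliberately left injectable so its behaviour can be compared below."""
    sql = "SELECT id, surname FROM customers WHERE surname = '%s'" % surname
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, surname):
    """Prepared statement: the value travels separately from the SQL text,
    so a quote in the input is data, never syntax."""
    sql = "SELECT id, surname FROM customers WHERE surname = ?"
    return conn.execute(sql, (surname,)).fetchall()


def vulnerable_breaks_on_apostrophe(conn, surname="O'Flaherty"):
    """True if the string-built query fails on a perfectly valid surname."""
    try:
        lookup_vulnerable(conn, surname)
    except sqlite3.Error:
        return True
    return False


# Validation complements parameterization rather than replacing it: an
# allowlist that still admits apostrophes and hyphens, bounds the length, and
# refuses characters a surname never contains. Pattern is an assumption.
SURNAME_RE = re.compile(r"^[A-Za-z][A-Za-z' \-]{0,63}$")


def validate_surname(surname):
    return bool(SURNAME_RE.match(surname))


if __name__ == "__main__":
    db = make_db()
    # The textbook tautology input: returns every row through the vulnerable
    # path, zero rows through the parameterized path, and fails validation.
    tautology = "x' OR '1'='1"
    print("vulnerable, tautology:", lookup_vulnerable(db, tautology))
    print("parameterized, tautology:", lookup_parameterized(db, tautology))
    print("parameterized, O'Flaherty:", lookup_parameterized(db, "O'Flaherty"))
    print("vulnerable breaks on O'Flaherty:", vulnerable_breaks_on_apostrophe(db))
    print("validate O'Flaherty / tautology:",
          validate_surname("O'Flaherty"), validate_surname(tautology))
```

The parameterized path returns the O'Flaherty row intact and treats the tautology string as a surname that simply does not exist; the string-built path does the opposite on both inputs. Validation here is a second layer for catching malformed data early, not a substitute for the placeholder.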

    5. Re:Hack used SQL injection .. by Anonymous Coward · · Score: 0

      The service on my site is just a front. The whole thing is just a honey pot I'm tracking from another system. I mean I thought everyone knew but you might want to stay off yahoo. ;)

    6. Re:Hack used SQL injection .. by Anonymous Coward · · Score: 0

      I am guessing your customers are not allowed to be Scottish because they have a quote symbol in their name.

      ?

      Do you mean Irish (O'hare, O'flaherty etc.)?

      Or is this some other quote symbol I am not aware of?

    7. Re:Hack used SQL injection .. by AmiMoJo · · Score: 2

      Security costs money. The lowest bidder rarely bothers with it, and the company sure as hell isn't going to pay to have it properly tested. As far as the boss is concerned the box was ticked, their bonus was secured.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:Hack used SQL injection .. by Anonymous Coward · · Score: 0

      >Security costs money.

      I suppose you have no evidence of that. Urban legend. We're talking here about basic security. Being protected against XSS, injection, and CRLF does not cost anything, it's trivial. Done correctly, it will force you to structure your programming and this will probably make you spare money even while still developing.

    9. Re:Hack used SQL injection .. by ChumpusRex2003 · · Score: 1

      Except we're not talking about complex security models such as role-based access, split encryption keys, external audits and pen-tests.

      This is the most basic level of security: Failure to validate user input, and the continued use of dynamic SQL statements rather than prepared statements - something which is a trivial code modification.
      Storing customers' bank/credit card details in the web-facing application database (as opposed to communicating them to a payment application/processor or separate internal system) - something which is just totally inept design

      Beyond that, it is clear that they don't make use of good development practice. A quick look at the source for their web site shows stuff like inline CSS, comments all over the place, IFRAMES, etc. All that sort of stuff indicates that they don't have adequate code standards, they are unlikely to be using a version control system, and they have no idea what an XSS vulnerability is.

      Finally, it is obvious that the communication between their IT department and CEO is sorely lacking. This is the 3rd time they have been hacked and suffered a major data breach. It is clear that they learned nothing the first 2 occasions. The CEO made a public media statement saying that she did not know if customer details, passwords or banking details were stored in an encrypted form, and did not know how long it would take to find out (it's hard to believe that the CEO could not have asked the CTO, or that the CTO wouldn't know, or be able to find out). Moreover, the advice to customers given via the media has also been incorrect (e.g. Q: How do I know if an e-mail purporting to be from talk talk is genuine? Check the "from" address shown in your e-mail software. If it is genuine it would be a talktalk address.)

    10. Re: Hack used SQL injection .. by JustAnotherOldGuy · · Score: 1

      Yep. parameterized queries are good practice and should be mandatory, but even they can be dispensed with if the incoming data is properly sanitized and validated. They're highly, highly recommended and should really always be used, but half of the problems they solve are related to bad or malicious data getting placed into the query.

      But people never learn, do they?

      It astounds me that I, a lone guy coding in a home office can apparently write safer, more secure code than Sony, Twitter, Samsung, Facebook, IBM, YikYak, Patreon, SAP, Drupal, NASA, Adobe, LinkedIn, Nokia, etc etc etc.

      Granted, I don't write nearly as much code, but then I don't have multiple office buildings filled with teams of highly-paid professional coders, either. These are billion dollar companies who don't seem to know the first fucking thing about basic security practices. Incredible.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    11. Re:Hack used SQL injection .. by JustAnotherOldGuy · · Score: 1

      Security costs money.

      So does a security breach that tanks your stock or allows money to be siphoned out of the company.

      And in fact, security doesn't really cost squat when it's done right and baked in at the code level. I have some fairly robust sanitization libraries that I use over and over and over, and it's not costly nor is it a big deal to simply use them when I build an app or a site. We're talking a few extra seconds of typing to add a call to sanitize(type, size, method) to clean the incoming data.

      FFS, if I can do it so can Sony or Nokia or Patreon or TalkTalk or NASA or Facebook or LinkedIn.

      Why is this shit still a mystery in 2015??

      --
      Just cruising through this digital world at 33 1/3 rpm...
    12. Re:Hack used SQL injection .. by nickweller · · Score: 1

      Assuming we're being told the truth, it could have been used as a distraction from the main attack. But apparently the hackers got hold of some third-party login credentials using social engineering and used these to leverage access to the customer database. What this unencrypted database was even doing accessible from the Web just beggars incredulity. Are they teaching them anything in computer school nowadays?

    13. Re:Hack used SQL injection .. by AmiMoJo · · Score: 1

      When there is a security breach you play the victim. Evil hackers raped your servers. Anyway, as any pro CEO knows, the trick is to make sure you have moved on by the time it all goes wrong anyway.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    14. Re:Hack used SQL injection .. by JustAnotherOldGuy · · Score: 1

      If you need to sanitise data you are doing it wrong.

      This is one of the stupidest things I've ever heard.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    15. Re:Hack used SQL injection .. by Anonymous Coward · · Score: 0

      Right, magic quotes style security. I hope that's not all you're doing.

    16. Re:Hack used SQL injection .. by tehcyder · · Score: 1

      I am guessing your customers are not allowed to be Scottish because they have a quote symbol in their name.

      ?

      Do you mean Irish (O'hare, O'flaherty etc.)?

      Or is this some other quote symbol I am not aware of?

      Mc"Manus, Mac"Sweeney et al.

      The " is silent.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
  4. Eh? by tomxor · · Score: 1

    TalkTalk was informing its customers immediately about the attack as a precaution, she added

    And yet slashdot is the first place i heard about it.

    1. Re:Eh? by Anonymous Coward · · Score: 0

      TalkTalk was informing its customers immediately about the attack as a precaution, she added

      And yet slashdot is the first place i heard about it.

      Then your head must be in the sand. It has been on pretty much every major media outlet for the best part of 48 hours...

    2. Re:Eh? by Anonymous Coward · · Score: 0

      It's been on the BBC news. TalkTalk apologized for the hack, not that they hacked themselves - they've not apologized for their poor security. They also said they didn't give a shit about customers' security, I mean, they said they'd been "far too complacent", presumably this was about around the time their shares dropped 10% in value.

  5. I liked TalkTalk Better before by Anonymous Coward · · Score: 0

    .. when they were a band.

  6. I read they were DDoS'd... apk by Anonymous Coward · · Score: 0

    See subject & http://www.theregister.co.uk/2...

    * There's various settings that help I know of (for MS Windows) & DDoS Appliances (IF you have the bandwidth) OR "DDoS-Proof" setups like both Amazon & MS have -> http://yro.slashdot.org/commen... that can help too...

    APK

    P.S.=> Still, I wouldn't be surprised if THAT was merely a "smokescreen cover" distracting them from what was REALLY going on, in data thievery of their users accounts etc. ... apk

    1. Re:I read they were DDoS'd... apk by Ash-Fox · · Score: 1

      * There's various settings that help I know of (for MS Windows) & DDoS Appliances (IF you have the bandwidth) OR "DDoS-Proof" setups like both Amazon & MS have -> http://yro.slashdot.org/commen... that can help too...

      The 'DDoS-Proof' setups that Amazon and Microsoft use tend to rely heavily on anycast and using intelligent webbased end points, they have routers that sit in front that only pass web traffic to those end points, pings to another system and drop other packets. To my knowledge, they don't make use of DDoS appliances for their own provided services (maybe for customers on AWS and Azure, but that's another story).

      --
      Change is certain; progress is not obligatory.
  7. Talk the Talk by Anonymous Coward · · Score: 0

    Dido Harding the incompetent TalkTalk CEO grew up on a pig farm and was a classmate of David Cameron's at Oxford. He made her a life peer last year. Oink! Oink!

  8. Dido? by Anonymous Coward · · Score: 0

    Will he go down with his ship?

    Also why is government money wasted helping out huge businesses deal with their incompetence? Unless someone physically stole the servers, I expect some part of the web site was-intentionally or otherwise-programmed to send private data out on command. Nobody can force data out of some organisation from a distance.

    If someone cracks my home computer I certainly don't expect the police to investigate, yet I don't have millions of £ for forensics either. Deal with your own mess, leeches. And customers, make them pay for any Data Protection breaches, then switch provider. TT are bottom of the barrel.

  9. TalkTalk Group by pigsycyberbully · · Score: 1

    Looks like they took on too many customers and it was overload. They took all of virgin net dial-up customers in just one day because virgin wanted to switch to broadband cable users only and cable television and telephones. "people in the U.K. hate TalkTalk Telephone and Internet because their sales staff bombard them with special offers nuisance calls and spam". Really? https://en.wikipedia.org/wiki/... "Virgin broadband customers told: we're moving you to TalkTalk and you'll lose your email Virgin Media is transferring 100,000 broadband and home phone customers to TalkTalk, and customers will have 12 months to adopt a new email address. Virgin Media insisted that the transition to TalkTalk would be “seamless” and customers would not lose their connection at any point". I love reading other people's Internet providers homepages. http://community.virginmedia.c... At the moment I'm reading some in Amsterdam find the language hard going I might purchase a server there prices look good.

  10. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  11. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  12. Learn to read by Anonymous Coward · · Score: 0

    I never said DDoS Appliances are used by MS or AMAZON either. Just that they're all possible options. Read it closely again:

    "* There's various settings that help I know of (for MS Windows) & DDoS Appliances (IF you have the bandwidth) OR "DDoS-Proof" setups like both Amazon & MS have" - by "yours truly" on Friday October 23, 2015 @06:34PM (#50790853)

    The & + OR separate the listed items - that's what those items do in sentences.

    APK

    P.S.=> Once you read it better you'll understand it better - seems others did well enough to rate the post link it came from that all that pointed to a +3 INTERESTING http://yro.slashdot.org/commen... so, there you are - see subject... apk

    1. Re:Learn to read by Ash-Fox · · Score: 1

      I admit, I did not understand what you had written initially properly.

      --
      Change is certain; progress is not obligatory.
    2. Re:Learn to read by Anonymous Coward · · Score: 0

      I admit, I did not understand what you had written initially properly.

      That's hardly your fault.

  13. Fair enough - it happens... apk by Anonymous Coward · · Score: 0

    See subject. All I know was the 1st time I put it up I was uprated to +3 Informative (& I hope it was useful to folks).

    I'll take a peek @ this anycast item you noted as the source article I used quoting MS folks & about AMAZON didn't note that, iirc.

    (However, it's been a LONG TIME since I read it, & I only quote what I saw since detail here is tough - they only let you post so much @ once as AC as I use... still, I was impressed that it IS possible to stop "the unstoppable" attack in DDoS - I also found it funny how AMAZON "lucked out" just by design vs. "Holiday shopping rushes" that 'emulate' DDoS (a lot)).

    APK

    P.S.=> It's too bad EVERYONE can't set themselves up like MS & Amazon do. The costs are "enormous" & NOT for 'everyone' to do. If they could? Hey - nobody could be DDoS'd, @ least not without them knowing about it up front before it freezes sites dead, knocking out the bogus requests... apk