TalkTalk Customer Data At Risk After Cyber-attack On Company Website

An anonymous reader writes: Police are investigating a "significant and sustained" cyber-attack on the website of TalkTalk, an internet and TV provider, which could have compromised customers' credit card and other personal details. The telecoms provider has 4 million customers in the UK. It is the second time in the past 12 months that TalkTalk customers have been affected by data breaches. "We are continuing to work with leading cybercrime specialists and the Metropolitan police to establish exactly what happened and the extent of any information accessed," the company said on Thursday night after revealing the attack, which took place on Wednesday.

Its chief executive, Dido Harding, said: "We take any threat to the security of our customers' data extremely seriously, and we are taking all the necessary steps to understand what has happened here." TalkTalk was informing its customers immediately about the attack as a precaution, she added.

Accountabilty

[Locke2005]

Only we to stop this from happening is to make companies 100% financially responsible for all loses predicated by their lost data. We need those laws passed now, and then make an example out of the next one, hopefully driving them into bankruptcy.

Re:Accountabilty

[matbury]

Under tort law, they are liable. They clearly failed to put into place sensible and reasonable safeguards to protect their clients' sensitive data. CEO Dido Harding made a press statement that she didn't know if the banking details on TalkTalk's database were encrypted (gross negligence, in my opinion).

However, we live in an age of blameless, shameless corporations who know that, as long as they don't emabarrass any powerful people (that doesn't include politicians), they can get away with just about anything.

Re:Accountabilty

[jonbryce]

Baroness Harding of Winscombe studied Philosophy, Politics and Economics at Oxford. I doubt she even knows what encryption is. She certainly doesn't know the difference between a DDOS attack and an SQL injection attack.

Re:Accountabilty

[mikael]

So what if the databases were encrypted, the hackers would look for a system that had the encryption keys. Talk-Talk insist on every customer using Direct-Debit, rather than online payments or online billing, so they demand everyone's bank details. They could have simply given customers the choice of how to pay.

In Norway, companies just send you an email with the Faktura and KID number. You use online banking to make the payment with confirmation going through your mobile phone with BankID

Re:Accountabilty

[tehcyder]

So what if the databases were encrypted, the hackers would look for a system that had the encryption keys. Talk-Talk insist on every customer using Direct-Debit, rather than online payments or online billing, so they demand everyone's bank details. They could have simply given customers the choice of how to pay.

In Norway, companies just send you an email with the Faktura and KID number. You use online banking to make the payment with confirmation going through your mobile phone with BankID

It's a lot easier and more convenient to set up a Direct Debit and have it paid each month without having to do anything, especially for things like TV/phone subscriptions which probably don't vary from month to month anyway.

I do not want to have to manually pay my gas, electricity, water, rent, mortgage, life assurance, medical insurance, car insurance, house insurance, pet insurance, gym subs, golf club membership, student loan repayment, charity donations, child support, TV, mobile phone, broadband, credit card bills or whatever each month. I just have to check my monthly bank statement (online) and make sure nothing odd has happened with any of myDirect Debits - and I'm protected if it has.

Hack used SQL injection ..

[nickweller]

'Reports suggest that TalkTalk was subjected to a distributed denial-of-service (DDoS) attack that enabled the attackers to utilise SQL injection techniques. SQL injection allows an attacker to feed commands to a database (that shouldn't normally be accessible) via a poorly-designed website form or input box.'

Re:Hack used SQL injection ..

[JustAnotherOldGuy]

Fucking aye, have these people never heard of sanitizing data, or is that some new-fangled thing?

I rigorously sanitize ALL data coming into my sites (every single input) and I'd be genuinely surprised if a SQL injection would work on any of them.

I mean, it's just not that fucking hard to guard against, why can't these companies full of hot-dog programmers seem to get it right??

Re: Hack used SQL injection ..

[valdezjuan]

It's sad how many people who 'write code' have never heard of input sanitization or output encoding, let alone parameterized queries. They all think it's someone else's job.

Re:Hack used SQL injection ..

Thankfully my past few contracts have been sane, but there are a ton of companies out there who hire programmers (the archetypical "H-1B" talked about on Slashdot who is revered by PHBs), whose focus is lines of code and getting a project to a buildable form to make a ship date. Code quality? Who gives a rat's ass, as long as deadlines are met.

Security is, at best, an afterthought. In this economy, it is better to get a website up and money coming in, and then worry about Bobby Tables when it happens, than to bother with parameterized queries or doing it right. The goal is to meet the ship or go live date, and as a programmer, it is a lot better to make the ship date with no security factored in than slip a deadline to make sure things are tightened down properly. If you slip a deadline, you get fired. A security bug is just another ticket on the Agile system to go fix after the next round of features that marketing wants gets put in.

Re:Hack used SQL injection ..

[AmiMoJo]

Security costs money. The lowest bidder rarely bothers with it, and the company sure as hell isn't going to pay to have it properly tested. As far as the boss is concerned the box was ticked, their bonus was secured.

Re:Hack used SQL injection ..

[ChumpusRex2003]

Except we're not talking about complex security models such as role-based access, split encryption keys, external audits and pen-tests.

This is the most basic level of security: Failure to validate user input, and the continued use of dynamic SQL statements rather than prepared statements - something which is a trivial code modification.
Storing customers bank/credit card details in the web-facing application database (as opposed to communicating them to a payment application/processor or separate internal system) - something which is just totally inept design

Beyond that, it is clear that they don't make use of good development practice. A quick look at the source for their web site shows stuff like inline CSS, comments all over the place, IFRAMES, etc. All that sort of stuff indicates that they don't have adequate code standards, they are unlikely to be using a version control system, and they have no idea what an XSS vulnerability is.

Finally, it is obvious that the communication between their IT department and CEO is sorely lacking. This is the 3rd time they have been hacked and suffered a major data breach. It is clear that they learned nothing the first 2 occasions. The CEO made a public media statement saying that she did not know if customer details, passwords or banking details were stored in an encrypted form, and did not know how long it would take to find out (it's hard to believe that the CEO could not have asked the CTO, or that the CTO wouldn't know, or be able to find out). Moreover, the advice to customers given via the media has also been incorrect (e.g. Q: How do I know if an e-mail purporting to be from talk talk is genuine? Check the "from" address shown in your e-mail software. If it is genuine it would be a talktalk address.)

Re: Hack used SQL injection ..

[JustAnotherOldGuy]

Yep. parameterized queries are good practice and should be mandatory, but even they can be dispensed with if the incoming data is properly sanitized and validated. They're highly, highly recommended and should really always be used, but half of the problems they solve are related to bad or malicious data getting placed into the query.

But people never learn, do they?

It astounds me that I, a lone guy coding in a home office can apparently write safer, more secure code than Sony, Twitter, Samsung, Facebook, IBM, YikYak, Patreon, SAP, Drupal, NASA, Adobe, LinkedIn, Nokia, etc etc etc.

Granted, I don't write nearly as much code, but then I don't have multiple office buildings filled with teams of highly-paid professional coders, either. These are billion dollar companies who don't seem to know the first fucking thing about basic security practices. Incredible.

Re:Hack used SQL injection ..

[JustAnotherOldGuy]

Security costs money.

So does a security breach that tanks your stock or allows money to be siphoned out of the company.

And in fact, security doesn't really cost squat when it's done right and baked in at the code level. I have some fairly robust sanitization libraries that I use over and over and over, and it's not costly nor is it a big deal to simply use them when I build an app or a site. We're talking a few extra seconds of typing to add a call to sanitize(type, size, method) to clean the incoming data.

FFS, if I can do it so can Sony or Nokia or Patreon or TalkTalk or NASA or Facebook or LinkedIn.

Why is this shit still a mystery in 2015??

Re:Hack used SQL injection ..

[nickweller]

Assuming we're being told the truth, it could have been used as a distraction from the main attack. But apparently the hackers got hold of some third-party login credentials using social engineering and used these to leverage access to the customer database. What this unencrypted database was even doing accessible from the Web just beggars incredulity. Are they teaching them anything in computer school nowadays.

Re:Hack used SQL injection ..

[AmiMoJo]

When there is a security breach you play the victim. Evil hackers raped your servers. Anyway, as any pro CEO knows, the trick is to make sure you have moved on by the time it all goes wrong anyway.

Re:Hack used SQL injection ..

[JustAnotherOldGuy]

If you need to sanitise data you are doing it wrong.

This is one of the stupidest things I've ever heard.

Re:Hack used SQL injection ..

[tehcyder]

I am guessing your customers are not allowed to be Scottish because they have a quote symbol in their name.

?

Do you mean Irish (O'hare, O'flaherty etc.)?

Or is this some other quote symbol I am not aware of?

Mc"Manus, Mac"Sweeney et al.

The " is silent.

Eh?

[tomxor]

TalkTalk was informing its customers immediately about the attack as a precaution, she added

And yet slashdot is the first place i heard about it.

TalkTalk Group

[pigsycyberbully]

Looks like they took on too many customers and it was overload. They took all of virgin net dial-up customers in just one day because virgin wanted to switch to broadband cable users only and cable television and telephones. "people in the U.K. hate TalkTalk Telephone and Internet because their sales staff bombard them with special offers nuisance calls and spam". Really? https://en.wikipedia.org/wiki/... "Virgin broadband customers told: we're moving you to TalkTalk and you'll lose your email Virgin Media is transferring 100,000 broadband and home phone customers to TalkTalk, and customers will have 12 months to adopt a new email address. Virgin Media insisted that the transition to TalkTalk would be “seamless” and customers would not lose their connection at any point". I love reading other people's Internet providers homepages. http://community.virginmedia.c... At the moment I'm reading some in Amsterdam find the language hard going I might purchase a server there prices look good.

Re:Really?

[manu0601]

how can we expect anything smaller than a state government to actually handle a concerted attack?

Even government struggle. Remember Russia addressed APT by reverting back to typewriters.

Re:I read they were DDoS'd... apk

[Ash-Fox]

* There's various settings that help I know of (for MS Windows) & DDoS Appliances (IF you have the bandwidth) OR "DDoS-Proof" setups like both Amazon & MS have -> http://yro.slashdot.org/commen... that can help too...

The 'DDoS-Proof' setups that Amazon and Microsoft use tend to rely heavily on anycast and using intelligent webbased end points, they have routers that sit in front that only pass web traffic to those end points, pings to another system and drop other packets. To my knowledge, they don't make use of DDoS appliances for their own provided services (maybe for customers on AWS and Azure, but that's another story).

Comment removed

[account_deleted]

Comment removed based on user account deletion

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Learn to read

[Ash-Fox]

I admit, I did not understand what you had written initially properly.