Slashdot Mirror


TalkTalk Hack: 4% of Customers' Data Accessed In Cyber Security Breach

Amanda Parker writes: TalkTalk has announced that 156,959 customers had their personal details accessed as a result of the recent attack on its website, in which 15,656 bank account numbers and sort codes were stolen. In an update, the firm also said the 28,000 credit and debit card numbers that were accessed were obscured, i.e. had part of the number asterixed out, and so are unusable for financial transactions. They were also "orphaned", says TalkTalk, so customers are unable to be verified by the stolen data.

25 comments

  1. customers were "accessed" by turkeydance · · Score: 2

    but TalkTalk was "attacked". vice/versa

    1. Re:customers were "accessed" by Anonymous Coward · · Score: 0

      And according to the article 28,000 cards "had part of the number asterixed out, and so are unusable for financial transactions". Presumably because they were attacked by everyone's favourite fictional Gaul?

      That aside, TalkTalk have bent over backwards to minimise reports of any damage they'd have to admit to, so I'll take this with a pinch of salt until I hear further.

  2. Seen much worse, yet SO MUCH press coverage. by Anonymous Coward · · Score: 0

    Anyone would think the government were trying to introduce seriously intrusive anti-technology laws and wanted to make a point of EVIL HACKERS trying to TERRORISE our DEMOCRACY.

    1. Re: Seen much worse, yet SO MUCH press coverage. by BarbaraHudson · · Score: 1

      4%? Big deal. You won't see any changes until the 1% have THEIR data swiped.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    2. Re: Seen much worse, yet SO MUCH press coverage. by Anonymous Coward · · Score: 0

      If it ever happens, computers for public use will be banned and an amnesty period introduced to have them replaced by "secured" and "children-friendly" appliances. The 1% is God.

    3. Re:Seen much worse, yet SO MUCH press coverage. by eneville · · Score: 1

      It's this sort of thing that draws attention to government data warehousing projects that have leaky data. Not the sort of thing the government should draw attention to.

  3. In related news.... by Anonymous Coward · · Score: 5, Funny

    "TalkTalk" is a thing that exists, apparently.

    1. Re:In related news.... by KGIII · · Score: 1

      According to someone from the UK, in a previous thread on this subject, TalkTalk is actually a large service provider (internet and cellular phone services - as I recall) in the UK with some fairly decent numbers. Though, a quick bit of math in my head indicates this number is only 4,000,000 or slightly less. So, I'm not sure how that relates to the prior comments about the business? Maybe there were only four million customers for this particular service? The prior poster indicated that TalkTalk was 4th in one market and 2nd in the other. Which was which is a memory that is gone - it didn't seem important at the time and isn't important enough for me to actually go to Google and figure out the applicable keywords.

      --
      "So long and thanks for all the fish."
    2. Re:In related news.... by xaxa · · Score: 2

      Fixed-line internet and phone, plus IPTV. They are also a virtual mobile operator, I don't think they've got many customers for this.

      There are about 27 million households in the UK, so 4 million is a decent portion of the total market.

  4. PCI DSS Compliance by garlicbready · · Score: 2

    One question to ask is, were Talk Talk PCI DSS 3.1 Compliant?
    Were they using software for change control, and logging of device event logs?

    If you're storing credit card data, then these standards require you to use software that recommends locking down kit, and logging via event logs to see who's broken in etc
    Also to get certified you need to be audited by an external auditor, have monthly updates, 3 monthly scans, 6 monthly software updates etc.
    I can't help but think with all these break ins, it's just piss poor admin / or cheapness that's at fault

    1. Re:PCI DSS Compliance by Anonymous Coward · · Score: 0

      One question to ask is, were Talk Talk PCI DSS 3.1 Compliant?

      One question to ask is: have you ever had to comply with privately written regulations? An invariable exercise in playing a game to make sure a few boxes can be checked by the easiest path possible, and outright prevaricating when you know there's no way anyone'll check.

      There are two types of regulation I worry about:

      1. At a corporate level, government regulators - despite the right-wing mythology, a lot of public servants are highly competent and driven by the desire to make things better (otherwise they'd have a better paid job elsewhere). What's more, they have the force of the law and the resources to inspect, and they know it. Exception if I'm working for a huge business that has also successfully engaged in regulatory capture, or where political asshattery has underfunded a particular agency/ministry/whatever you call it locally.

      2. At a personal level, the ethics standards of my professional body. I worked a very long time to get those postnominals, they are essential to my field, and my peers will have no hesitation in disciplining me or kicking me out if I misbehave.

      But "industry regulation" is almost always just a bit of fun. If I make something that works, it's because there is value in making things that work. There may absolutely be best practices, perhaps documented by an independent and well-respected organisation. But "compliance" with xyz usually means fuck all.

    2. Re:PCI DSS Compliance by garlicbready · · Score: 4, Informative

      Being an admin myself that's had to lock down kit for PCI DSS standards, these work a little differently

      1. First you need to be audited by an external auditor that provides the certificate
      If you don't follow the rules then no certification, bribes don't work either, and most of these guys are really thorough.

      2. The network needs to be separated into DMZ and Protected zones, the credit card data only exists within the Protected zone and there's no direct contact from that zone to the internet, it has to go through a hardware firewall via the DMZ to get to the outside.

      3. Typically you install software such as NNT or Tripwire, this monitors every change on the box from dll's being replaced to the smallest change such as Antivirus updates. Filtering and managing this can be a full time job as an admin, usually the software has stuff inbuilt to filter down av updates for example.

      4. Next you usually have a set of reports usually built into the same monitoring software that run against all the hardware and check a large number of security settings, most of these can be setup via GPO's some can actually lock it down to the point where the hardware becomes unusable so it can be a compromise sometimes.

      5. Section 10 means that all event logs from all devices need to be captured into a database, this also has a reporting mechanism setup for example if someone tries to brute force the firewall within x minutes or so. minimum storage time is 12 months, also there should be off site backups

      6. Every month windows updates need to take place, every 3 months there needs to be scans via software such as Nessus internally, external scans usually via the auditor. Every 6 months a review of the firewall rules, updates to all the software such as cisco firmwares etc.

      7. 2 factor authentication is mandatory (yubikey and a password), all access to the kit should also be ip restricted.

      8. All code is audited, software devs have to go on training courses, read up on security standards (try googling secure string in C#, or wasp)

      The paperwork is horrendous, but it's far from checking boxes, a lot of work has to go into hardening kit for the PCI DSS compliance.
      Most of the settings you have to change on the kit to harden it usually originate from either Nessus scans or the compliance reports run from the monitoring software and there's a lot of it.
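Point 5 above describes the Requirement 10 style of alerting: collect every device's event log centrally and raise a report when, say, one source hammers the firewall with failed logins inside a window of x minutes. The block below is an added illustration of that detection logic, not code from the poster or from any PCI tooling; it runs a sliding-window threshold over a handful of constructed syslog-style lines (the hosts, users and addresses are made up; the 203.0.113.0/24 and 192.0.2.0/24 ranges are documentation addresses).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like format (hypothetical host "fw1",
# documentation-range IPs); not real data from any breach or audit.
SAMPLE_LOG = """\
Oct 24 10:00:01 fw1 sshd[2101]: Failed password for admin from 203.0.113.7 port 50211 ssh2
Oct 24 10:00:09 fw1 sshd[2101]: Failed password for admin from 203.0.113.7 port 50212 ssh2
Oct 24 10:00:15 fw1 sshd[2101]: Failed password for root from 203.0.113.7 port 50213 ssh2
Oct 24 10:00:31 fw1 sshd[2101]: Failed password for admin from 203.0.113.7 port 50214 ssh2
Oct 24 10:00:44 fw1 sshd[2101]: Failed password for admin from 203.0.113.7 port 50215 ssh2
Oct 24 10:01:02 fw1 sshd[2102]: Accepted publickey for ops from 192.0.2.10 port 40001 ssh2
Oct 24 10:05:00 fw1 sshd[2103]: Failed password for ops from 192.0.2.10 port 40002 ssh2
Oct 24 10:20:00 fw1 sshd[2104]: Failed password for ops from 192.0.2.10 port 40003 ssh2
Oct 24 10:35:00 fw1 sshd[2105]: Failed password for ops from 192.0.2.10 port 40004 ssh2
"""

# Matches only the failed-login lines; everything else (e.g. successful logins) is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) \S+: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(text, year=2015):
    """Yield (timestamp, host, user, source_ip) for each failed-login line in `text`.

    Syslog timestamps carry no year, so one is supplied by the caller.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["host"], m["user"], m["src"]


def detect_bruteforce(text, threshold=5, window_minutes=5):
    """Return one alert per source IP that reaches `threshold` failures within `window_minutes`.

    A per-source deque holds only the failures inside the sliding window, so the
    check stays O(1) per line regardless of how long the log is.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)
    alerts, alerted = [], set()
    for ts, host, user, src in parse_failures(text):
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)                 # alert once per source, not on every later line
            alerts.append({
                "src": src, "host": host, "failures": len(q),
                "users": sorted({u for _, u in q}),
                "first": q[0][0].isoformat(), "last": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

With the defaults, only 203.0.113.7 trips the rule (five failures in 43 seconds, against two account names); 192.0.2.10 fails three times but fifteen minutes apart, so each failure has aged out of the window before the next arrives. Loosening the window to an hour catches the slow attempts as well, which is the trade-off the threshold and window settings encode: a tight window keeps noise down on a busy firewall, a wide one catches low-and-slow guessing at the cost of more false positives.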

    3. Re:PCI DSS Compliance by khasim · · Score: 1

      1. First you need to be audited by an external auditor that provides the certificate
      If you don't follow the rules then no certification, bribes don't work ether, and most of these guys are really thorough.

      I had the joy of TrustWave auditing systems during a PCI check.

      No. "Thorough" is not a word I would use in that situation. They followed a checklist and their involvement began and ended with that checklist.

      Every 6 months a review of the firewall rules, updates to all the software such as cisco firmwares etc.

      The "review" consisted of matching change requests with rules. As long as there was a request for each rule, they did not care what that rule did.

      7. 2 factor authentication is mandatory (yubikey and a password), all access to the kit should also be ip restricted.

      2 factor, yes. IP restricted? We passed even though there was access through the wireless network. FROM CHINA. Yes, there was an office in China and it had wireless access and you could connect to the PCI environment from there. Provided you had the 2 factor fob.

      The paperwork is horrendous, but it's far from checking boxes, ...

      No. It is only checking boxes.

      Compliance is not security.

      Which is why you're seeing so many sites being cracked. The crackers aren't that good. The security is that bad.

    4. Re:PCI DSS Compliance by Anonymous Coward · · Score: 0

      Please bear in mind that PCI DSS is an industry requirement that has no legal bearing in the UK [where TalkTalk are operating]. That in no way diminishes the common-sense value of the question that you ask, but it does limit the potential legal defense for UK citizens. This particular company has experienced multiple data breaches [I think this is at least their third] but currently UK law provides for no requirement for companies to hold Personal Information securely in a way that is accompanied by legal redress if they fail to do this.

      To give you an idea of how bad this is for UK citizens, there is an ongoing story being covered by the UK press at the moment, in which one TalkTalk customer has had £3,500 taken from their bank account and for which TalkTalk has refused to even discuss compensation, but instead offered them the sum of £30.50 as a refund for cancelling a paid-in-advance subscription early.

      The problem for the individual concerned is that, without an explicit requirement on the statute books, the only way they can expect compensation from a hostile company is to take them to court in a civil case. For their part TalkTalk will not want to pay, because doing so will be seen as a precedent.

    5. Re:PCI DSS Compliance by drinkypoo · · Score: 1

      If you don't follow the rules then no certification, bribes don't work ether, and most of these guys are really thorough.

      How much did you offer them? Since you know bribes don't work, you must have offered one.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re:PCI DSS Compliance by xaxa · · Score: 1

      In the example you give, shouldn't the bank refund the money (they're the ones trusted to keep it) and the bank chase TalkTalk for compensation?

    7. Re:PCI DSS Compliance by garlicbready · · Score: 1

      The key things are:

      1. software that monitors every file change on the system, dll's exe's running apps, running services
      2. software that monitors all event logs and emails you when certain patterns emerge such as brute force attempts
      3. spending months turning off a gazillion group policy settings, or cisco settings to harden kit
      4. Nessus is very good at flagging up open ports / (such as Avira's remote management ports for example), or the fact you're not using ldaps for your domain

      That is not checking boxes, and that is required to get a certificate
      That being said there are different auditors and from a higher management point of view it's going to pay to go with the ones that cause the least amount of hassle
      The last auditors we had included an ex police officer and a pro sys admin, the ones we're currently with also study our cisco configs for the switches and the firewalls to generate reports on advisories for stuff to change.
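Item 1 in the list above (and point 3 in the same poster's earlier comment) is file integrity monitoring: a product such as Tripwire or NNT keeps a baseline of every file on the box and reports anything that changes, with some filtering so that routine antivirus signature updates don't bury a replaced DLL. The block below is an added, minimal illustration of that mechanism in Python, not code from the poster or from either product; it hashes a directory tree into a baseline, diffs a later snapshot against it, and files changes under an "expected" prefix separately. The file names and the `av/sigs/` prefix are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def build_baseline(root):
    """Map each regular file under `root` (as a relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):   # stream large files
                h.update(chunk)
        baseline[path.relative_to(root).as_posix()] = h.hexdigest()
    return baseline


def diff_baseline(old, new, expected_prefixes=()):
    """Classify every difference between two baselines as added, removed or modified.

    Paths under one of `expected_prefixes` (e.g. an AV signature directory) are
    reported under "expected" instead, so routine updates don't hide real changes.
    """
    report = {"added": [], "removed": [], "modified": [], "expected": []}
    for rel in sorted(set(old) | set(new)):
        if rel in old and rel in new:
            if old[rel] == new[rel]:
                continue                      # unchanged
            kind = "modified"
        elif rel in new:
            kind = "added"
        else:
            kind = "removed"
        if rel.startswith(tuple(expected_prefixes)):
            report["expected"].append(rel)
        else:
            report[kind].append(rel)
    return report


def demo():
    """Constructed scenario: snapshot a small tree, make three changes, return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "av" / "sigs").mkdir(parents=True)
        (root / "bin" / "payments.dll").write_bytes(b"MZ original")   # hypothetical files
        (root / "bin" / "service.exe").write_bytes(b"MZ service")
        (root / "av" / "sigs" / "daily.dat").write_bytes(b"sigs v1")
        before = build_baseline(root)

        (root / "bin" / "payments.dll").write_bytes(b"MZ tampered")   # a DLL swapped out
        (root / "av" / "sigs" / "daily.dat").write_bytes(b"sigs v2")  # routine AV update
        (root / "bin" / "helper.dll").write_bytes(b"MZ new")          # a file that appeared
        after = build_baseline(root)

        return diff_baseline(before, after, expected_prefixes=("av/sigs/",))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The replaced DLL and the new file land in "modified" and "added", while the signature update is filed as "expected" rather than silently dropped, so it still appears in the record an auditor can look at. A real deployment would also protect the baseline itself (a writable baseline is the first thing an intruder would update) and feed the report into the same central log store the other items in the list describe.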

  5. Four percent of customers' data hacked .. by nickweller · · Score: 2

    How do TalkTalk know how many records were downloaded, as TalkTalk didn't even notice when the original hack took place.

    1. Re:Four percent of customers' data hacked .. by Zaiff+Urgulbunger · · Score: 2

      How do TalkTalk know how many records were downloaded, as TalkTalk didn't even notice when the original hack took place.

      The police have arrested some children and asked them.

    2. Re:Four percent of customers' data hacked .. by AmiMoJo · · Score: 1

      Would they admit to more than the police can prove with Talk Talk's evidence?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  6. as a talk talk customer: by Anonymous Coward · · Score: 0

    I've still yet to be informed about this formally... hooray for talk talk... bye talk talk !

  7. This wouldn't have happened if they were AppApp! by Anonymous Coward · · Score: 0

    Modern app appers know that only apps can app apps, so if they renamed themselves from LUDDITE TalkTalk to modern AppApp, they would be 100% secure!

    Apps!

  8. Who? Who? by Anonymous Coward · · Score: 0

    Why do I get the feeling we're being shown a different version of Tommy Lee's dong?

  9. asterixed? by seebs · · Score: 1

    Asterixed out: Having little cartoon dudes with magic strength potions drawn over them.

    --
    My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/