Slashdot Mirror

← Back to Stories (view on slashdot.org)

TalkTalk Hack: 4% of Customers' Data Accessed In Cyber Security Breach

Posted by timothy on from the one-penny-per-quarter dept.

Amanda Parker writes: TalkTalk has announced that 156,959 customers had their personal details accessed as a result of the recent attack on its website, in which 15,656 bank account numbers and sort codes were stolen. In an update, the firm also said the 28,000 credit and debit card numbers that were accessed were obscured, i.e. had part of the number asterixed out, and so are unusable for financial transactions. They were also "orphaned", says TalkTalk, so customers are unable to be verified by the stolen data.

7 of 25 comments (clear)

  1. customers were "accessed" by turkeydance · · Score: 2

    but TalkTalk was "attacked". vice/versa

  2. In related news.... by Anonymous Coward · · Score: 5, Funny

    "TalkTalk" is a thing that exists, apparently.

    1. Re:In related news.... by xaxa · · Score: 2

      Fixed-line internet and phone, plus IPTV. They are also a virtual mobile operator, I don't think they've got many customers for this.

      There are about 27 million households in the UK, so 4 million is a decent portion of the total market.

  3. PCI DSS Compliance by garlicbready · · Score: 2

    One question to ask is, were Talk Talk PCI DSS 3.1 Compliant?
    Were they using software for change control, and logging of device event logs?

    If your storing credit card data, then these standards require you to use software that recomends locking down kit, and logging via event logs to see who's broken in etc
    Also to get the certified you need to be audited by an external auditor, have monthly updates, 3 monthly scans, 6 monthly sotware updates etc.
    I can't help but think with all these break ins, it's just piss poor admin / or cheapness that's at fault

    1. Re:PCI DSS Compliance by garlicbready · · Score: 4, Informative

      Being an admin myself that's had to lock down kit for PCI DSS standards, these work a little differently

      1. First you need to be audited by an external auditor that provides the certificate
      If you don't follow the rules then no certification, bribes don't work ether, and most of these guys are really thorough.

      2. The network needs to be seperated into DMZ and Protected zones, the credit card data only exists within the Protected zone and there's no direct contact from that zone to the internet, it has to go through a hardware firewall via the DMZ to get to the outside.

      3. Typically you install software such as NNT or Tripwire, this monitors every change on the box from dll's being replaced to the smallest change such as Antiirus updates. Filtering and managing this can be a full time job as an admin, usually the software has stuff inbuilt to filter down av updates for example.

      4. Next you usually have a set of reports usually built into the same monitoring software that run against all the hardware and check a large number of security settings, most of these can be setup via GPO's some can actually lock it down to the point where the hardware becomes unusable so it can be a comprimise sometimes.

      5. Section 10 means that all event logs from all devices need to be captured into a database, this also has a reporting mechanism setup for example if someone tries to brute force the firewall within x minuites or so. minimum storage time is 12 months, also there should be off site backups

      6. Every month windows updates need to take place, every 3 months there needs to be scans via software such as Nessus internally, external scans usually via the auditor. Every 6 months a review of the firewall rules, updates to all the software such as cisco firmwares etc.

      7. 2 factor authentication is mandatory (yubikey and a password), all access to the kit should also be ip restricted.

      8. All code is audited, software devs have to go on training courses, read up on security standards (try googling secure string in C#, or wasp)

      The paperwork is horrendous, but it's far from checking boxes, a lot of work has to go into hardening kit for the PCI DSS complaince.
      Most of the settings you have to change on the kit to harden it usually originate from ether Nessus scans or the complaince reports run from the monitoring software and there's a lot of it.

  4. Four percent of customers' data hacked .. by nickweller · · Score: 2

    How do TalkTalk know how many records were downloaded, as TalkTalk didn't even notice when the original hack took place.

    1. Re:Four percent of customers' data hacked .. by Zaiff+Urgulbunger · · Score: 2

      How do TalkTalk know how many records were downloaded, as TalkTalk didn't even notice when the original hack took place.

      The police have arrested some children and asked them.