TalkTalk hacked - data theft likely

[Simon]

Police are investigating after a "significant and sustained cyber-attack" on the TalkTalk website, the UK company has confirmed.  The phone and broadband provider, which has over 4 million customers in the UK, said credit card and bank details could have been accessed.

http://www.telegraph.co.uk/news/uknews/law-and-order/11949468/TalkTalk-phone-network-hit-by-significant-cyber-attack.html

[Gary]

Police are investigating after a "significant and sustained cyber-attack" on the TalkTalk website, the UK company has confirmed.  The phone and broadband provider, which has over 4 million customers in the UK, said credit card and bank details could have been accessed.

http://www.telegraph.co.uk/news/uknews/law-and-order/11949468/TalkTalk-phone-network-hit-by-significant-cyber-attack.html

Ouch, they are saying up to 4 million users bank details 

[JB]

TalkTalk's own info page is here:-

http://help2.talktalk.co.uk/oct22incident

The words 'horse' and 'stable door' spring to mind.

One questions whether this organisation is qualified and careful enough to hold personal data of this nature and whether it is 'fit for purpose' at all!

[Clive]

In customer satisfaction ratings they come out even worse than BT.  That takes some doing!   

[Simon]

Now they've had a ransom demand:

http://www.theguardian.com/business/2015/oct/23/talktalk-cyber-attack-company-has-received-ransom-demand

It does bring into question how seriously do big companies take the security of customer data.  I wonder how many more 'accidents waiting to happen' there are?  They always seem to jump into action when it's too late.  I've recently had an attempted fraudulent purchase on my credit card.  Fortunately, the Halifax were on the ball and blocked it, but I've still had to go through the inconvenience of having to cancel and replace my card.

[Technical Ben]

Ouch, they are saying up to 4 million users bank details 

Not to worry, it's the same team that provide "up to unlimited" and "up to 20meg", so the real results will be only a handful...  (I'll get my own coat and escort myself out)

[zappaDPJ]

This is not the first time they have been hacked, or the second. A horrible company with horrible business practices and an idiot for a CEO. How can you play the victim when you've put your customer's unencrypted data up for plunder.

[Gary]

Now they've had a ransom demand:

http://www.theguardian.com/business/2015/oct/23/talktalk-cyber-attack-company-has-received-ransom-demand

It does bring into question how seriously do big companies take the security of customer data.  I wonder how many more 'accidents waiting to happen' there are?  They always seem to jump into action when it's too late.  I've recently had an attempted fraudulent purchase on my credit card.  Fortunately, the Halifax were on the ball and blocked it, but I've still had to go through the inconvenience of having to cancel and replace my card.

I think Simon we probably don't really want to know how many times our data is held in plain text somewhere and not encrypted 

[nowster]

I seem to remember TalkTalk (via Opel Communications) has some relationship with the Martin Dawes TV rental chain of years gone by. I could be wrong, though.

[mervl]

  You'll all know much more about this than me. But TalkTalk have been busy on the acquisition trail, with may be (if my experience of one of them is anything to go by) a few shabby outfits among them. It seems to me that when you're in a hurry to merge different legacy systems (and even earlier legacy systems from previous botched acquisitions too), rather than upgrading everyone to the best which takes time (a lot of it) and money, there's a risk everyone gets brought down to the lowest common denominator (quicker and cheaper). Another benefit of competition, perhaps? It's a reason why I've always been a bit wary of businesses that gobble up everything in sight or grow exponentially for concern about the chaos behind the scenes when they try to slam everything together.  When consumers want the fastest internet for a few quid something has to give, doesn't it? And it's not just for big ISPs and telcos (see consumer Banks) that backoffice systems seem to be the weakest link. Most goods seem to be sold on their packaging.

[zappaDPJ]

'Lowest common denominator' is an apt description for TalkTalk. Phone slamming, miss-selling, unsolicited telemarketing, Phorm, URL harvesting, Tiscali, Big Brother, The X Factor... all associated with TalkTalk.

[Technical Ben]

I use to feel sorry for my friends who bought talk talk, for the social tricks the company plays to get people to sign up (even if it's just "cheapest" some times).

Now I feel sorry because it could be real harm caused to them.

Oh, and the street seller for TT on Thursday had nothing much to say to me, but only because I told them "I already sell BB myself!*" 



*We have a contract at the shop I work at for one supplier and leads.

[Technical Ben]

My confidence in the BBC news has now gone from zero (was rather higher, oh well), to -100. They just reported:
http://www.bbc.co.uk/news/uk-34631315
"Customer suspects Talktalk was hacked months ago as someone called pretending to be Talktalk."
Well, duh. People get bogus calls all day long from numerous people pretending to be whomever. Why is the BBC so clueless and/or deceitful?

Well, I guess I could answer that for myself.

[mervl]

My confidence in the BBC news has now gone from zero (was rather higher, oh well), to -100. They just reported:
http://www.bbc.co.uk/news/uk-34631315
"Customer suspects Talktalk was hacked months ago as someone called pretending to be Talktalk."

I thought even TT admitted this was the third attack they'd suffered in the last 12 months or so? Can't expect a journo to make the link though.

Most news is "info-tainment" anyway. Can't really remember the last time that anything which I actually know about was reported fully and accurately. That's not the point, however. It's the attraction of gossip over facts. Both tell a truth, in their way. Whether we pay more attention to one or the other, and whether we bother with the difference, is our choice.

[zappaDPJ]

There was a rather crazy (imho) landmark judgement regarding data protection which was upheld by the court of appeal not so long ago that could substantially damage TalkTalk. Vidal-Hall et al v Google sets out that claimants may recover damages under the Data Protection Act 1998 for non-material loss. Any decent lawyer should know this so I would expect to see a massive class action brought against TalkTalk.

[mervl]

There was a rather crazy (imho) landmark judgement regarding data protection which was upheld by the court of appeal not so long ago that could substantially damage TalkTalk. Vidal-Hall et al v Google sets out that claimants may recover damages under the Data Protection Act 1998 for non-material loss. Any decent lawyer should know this so I would expect to see a massive class action brought against TalkTalk.

Yep, that's what scares everyone in the industry, and I suspect accounts for their behaviour. Hence the drip feed "disclosure"/offer of free credit reporting/we'll treat requests to leave on their merits (mitigation)/"it's not so bad after all as we first thought". The problem is the DPA, perhaps. What exactly does it require in terms of security? Even more in the new industries (but even in the old) nothing comes with an absolute guarantee. And what is the quantum of damages in the case of non-pecuniary loss? The ICOs decision will be interesting, the more so since they talk tough. Like you I'm not sure the CA really thought through their decision. But without case law on quantum, you could say they kicked the can down the road. These days too they have half an eye on the ECHR so are more inclined to find in favour of the individual. Most of us would say rightly compared to the past, but it causes problems for business upon which we are all economically dependent. Judges too as much as politicians have problems coming to terms with the ubiquitous "new" technology now that B2B type stuff is available to us all. But yes, us lawyers will make hay in any event.

[Tacitus]

Bit OT but does anyone know if iDNet use TT's wholesale network in addition to BT's network?  At one time I think they used BE(?) largely for failover/load balancing since they were having major problems with BT.

[Simon]

Bit OT but does anyone know if iDNet use TT's wholesale network in addition to BT's network?  At one time I think they used BE(?) largely for failover/load balancing since they were having major problems with BT.

I don't recall ever hearing it mentioned, Tac.  Even if that were the case, I doubt that any third party network being utilised would hold IDNet's customers account details.

[Tacitus]

Even if that were the case, I doubt that any third party network being utilised would hold IDNet's customers account details.

Agree Simon I doubt they would hold any personal information.  I was really curious as to whether iDNet still used any other network apart from BT Wholesale.  In recent times we've not heard any horror stories about major failures, so it seems BT may be more reliable than they were so the question might not arise. 

[Simon]

Seems now it was a kid!

http://www.bbc.co.uk/news/uk-34643783

[Clive]

 

[mervl]

Seems now it was a kid!

If so, why would anyone be surprised? Kids regularly seem to break the American Department of Defense security, supposedly the tightest on earth. Maybe the kid has done us all a favour if he shakes us out of our complacency. So now we can all get back to sleepwalking . . .

[Technical Ben]

Kids have a habit of phoning up and asking for silly things over the phone all the time. Back then it was called a prank. Not a "hack".