Inquiry into TalkTalk hack has its own web security issue


Oh dear.

The UK Parliament’s Culture, Media and Sport Committee has launched an inquiry “into cyber security following the recent cyber-attack of TalkTalk’s website.”

[Image: Parliament inquiry]

Nothing wrong with that, of course.

And the committee is inviting those with opinions to send in their submissions by November 23.

OK, that sounds fair enough.

But… do you see something amiss when you go to the form where you are supposed to submit your information?

[Image: Submission form]

Yes, that’s right. The webpage doesn’t use HTTPS.

In other words, anything you enter onto the page, and the files you attach, *could* be intercepted by someone snooping on your Wi-Fi connection. So there goes your name, address, email address, phone number, as well as any other information you attached in your submission…

This isn’t a way to do website security.
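A site owner can catch this before publishing a form. The check below is an added example, not code from the original post or from Parliament's site: it parses a page's forms and reports any that are served or submitted without HTTPS, noting file uploads and the kinds of personal fields listed above. The host name, field names and `PII_HINTS` list are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field-name hints for the personal data the article lists (assumed names).
PII_HINTS = ("name", "address", "email", "phone")

class FormAudit(HTMLParser):
    """Collect each <form> with its resolved submit URL and the fields it carries."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._cur = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            target = urljoin(self.page_url, a.get("action") or "")
            self._cur = {"target": target, "pii": [], "upload": False}
            self.forms.append(self._cur)
        elif tag in ("input", "textarea", "select") and self._cur is not None:
            name = (a.get("name") or "").lower()
            if (a.get("type") or "").lower() == "file":
                self._cur["upload"] = True
            elif any(h in name for h in PII_HINTS):
                self._cur["pii"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def audit(page_url, html):
    """Return findings for forms that are served or submitted without HTTPS."""
    parser = FormAudit(page_url)
    parser.feed(html)
    # A page fetched over HTTP can be altered in transit, so an https action alone is not enough.
    page_plain = urlparse(page_url).scheme != "https"
    findings = []
    for f in parser.forms:
        submit_plain = urlparse(f["target"]).scheme != "https"
        if page_plain or submit_plain:
            findings.append({**f, "page_plain": page_plain, "submit_plain": submit_plain})
    return findings

# Constructed sample: a form like the one described, on a placeholder host.
SAMPLE_URL = "http://inquiry.example/submit"
SAMPLE_HTML = """<form method="post" enctype="multipart/form-data">
<input name="full_name"><input name="email"><input name="phone">
<textarea name="postal_address"></textarea><input type="file" name="evidence">
<input type="submit" value="Send"></form>"""

if __name__ == "__main__":
    print(audit(SAMPLE_URL, SAMPLE_HTML))
```
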

By the way, in case you weren’t aware, TalkTalk CEO Dido Harding is a Conservative Peer (going by the title of Baroness Harding of Winscombe).

She is married to Conservative MP John Penrose.

John Penrose was, until 2012, the Parliamentary Under-Secretary of State at the Department for Culture, Media and Sport.

Small world, isn’t it?



3 Responses

  1. drsolly

    November 5, 2015 at 3:29 pm #

    I can’t help feeling a bit sorry for TalkTalk, because they’re so completely out of their depth, and even more for Dido, who looks like a puppy that has just been swiped by a rolled-up newspaper and hasn’t the faintest idea what she could possibly have done wrong and how to make the wielder of the newspaper happy.

    I’d like to give her a biscuit.

    • furriephillips in reply to drsolly.

      November 5, 2015 at 7:02 pm #

      Bloody hell, I wouldn’t give her a biscuit! She looks like she needs a hug, a good night’s sleep & maybe a new job.

      That aside, TalkTalk needs a slap around the face with a wet fish. They’ve been operating like incompetent fools, with their heads in the sand. Their disregard for customer data and apparent lack of interest in and nous about security, just makes me think they really don’t deserve to be in business - certainly they don’t deserve and never will get mine.

  2. coyote

    November 5, 2015 at 10:00 pm #

    ‘In fact, a 15-year-old could probably tell you this isn’t the way to do website security - but they’re probably too busy looking for SQL injection exploits and launching denial-of-service attacks to bother with this.’

    Thanks for that, Graham. As I saw the 15 year old could probably tell you …(read more than one word at a time but ended up around there), I hoped you would end up where you did in some way or another (I only thought of SQL injections though, not DoS attacks, so you went beyond my expectations there).
