TalkTalk customer details at risk, after yet another internet attack

What do they say about trouble coming in threes?

UK telecoms operator TalkTalk has revealed that it has once again suffered at the hands of hackers, and that details of four million customers might have been compromised.

We are very sorry to tell you that on Thursday 22nd October a criminal investigation was launched by the Metropolitan Police Cyber Crime Unit following a significant and sustained cyberattack on our website on Wednesday 21st October. The investigation is ongoing, but unfortunately there is a chance that some of the following data may have been accessed

What information might be at risk? Customers' names, addresses, dates of birth, email addresses, telephone numbers, account information, and (gulp!) credit card and/or bank details.

TalkTalk says "not all of the data was encrypted", without, unfortunately, sharing any details on which specific customer information was and wasn't encrypted.


Sounds pretty bad, doesn't it?

What makes it worse is that this isn't the first time TalkTalk has suffered at the hands of hackers and fraudsters. In fact, this is the third major security incident to hit TalkTalk in the last 12 months.

In case you've forgotten, we know that hackers stole the personal details of thousands of TalkTalk customers, and used them to commit scams over the telephone, after a breach involving a third-party contractor which had legitimate access to customer account details. TalkTalk told its customers about that breach in February 2015, although rumours had been bubbling since the previous December.

Then, more recently, some 480,000 TalkTalk customers were said to have been impacted in the hack of British mobile phone retailer Carphone Warehouse.

After these incidents, many TalkTalk customers have been complaining about being on the receiving end of scam phone calls from fraudsters pretending to be TalkTalk, sometimes claiming that they want to warn users about malware infections on their computer.

Just a few days ago, I had a BBC TV crew visit me for a consumer affairs programme they are making, discussing the case of one man who has lost over £2000 after fraudsters stole his account details and personal information from TalkTalk.

And now this.

TalkTalk says it has contacted the major banks and asked them to monitor customers' accounts for unusual activity, and the company's chief executive, Dido Harding, says that customers will be offered a year's free credit monitoring.

Only time will tell if that will be enough to restore trust amongst TalkTalk's customers.

Update: TalkTalk says it has received a ransom demand.

22 Responses

  1. John

    October 23, 2015 at 8:53 am

    This is pretty painful – I guess any "business case" for TalkTalk, for what was left of it, has now been truly crashed. It's even hitting headlines in continental Europe.

    From the FAQ: "Not all of the data was encrypted. We constantly review and update our systems to make sure they are *****as secure as possible*****. We’re working with the police and cyber security experts to understand what happened and protect as best we can against similar attacks in future"

    Yeah – right. If it were not for the trouble this hack brings upon the customers, I would be LMAO about such sheer incompetence and neglect.

    Some lousy "credit monitoring" won't be of a really great help to TalkTalk's customers, I know that from my own experience (the 2005 Stratfor hack). At the time I got some credit monitoring, which basically was monitoring whether my credentials or credit card details would pop up somewhere in underground scenes. If so, I would be (just) notified about it – and that was about it. No coverage, no action plans. Errr – even the standard terms & conditions from my credit card company, against fraud & with pro-active fraud prevention, do a better job.

    Bye bye, Talk Talk
    Talk to you later!
    Errrr… not! :o)

  2. Theo Ccupier

    October 23, 2015 at 9:20 am

    Well, shame on them, seems they will never learn, and as usual their customers are the ones that will suffer.

    Why, because they didn't follow good security practices. As the security arm of the Daleks would say "ENCRYPT, ENCRYPT, ENCCRRYYYPPPPTTTTTTT", although they may have used the words patch, secure, protect, monitor and TEST too.

    A determined hacker will always find a way in, but not following industry best practice is commercial suicide in today's always on world. Customers will not forget that a company has been hacked and lost "their" personal data.

    It is ironic that TalkTalk are offering a free year of access to Experian, as Experian were recently hacked and a load of USA T-Mobile data was stolen (amongst other data)….doesn't bode well!

    http://www.theguardian.com/business/2015/oct/01/experian-hack-t-mobile-credit-checks-personal-information

    You even covered the Experian hack on your esteemed blog; maybe TalkTalk should talk to you about security? ;-)

    • Graham Cluley in reply to Theo Ccupier.

      October 23, 2015 at 9:21 am

      They tried calling me – but the reception was terrible.

      • Theo Ccupier in reply to Graham Cluley.

        October 23, 2015 at 9:44 am

        Who tried, the Daleks, or TalkTalk? O:-) If the Daleks, then that is not surprising; if it was TalkTalk, then shame on them as they are on the same planet as you; less of a latency issue…

    • Graham Cluley in reply to Theo Ccupier.

      October 23, 2015 at 9:22 am

      BTW, the Daleks have a security arm? Is that to differentiate them from the accounting arm, the needlework department and the tiddlywinks club?

      (And it’s not an arm anyway. It’s an egg whisk and a sink plunger)

      • Theo Ccupier in reply to Graham Cluley.

        October 23, 2015 at 10:02 am

        Yes, to differentiate them from the crown-green bowls team, the stair climbing and escalator ascent team, the scuba diving team, the four dimensional chess team and the anti-fraud team (who investigate dustbins to make sure they are not renegade Daleks)…

        Yes, I know they don't have physical arms, having tentacles/appendages instead, as they are living, breathing beings inside tin cans (to keep them fresh and tasty, maybe?)

        As to the plunger, don't remind me, I still have the nightmares! Although the egg-whisk has more pleasant connotations (Allo', Allo')

    • Rick in reply to Theo Ccupier.

      October 25, 2015 at 10:38 pm

      Encrypt?? Encrypt, what?? Data at rest, or data in motion (aka, in flight)??

      The best defense is a good offense – strong physical systems, like a MAINFRAME, and solidly coded applications – limiting PII data movement, as a best practice.

      Just two common sense methods to securing private, personal information / DATA!

      Yeah, so avoid mysql, no-sql, open source hackable software solution methodologies – considering they STINK – any high-schooler / grade-schooler can hack that windows based stuff!!

      True business system engineer – no simpleton solutions, here, Baby

      ;-]

  3. Paul

    October 23, 2015 at 9:34 am

    As a security precaution I decided to change my account password on my TalkTalk account.
    You know what?
    Upper and lower case letters and numbers only ….. no characters allowed. !"£$%^&*()_+ !!!!

    • Bob in reply to Paul.

      October 23, 2015 at 9:46 am

      And this is half of the problem; they haven't a clue.

      I'm not surprised their share price has fallen by 9%

      Not encrypting is unforgivable and by a third breach you'd think they'd have learnt. This will acutely affect the average person who reuses their passwords and/or security questions.

  4. peter

    October 23, 2015 at 9:38 am

    So much for PCI-DSS compliance eh?

    What 'protection' was in place for cardholder details? Did they store the CVV? Which elements of the cardholder details were lost?

    So many questions, so few answers

    unencrypted databases + poor security controls = you're buggered!

    message to all CEOs – scrimping on Information Security can destroy your business

  5. Martin Hepworth

    October 23, 2015 at 10:19 am

    More rolls of the databreach dice done…
    http://www.theguardian.com/business/2015/oct/22/talktalk-customer-data-hackers-website-credit-card-details-attack?CMP=fb_gu

    the security of our customers’ data extremely seriously
    Police are investigating a “significant and sustained”

    Just waiting for the statement from Mandiant about "sophisticated and targeted" to add to the list and I can win Bingo!!
    But this mess has been going on for years, even before the current mgmt who supposedly turned the business around…

  6. Dereck

    October 23, 2015 at 10:24 am

    The ICO and PCI should have a field day with TalkTalk and make an example of them. This is the third time this year (that we know about) and it wouldn't surprise me if Customers move away from TalkTalk in their droves. The interview of their CEO on the BBC shows how strained she is, and so she should be, the buck stops here and she should do the honourable thing. To be hacked once and lose Customer information is unfortunate, twice shows a lack of learning from your lessons, but a third time is downright negligent.

    Their response to send e-mails to everyone is a really good idea – now the criminals will latch onto that (especially as they have Customers' e-mail addresses) and send out targeted phishing attempts to get maybe the last piece of information they need to do a concerted attack on Customers' finances. Great incident response planning, or lack of.

    A simple risk management exercise after the first attack would have shown the need to improve their cyber defences before it happened again, but did they? Some nameless fool probably thought the likelihood of it happening twice (let alone 3 times) was so remote that it wasn't worth spending money on to mitigate the risk. Just making a diary reminder to not look at the CV of a security professional from TalkTalk.

    • Graham Cluley in reply to Dereck.

      October 23, 2015 at 10:26 am

      We probably shouldn't be too quick to criticise the security team at TalkTalk. I'm sure they are professionals, and – if there were any security concerns – were aware of them.

      After all, it's possible that their bosses did not give them the time and resources to fix the security issues.

      In short, I think it's a little soon to suggest that no-one should hire a security guy who has TalkTalk on his CV.

      • peter laycock in reply to Graham Cluley.

        October 23, 2015 at 10:46 am

        Indeed – Information Security is only as good as the investment in it – don't blame those on the front line.

      • Simon Plummer in reply to Graham Cluley.

        October 23, 2015 at 10:53 am

        A common issue within the field – everyone sees security as a cost centre rather than a 'cost to do business'. Where it is required, senior leaders often feel that as long as the IT side is covered the rest (i.e. policy, process, people etc) can be done for little or no cost. Unfortunately it is events like this that enable the field to articulate the messages given factual views.

      • coyote in reply to Graham Cluley.

        October 24, 2015 at 2:40 am

        Also, we can all be bested.

        Even those with a lot of experience, a lot of knowledge, there is always someone out there that can get the better of you. Maybe it is by a different way of looking at the problem, or maybe they found a design flaw that you simply missed (it happens to everyone, even the best). And then there is the killer of social engineering (and phishing).

        And in any case, speculation without a thorough investigation is not helpful but actually harmful. That's the important point. Until the full story is known, you can't really judge properly – you can make anything be (appear to be) reality if you distort it enough, take it out of context or ignore certain things. People are also gullible which only makes this easier and more likely still.

  7. John Lewis

    October 23, 2015 at 11:21 am

    Although I have noticed a big increase in demand for contract security professionals in recent months most of the roles have been at a low day rate and I question whether company Boards are yet taking security really seriously. One company I know had a £2bn order withheld due to a breach by a nation state (who we are now sucking-up to). That got the Board's interest. Hopefully a big drop in share price at TalkTalk will be a wake-up call but I doubt it.

  8. John

    October 23, 2015 at 1:00 pm

    There has been no information regarding whether or not this data breach affects accounts transferred in to TalkTalk from the Tesco Broadband acquisition.

    Any idea?

    • Graham Cluley in reply to John.

      October 23, 2015 at 1:33 pm

      Don't know I'm afraid – we need TalkTalk to share more information.

      • Philip Sharp in reply to Graham Cluley.

        October 28, 2015 at 8:51 am

        Hi,

        I am in the same situation and have thankfully found out that Tesco customers are not affected:

        http://www.tescobroadband.com/Help-and-Support/Articles/View/8118

  9. Keith Appleyard

    October 23, 2015 at 4:50 pm

    I have a business account with TalkTalkBusiness.net: as of 4pm on Friday I still haven't had any form of notification from TalkTalk as to whether or not we are in scope.

  10. Peter Gray

    October 25, 2015 at 9:47 am

    I was having problems with Talk Talk for months. During the first scam I almost lost 800 after I foolishly fell for their (the scammers') claims that they were from Talk Talk and that my computer was showing problems. Believing they were genuine I got sucked in, my computer was hacked and finished, but my bank saved me from losing any money. Since then I have received almost daily calls saying "Hello this is Talk Talk technical department". I got so fed up with it I ended up telling them to F*** Off but they still continued.
    I complained to Talk Talk dozens of times and even wrote to the C.E.O. but received no reply. I have now changed my service provider and hey presto the calls have stopped, even though my phone number is still the same; could this suggest an insider job at Talk Talk? Talk Talk also expect me to pay up the contract of 200 pounds + even though I have been with them for six years. I have taken out a small claims court case against them for my computer and the 200+ pounds.
