Skip to content
Naked Security Naked Security

TalkTalk keeps talking about that data breach but never says the right thing

With every new piece of information about the TalkTalk breach, we seem to get no closer to the truth about what exactly happened, who was responsible, and what TalkTalk is doing to fix this messy affair.

TalkTalk

Information about the data breach at UK telecom group TalkTalk has continued to drip out since the company announced a “cyberattack” on its website (on 22 October 2015).

Yet, with every new piece of the puzzle, we seem to get no closer to the truth about what exactly happened, who was responsible, and what TalkTalk is doing to fix this messy affair.

On a positive note, the police seem to be making progress in the breach investigation.

Two more suspects were arrested in recent days, The Metropolitan Police announced: a 20-year-old man at an address in Staffordshire; and a 16-year-old boy in Norwich, arrested Tuesday (3 November 2015), became the fourth suspect arrested in connection with the breach.

Two teenaged boys (ages 15 and 16) were previously arrested on suspicion of Computer Misuse Act offenses, but the police haven’t said anything more about what these four young men are suspected of doing, and for what purpose.

TalkTalk has continued to update the public on the breach at a dedicated webpage, and on Friday (30 October 2015), the company was finally able to explain precisely how much data was lost:

  • Fewer than 21,000 unique bank account numbers and sort codes
  • Fewer than 28,000 obscured credit and debit card details (unencrypted, but with the middle 6 digits removed)
  • Fewer than 15,000 customer dates of birth
  • Fewer than 1.2 million customer email addresses, names and phone numbers

Although bank account numbers on their own can’t be used by cybercriminals for fraud, TalkTalk says, customer names, email addresses, birth dates and phone numbers can be used for a variety of scams and phishing attacks.

TalkTalk CEO Dido Harding made yet another statement, confirming that the scale of the attack was “much smaller” than initially thought, but:

... this does not take away from how seriously we take what has happened and our investigation is still on going. On behalf of everyone at TalkTalk, I would like to apologise to all our customers. We know that we need to work hard to earn back your trust and everyone here is committed to doing that.

We’ll have to assume that Harding hasn’t read Naked Security writer Mark Stockley’s tongue-in-cheek but dead accurate take on what companies sound like after a data breach.

If she had, she would have known that comments about just how “seriously” she takes a security breach of this magnitude only makes it sound like it wasn’t all that serious a consideration beforehand.

With her numerous public statements, Harding has given the appearance of  transparency, but she may only be muddying the waters with contradictory and even factually incorrect statements.

For example, Harding may have been correct in saying that TalkTalk was “not legally required” to encrypt customer data under the 1998 Data Protection Act, but she also stated that “we don’t store unencrypted data on our site,” according to a thorough tick-tock of the data breach compiled by The Register.

The UK Parliament is launching an inquiry into the breach, and will likely look into making data encryption compulsory for firms holding customer data, the BBC reported.

Encryption wouldn’t have helped keep TalkTalk customers’ data safe though if the attackers prized it out with a SQL injection attack (something Harding may have been suggesting when she incorrectly said that TalkTalk was the victim of a “sequential attack“.)

TalkTalk and Harding initially suggested that the website was knocked out by a denial-of-service attack but have yet to explain how that was that connected to the data breach.

Harding also got ahead of herself when she told the BBC that she had received a ransom demand for the stolen data.

After these public relations blunders, TalkTalk has clammed up about how the attack happened, saying in its FAQ that the “attack is the subject of a criminal investigation by the police so we can’t make any further comment.”

Speaking of which, TalkTalk released a statement from a Detective Superintendent Jayne Snelgrove of the Metropolitan Police Cyber Crime Unit, who said:

TalkTalk have done everything right in bringing this matter to our attention as soon as possible. Our success relies on businesses being open with us and each other about the threats they encounter.

Meanwhile, TalkTalk has only just begun (as of 30 October 2015) contacting those customers whose data was accessed.

Countless companies have had similar troubles after a data breach, and getting it right is obviously not easy.

But TalkTalk seems to have done little right apart from getting law enforcement involved and offering an apology – and it has a lot of work to do to earn back customers’ trust if it wants to hang on to them.


Image of man screaming courtesy of Shutterstock.com.

5 Comments

latest bollocks from talktalk and i quote “Not all of the data was encrypted. Credit and debit card details were tokenised, which is a standard higher than encryption. We’re continuing to work with the police and cyber security experts to understand what happened and protect as best we can against similar attacks in future.” this is absolute nonsense.they must think their customer base are idiots.

And when customers want to leave them, they are still imposing large penalties for breaking the contracts!

Depending on the database set up used, if the data was encrypted in the recommended way, only an authorised user could have extracted data that had been unencrypted. The breach would therefore have been of minimal impact if the company had used encryption.

One of those authorised users is the website – if the data was exfiltrated by SQL injection then the website was fooled in to running some SQL on behalf of the attacker and the data was therefore exfiltrated by an authorised user.

Which is to say, yes, you are right but it probably wouldn’t have helped in this particular case.

TalkTalk have had obvious security problems for years (most of which revolve around call centre staff being paid off by gangs to leak data), and let’s face it, this was the 3rd intrusion in less than 12 months.

“Criminally negligent” would seem to be the appropriate words here.

As for charging exit fees and/or refusing to reimburse damages/dustress: They’re in breach of contract and they’ve admitted losing data. It’s all bluster and they have a habit of settling on the courtroom steps to avoid precedent-setting decisions against them.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?