TalkTalk: Hackers may have nicked personal, banking info on 4 million Brits

TalkTalk is in the process of telling its four million subscribers that it has fallen victim to a “sustained cyberattack” – and it is possible that personal information, including bank details, has been pilfered. The UK ISP took down its website yesterday, telling us this was not related to a broadband outage, and the site …


  1. AJ MacLeod

    I bet this has been going on far longer than just yesterday. I know I've had TalkTalk customers tell me in the past week or two they've been phoned by the "windows support" type scammers claiming to be from TalkTalk and able to provide all kinds of (correct) account information when challenged.

    I wonder if this has also affected TalkTalk Business?

    1. Chris Miller

      The TalkTalkBusiness.co.uk site is working normally, FWIW.

      1. Starace

        As far as I can tell everyone got pushed into the same billing system including 'legacy' business customers, so that website is really just an advertising portal.

        1. Chris Miller

          No, the billing systems for TalkTalk and TalkTalkBusiness accounts remain quite separate (I have both). Some (mainly SOHO) business accounts did indeed get transferred to standard TalkTalk operations, as you describe.

          1. Anonymous Coward
            Anonymous Coward

            As part of Project Cola, one man band businesses were transferred from TT Business to TT Residential.

            1. vagabondo

              transferred from TT Business to TT Residential

              This seemed to happen quite randomly about two years ago. We had one direct debit payment account transferred, but not three others.

              If you call TalkTalk Business they will transfer you back, but it is similar to transferring from another unrelated supplier and you may have to set up the payment system again. You have to wait about two weeks and fend off the "please don't leave, would you like a discount" call from TT Residential. You will lose any fixed IP addresses (but if you have a technical problem then they may get converted to dynamic anyway -- that's how we discovered we had been transferred).

    2. psychonaut

      Going on since Tuesday at least. Website was down on Tuesday, their POP/IMAP "email" has not been working correctly either (I have customers who use that shit, unfortunately).

      oh, and one of my customers said that shortly after contacting (genuine) talk talk on 2 occasions recently she got a call back soon after from scammers pretending to be from talk talk.

      on the other hand, not sure how you differentiate scammers from talk talk they both seem to do the same thing.

      1. psychonaut

        just read on the bbc that in february, lots of customer data was taken, including phone numbers...which lends the truth to the scammers phoning people up pretending to be talk talk with their account details.

        1. Salts

          BBC reports this is the third attack in 12 months, good to see a company learning by its mistakes.

          1. Chris Miller

            You can't do much about being attacked (especially DDoS) - some of my clients get 'attacked' several times a month - it's how strong your defences are that's relevant.

            1. Salts

              @Chris Miller

              Sorry, let me clarify "third successful attack in 12 months", weak defences methinks :-)

            2. AlbertH
              Mushroom

              It's NOT the DDoS that's caused the problem - it's the SQL injections that allow the data theft. TT are stupid in that it wasn't encrypted and you can be sure that their OSs and software are several patches behind the curve!
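The SQL injection the comment above blames for the data theft is easiest to see in code. The snippet below is an added example written for this page; it is not TalkTalk's code and not anything posted in the thread, and the customer table, its rows and the `lookup_*` functions are made up for illustration. It shows a lookup built by string formatting dumping every row when handed the classic `' OR '1'='1` payload, beside the parameterised form that treats the same input as a literal email address and returns nothing.

```python
import sqlite3

# Constructed sample data for the example, not real customer records.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "Alice", "12-34-56 12345678"),
    ("bob@example.com", "Bob", "65-43-21 87654321"),
    ("carol@example.com", "Carol", "11-22-33 11223344"),
]


def build_db():
    """In-memory SQLite database standing in for a billing back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT, bank_account TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """String-built SQL: whatever the caller types becomes part of the query text."""
    sql = f"SELECT email, name, bank_account FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, email):
    """Bound parameter: the driver sends the value separately, never as SQL."""
    sql = "SELECT email, name, bank_account FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Textbook payload: closes the quoted string and appends an always-true clause,
# so the vulnerable query becomes ... WHERE email = '' OR '1'='1'
PAYLOAD = "' OR '1'='1"


def demo():
    """Row counts for a legitimate lookup and for the payload, both ways."""
    conn = build_db()
    return {
        "legit_vuln": len(lookup_vulnerable(conn, "alice@example.com")),
        "payload_vuln": len(lookup_vulnerable(conn, PAYLOAD)),   # every row leaks
        "legit_safe": len(lookup_parameterised(conn, "alice@example.com")),
        "payload_safe": len(lookup_parameterised(conn, PAYLOAD)),  # no such address
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The parameterised version is the whole fix for this class of bug; escaping input by hand is the approach that keeps failing. Note that the bank account column comes back in clear text in both cases once the query succeeds, which is the separate point the comment makes about encryption at rest: parameterisation stops the query being bent, it does not protect data from a query that is allowed to run.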

      2. Anthony Hegedus Silver badge

        When you say their POP/IMAP has not been working correctly, I take it you mean it suddenly starts delivering mail within a minute of it being received, or some such weirdness?

        Talktalk certainly scammed us when we re-sold their business broadband.... nothing wrong with the broadband itself but their billing systems were so crap as to defy belief.

        1. psychonaut

          not working correctly....just plain not working for hours, weird issue where one customer got about 400 folders created called "inbox 1", "inbox 11", "inbox 111" etc

    3. Anonymous Coward
      Anonymous Coward

      Oh dear.

      Fucktards on the starboard bow, Scotty beam me up.

    4. j0nn13

      I know someone this has happened to as well, at the start of the week. After she got suspicious and I had a look into it, I suggested she speak to the police, who told her that hundreds of people were reporting the same thing.

  2. Anonymous Coward
    Anonymous Coward

    What about ex-customers?

    I stopped being a customer of TalkTalk in August of last year. I wonder if

    a) they still have my details on file

    and

    b) whether, as I'm an ex-customer, they'll bother to contact me to tell me if they've been stolen.

    1. allthecoolshortnamesweretaken

      Re: What about ex-customers?

      My guess would be

      a) yes

      b) no

      1. cantankerous swineherd

        Re: What about ex-customers?

        I'm guessing you're right on the money.

      2. Star

        Re: What about ex-customers?

        Yup, the only customers Talk Talk care about is potential customers.

        The only reason they're trying to be seen as doing something for existing customers - far too late by the sound of it - is because they couldn't hide it from those potential customers anymore.

        They certainly couldn't give a toss about ex-customers.

    2. Anonymous Coward
      Anonymous Coward

      Re: What about ex-customers?

      a) Yes, they certainly (used to at least) keep accounts for all ex-customers. As I recall you would just be an account holder with no active products.

      b) Given the talk of "4 million" customers, I suspect they won't be contacting ex-customers.

      Perhaps El Reg can seek clarification on behalf of the millions of former customers?

      1. Anonymous Coward
        Anonymous Coward

        Re: What about ex-customers?

        I highly doubt they have deleted the data of ex-customers. I am a customer of TalkTalk business (and am posting anonymously because of this which I normally never do). They clearly have my password stored in a retrievable format because when I have called them they have asked me to say it and then they obviously compare it to what they see on screen. (They do not ask for the Nth letter or any of that, for what it's worth). Furthermore when I haven't been able to remember the password exactly (it has a number sequence on the end), they have said "close enough" and proceeded to deal with my enquiry. Note, this is their customer support password asked for when making tech support or billing enquiries. I've no idea if it is also the password to log into my online account with them as I never use that, but I would be unsurprised if it were.

        I'll be checking my Inbox shortly to see if they have communicated with me about this, but I'm not impressed that I'm learning about this on El Reg instead of from them (there was nothing from them there last night).
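The comment above infers from the "say it and we'll compare it on screen" and "close enough" behaviour that the support password is stored in a retrievable form. The block below is an added example for this page, not code from the thread or from TalkTalk, showing what a non-retrievable store looks like: only a random salt and a PBKDF2 hash are kept, verification recomputes the hash from what the caller says, and a near miss (two digits swapped) fails outright. The function names, the iteration count and the example password are all made up for the illustration.

```python
import hashlib
import hmac
import os

# Work-factor parameters chosen for the example (assumed, not a published standard).
ITERATIONS = 200_000
SALT_BYTES = 16


def make_record(password, salt=None):
    """Store only a salt and a one-way hash; the password itself is discarded."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(record, candidate):
    """Recompute the hash from the spoken/typed candidate and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def support_check(record, spoken):
    """What an agent's screen can show when the stored form is a hash: a verdict, not the password."""
    return "accept" if verify(record, spoken) else "reject"


# Constructed example credential for the demo, not anyone's real password.
EXAMPLE_PASSWORD = "Correct-Horse-4471"


def demo():
    rec = make_record(EXAMPLE_PASSWORD)
    return {
        # The stored record must not contain the password in any visible form.
        "plaintext_in_record": EXAMPLE_PASSWORD in repr(rec),
        "exact": support_check(rec, EXAMPLE_PASSWORD),
        # "Close enough" is not a thing with a hash: the digits are swapped here.
        "close_enough": support_check(rec, "Correct-Horse-4417"),
    }


if __name__ == "__main__":
    print(demo())
```

The trade-off a practitioner should note: a full-password hash like this also rules out the "give me the 3rd and 7th characters" style of check, because those need per-character material; a service that wants partial checks has to store something other than a single hash, which is exactly why such schemes deserve scrutiny.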

        1. h4rm0ny

          Re: What about ex-customers?

          I highly doubt sympathy will go down well right now and I'm not exactly going to let them off the hook, but I did just watch the BBC interview with Dido Harding from TalkTalk and to be fair, she came across extremely well given the circumstances. Interview.

          1. Tim Jenkins

            Re: What about ex-customers?

            " she came across extremely well given the circumstances"

            Rather less well just now on 'Today', where her reason for not being able to tell customers if any potentially exfiltrated personal datasets are encrypted was that 'TalkTalk systems have millions of lines of code'...

          2. chris 17 Silver badge

            Re: What about ex-customers?

            her media training was definitely put to the test by Charlie from BBC breakfast this morning. I felt a little sorry for her as a person.

            Assuming the customer details and card numbers were unencrypted, hence hackers able to take them, why did they not have systems in place to safeguard that data? Surely PCI DSS rules should mean that data is not retrievable in an unencrypted form? If encrypted, the keys should be on separate access-controlled systems. If they went to those lengths and hackers stole the encrypted data and all the keys, why was there not a system in place to notice the leak of their most precious data?

            Lots of questions to answer here especially as they got hacked earlier this year and should have been prepared.

          3. jonmorris

            Re: What about ex-customers?

            She'll have been no doubt briefed on how to act, and to play the open and honest, nothing to hide, hey I'm a victim too line. I think it's good she's spoken to the media (this time) but I think she's misjudged the anger - and saying she's a victim too won't get her or the company any sympathy when it's the THIRD time it's happened (at least).

          4. michaelkeay

            Re: What about ex-customers?

            She didn't come across well to me. Crying "Crime of the times" nonsense and "it's not just us".

    3. jonmorris

      Re: What about ex-customers?

      Yes they will - people got the scam 'PC hack' calls even when they'd left ages ago.

      And even current customers, like me, aren't getting contacted.

      As it's the third time, I have NO sympathy at all now. And Dido Harding saying she's a TT customer and has been a victim too just makes me even more angry. I mean, if she had something to lose then shouldn't she have been making sure the defences were rock solid. Or robust? That's a word she's been using, which is laughable.

      I mean, what's left to protect now?

      1. Anonymous Coward
        Anonymous Coward

        Re: What about ex-customers?

        And Dido Harding saying she's a TT customer and has been a victim too just makes me even more angry. I mean, if she had something to lose then shouldn't she have been making sure the defences were rock solid.

        Well don't forget that most of the customers are proles, whose only contact with their bank is via a low powered call centre worker, or a teller at the counter. With Ms Harding's multi-million pound package, she'll be with somebody like Coutts, and whoever the bank is, they'll have assigned a "personal wealth manager" to slobber over her and keep a beady eye on her account security. She doesn't have anything to lose.

    4. AlbertH
      Paris Hilton

      Re: What about ex-customers?

      You can be absolutely certain that your data has been stolen. TT are clueless about security

  3. Roger Greenwood

    Yet more reason . . .

    . . . to give false DOB etc. It's a matter of "when" not "if" where commercial entities are concerned.

    You can change your bank etc, but personal info more difficult.

    1. Anonymous Coward
      Anonymous Coward

      Re: Yet more reason . . .

      Then you fail on the credit check as they won't match your real details.

      1. Roger Greenwood

        Re: Yet more reason . . .

        "fail on the credit check" Fair point, but then maybe they weren't doing that either.

      2. vagabondo

        Re: Yet more reason . . .

        "Then you fail on the credit check"

        Why do you need credit from an ISP? I always use 01 01 1970 when asked for any date (or you could use anyone else's dob that you can remember) apart from to my bank.

  4. allthecoolshortnamesweretaken

    "The ISP admitted that “unfortunately” there is a “chance” that some customer data including subscribers' names, home addresses, dates of birth, phone numbers, email addresses, bank account info and credit card numbers have been accessed by hackers."

    Why, in my mind, does this translate into 'all of our customer's data has been compromised'?

    1. Doctor Syntax Silver badge

      "Why, in my mind, does this translate into 'all of our customer's data has been compromised'?"

      And why does all the stuff about constantly updating systems seem to be missing 'in the future'?

      1. teebie

        "Why, in my mind, does this translate into 'all of our customer's data has been compromised'?"

        Because you give TalkTalk too much credit. It really means "we have no idea which of our customers' data has been compromised. It could well be all data for all customers, but we don't know, and never will"

    2. a_yank_lurker

      Corporate doublespeak which means we screwed up so badly that hackers downloaded our unencrypted customer database using SQL injection. In plainer English we are idiots with computers.

    3. Rusty 1

      If such information has really been lost, the next annual PCI DSS compliance review will be a real doozy. Popcorn and peanuts at the ready!

      1. mark 120

        Their next annual review may well be beginning today, starting with a knock on the door from serious-looking audit types with forensic investigators in tow. If TalkTalk didn't tell their acquirer / Visa / Mastercard they'd been breached right away, then a very dim view will be taken.

    4. A Non e-mouse Silver badge

      Why, in my mind, does this [chance] translate into 'all of our customer's data has been compromised'?

      Because the press release was written by PR monkeys trained to downplay anything bad, but you're a hardened geek who can see through the PR B/S at fifty paces?

    5. Anonymous Coward
      Anonymous Coward

      At least they spared us the usual "we take the security of our customers seriously .... Etc"

      It won't stop until fines for all breaches where data was taken having not been properly secured are eye watering to the point of making shareholders really feel the pain.

      1. chris 17 Silver badge

        @AC

        "It won't stop until fines for all breaches where data was taken having not been properly secured are eye watering to the point of making shareholders really feel the pain."

        Define properly secured?

        Is there some accreditation they need to meet before they can be fined? I'm fairly sure their accreditation boxes will be found to be ticked, including insurances to cover their costs in this kind of event. The insurance won't cover the cost to their reputation though, which is what will truly hurt them.

      2. Tiger Bay Cyber

        New EU Data Protection Regulation

        The draft EU Data Protection Regulation should sort that out: €100M or 5% of global turnover fine for a serious breach (assuming this does not get watered down in the behind-the-scenes horse-trading / lobbying).

      3. This post has been deleted by its author

    6. Frank Bough

      Re:

      ...because you are a realist with experience of dealing with PR bullshit?

    7. AlbertH
      Mushroom

      Why, in my mind, does this translate into 'all of our customer's data has been compromised'?

      Why do you think lots of lawyers are carefully examining TT's Contracts. They're going to be sued out of existence!

  5. Anonymous Coward
    Joke

    They can TalkTalk

    can they WalkWalk? Or will their customers do so?

    1. Anonymous Coward
      Anonymous Coward

      Re: They can TalkTalk

      or FOADFOAD?

    2. jonmorris

      Re: They can TalkTalk

      I'm off. I was quite forgiving the first time around, despite having the scam calls and feeling angry for those people who might fall victim to them (and TalkTalk not having told me or anyone else by email, or by post, to be on our guard).

      Now it has gone beyond that. I have a moral duty to boycott them, but admittedly I won't go until I seek out a good alternative. I'm not going to be further inconvenienced because of them. Rest assured though, in a month or two I won't be a customer of theirs.

