News TalkTalk hit by massive security breach

Discussion in 'Article Discussion' started by Gareth Halfacree, 23 Oct 2015.

  1. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,167
    Likes Received:
    6,795
  2. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    388
    It does instil much confidence that they stored customers' details in an encrypted form when they say they're "offering a year's free credit monitoring whilst also asking banks to keep an eye out for fraudulent account activity".

    Or is that a standard thing these companies do now?
     
  3. Bungletron

    Bungletron Minimodder

    Joined:
    25 May 2010
    Posts:
    1,171
    Likes Received:
    62
    Or 'Derek', as he is more commonly known at New Scotland Yard.
     
  4. Bungletron

    Bungletron Minimodder

    Some of it was not encrypted, they say so in their little FAQ under the press release. In this particular case potential scam merchants have enough hack points here to go ahead and start taking out loans, no further info needed: name, address, DOB, bank details, even a bloody utility bill. It sucks, they know it sucks, people need to understand it sucks bad enough to start regularly checking credit scores to make sure they are not being ID thieved. What a horror show.
     
  5. Corky42

    Corky42 Where's walle?

    I guess we can only hope that the "some" includes the CC & bank details. Not that any of the other details aren't just as worrisome, it's just that they're maybe not as easily exploitable.

    It would be nice to see some kind of law or something that says ALL personal details must be stored in an encrypted format.
     
  6. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    That would be the Data Protection Act, which has as Principle 7:
    The ICO, which is in charge of enforcing this stuff, takes the 'technical measures' to include encryption. Now, if it were actively enforced...

    It also states that companies should adhere to ISO 27001, but reading that will cost you £100. No, really. (Yes, you can find PDF copies with a quick Google search, but that's naughty-naughty copyright infringement.)
     
  7. Porkins' Wingman

    Porkins' Wingman Can't touch this

    Joined:
    23 Feb 2008
    Posts:
    2,897
    Likes Received:
    129
    I don't tend to use credit much, and any money taken will get returned to me, so they're welcome to start flogging my ID for whatever they can get. Good luck to them.
     
  8. Corky42

    Corky42 Where's walle?

    Principle 7 is the kind of thing I mean. Not having looked into how it's enforced or its implementation I could be mistaken, but when I said a law or something I meant in the same kind of way that we, as a country, treat *food safety or health and safety at work.

    The way things seem to work currently with personal data is that any Joe Bloggs could set up a business that involves collecting and storing data without any checks.

    *Not saying that's perfect or that there are no dodgy takeaways or companies that flout H&S rules.
     
  9. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    When you say "law," what you're actually referring to is "Act of Parliament." Health and safety at work is covered by The Health and Safety at Work etc Act 1974; food safety is covered by The Food Safety Act 1990; and data protection is covered by The Data Protection Act 1998. In other words: legally, we already treat data protection exactly the same as food safety or health and safety at work - we have Acts of Parliament surrounding them.

    An Act of Parliament creates a new law or changes an existing law. It starts off life as a Bill (so, there was a Food Safety Bill) which is (supposedly) debated and then approved or rejected by both the House of Commons and the House of Lords. Once approved, the Bill becomes an Act - and is law.

    There is no difference in terms of legality between the Data Protection Act and the Food Safety Act; they're both Acts of Parliament which outline legal responsibilities and requirements, making certain things illegal under UK law (such as serving E. coli-infested ratburgers, or selling your customer database to the Chinese).

    TL;DR: The thing for which you're asking is already a thing. What you want is greater enforcement of the thing.
     
  10. Porkins' Wingman

    Porkins' Wingman Can't touch this

    Breaking news - there is actually quite a lot of data out there nowadays. Effective enforcement is unrealistic other than punishing those that are caught out publicly like this and hoping that over time things improve, but I don't see it happening any time soon.
     
  11. Corky42

    Corky42 Where's walle?

    Yeah, that then. :)
    Maybe we need a TV programme called the Data Inspectors or something to raise awareness. I would say better funding, but we all know there's not the money for that sort of thing. :worried:

    The same could be said of food and workplaces, but we manage to effectively enforce those, so why should data be any different?
     
  12. Porkins' Wingman

    Porkins' Wingman Can't touch this

    I don't think they're comparable examples. How could anyone be reasonably expected to keep track of who stores what data? The web is too big and too intangible. And workplaces have a more direct incentive to keep their employees safe, as do catering premises have a direct incentive to not cause their customers to get ill.

    You could be a site storing personal data for 10 years with 'adequate' encryption and get away with it, then suddenly get an unexpected attack that is now capable of beating your protection. And restaurants and workplaces aren't generally targeted by outsiders trying to sabotage things, certainly not on the same scale as cyber crime if you believe an ounce of the media on it.

    And besides, are you suggesting there are never any incidents of employee injuries/fatalities at work or food poisoning in restaurants? How do you define 'effective enforcement'?
     
    Last edited: 23 Oct 2015
  13. jewelie

    jewelie Ancient geek, newbie to BT

    Joined:
    3 Jun 2015
    Posts:
    50
    Likes Received:
    4
    Looks like the hackers' friends have been posting example excerpts to Pastebin, so if it's genuine (and it looks like it is) we already have a guide to a minimum of how much information has been breached:

    http://pastebin.com/JxqVQLqJ
    http://pastebin.com/HHT4BxJA
    http://pastebin.com/QH0Y1UnL
    http://pastebin.com/KGsK61wr

    Fortunately, they've redacted the bank account numbers in these examples.

    So, so far it seems that they've got-

    Name, Address, D.O.B., Telephone Number, E-Mail Address, Bank Name, Bank Account Number, Bank Account Sort Code, TalkTalk Account Details (including password), and very probably much more.

    If this is genuine and it's plain-text then that suggests extreme negligence and I really hope the ICO bites down on them hard; otherwise, there's new legislation for class action lawsuits in the UK.

    If the hack was complete, I wonder if they got at the logs of all websites etc people have visited as well, which was always going to be a risk with DRIPA legislated data recording. :( If so, potentially many opportunities for blackmailing, sadly.

    :(
     
  14. Thaifood

    Thaifood Minimodder

    Joined:
    24 Apr 2009
    Posts:
    856
    Likes Received:
    41
    This could cause a problem... I'm in the process of changing the name/owner of accounts as I am taking over my friend's (as they have left to go travelling). Changed the DD to mine already, but the name on the account hasn't changed yet. Fingers crossed.
     
  15. Corky42

    Corky42 Where's walle?

    It's easy to keep track of who stores the data: it's the people asking for it in the first place. Why should personal data on the Internet be any different from the personal data you provide to your gas/electric supplier, or any other organisation?

    The incentive, if you really need one, is what it's always been: money.

    You seem to be conflating restaurants and workplaces with the need to store data in a safe fashion. Last time I checked my local kebab shop doesn't store customers' details on an open network; even in someone's workplace it would be very unlikely that they would store personal details of their employees on an open network, and if they did I would question the need for storing names, addresses, dates of birth, email addresses and telephone numbers in such a manner.

    I would also question why a company is storing personal details on an open network for 10 years without ever reassessing their initial 'adequate' encryption. If it needs to be on an open network, a security audit should be carried out regularly, should it not?

    No, I said in the note of post #8 "not saying that's perfect or that there are no dodgy takeaways or companies that flout H&S rules."

    It's about enforcing rules that promote best practices, it's about reducing the possibility of harm, it's about ensuring you're more likely to go home at the end of the day, less likely to get food poisoning, and that your personal details are less likely to be accessed when the inevitable data breach happens.
     
  16. theshadow2001

    theshadow2001 [DELETE] means [DELETE]

    Joined:
    3 May 2012
    Posts:
    5,284
    Likes Received:
    183
    If the criminals used known vulnerabilities or the systems were not secured properly then these companies who think it's OK to have poor security should be fined heavily. If they don't declare they have a breach they should be fined within an inch of their ability to operate.

    Executives only understand money, and authorities need to talk a language they understand, because clearly it's not IT.

     
    Last edited: 23 Oct 2015
  17. Porkins' Wingman

    Porkins' Wingman Can't touch this

    I should imagine you're making a pretty penny then, advising all the big companies how easy it is.
     
  18. Cerberus90

    Cerberus90 Car Spannerer

    Joined:
    23 Apr 2009
    Posts:
    7,666
    Likes Received:
    208
    Didn't I read something the other day about some change to some law that meant class action lawsuits could now be filed in the UK? Someone should sort that out on behalf of all TalkTalk customers; maybe then they'd pull their finger out and secure their security.
     
  19. Corky42

    Corky42 Where's walle?

    Probably not as much as you with your "ohh, it's too difficult so let's not bother" approach. After all, big companies don't like being told they have to divert some of their profits into silly things like safety and protecting people. :rolleyes:
     
  20. forum_user

    forum_user forum_title

    Joined:
    4 Jan 2012
    Posts:
    511
    Likes Received:
    3
    To think all the fantastic brains on this planet can't come up with a watertight and safe internet is both depressing and a lie.
     