News TalkTalk hit by massive security breach

Discussion in 'Article Discussion' started by Gareth Halfacree, 23 Oct 2015.

  1. Porkins' Wingman

    Porkins' Wingman Can't touch this

    Joined:
    23 Feb 2008
    Posts:
    2,897
    Likes Received:
    129
    *Insert quote about cowardly people prepared to give up everything in the name of false promises about security here*

    Nowhere is 'safe'; no-one can protect you from everything. Learn to let go peeps.
     
  2. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    388
    Best get rid of those locks on your doors, the seat belts in your car, and all those other things that make life safer. While you're correct in saying no-one can protect you from everything, that's not what anyone is suggesting; the idea is to make things safer, to reduce harm, to reduce risk.

    No door lock offers 100% security, seat belts don't promise 100% safety when you're involved in a crash, nothing can protect you from everything or always keep you safe, but that's not the idea of safety or security, the idea is to reduce the potential for undesirable outcomes.
     
  3. Teelzebub

    Teelzebub Up yours GOD,Whats best served cold

    Joined:
    27 Nov 2009
    Posts:
    15,796
    Likes Received:
    4,484
  4. theshadow2001

    theshadow2001 [DELETE] means [DELETE]

    Joined:
    3 May 2012
    Posts:
    5,284
    Likes Received:
    183
  5. loftie

    loftie Multimodder

    Joined:
    14 Feb 2009
    Posts:
    3,173
    Likes Received:
    262
    How does money get taken with partial card numbers, bank account numbers and sort codes? :confused:
     
  6. Anfield

    Anfield Multimodder

    Joined:
    15 Jan 2010
    Posts:
    7,059
    Likes Received:
    970
    It doesn't, but combine it with Full name, address, d.o.b and all the info people carelessly spread around on social networks, top it off with some good old fashioned social engineering and suddenly the sky is the limit for fraud possibilities.
     
  7. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    388
    This isn't me saying this, but I found it interesting that the boss of TalkTalk, Dido Harding, disagrees with you.
    In another ElReg article they say "while many may have expressed disgust with Harding's off-colour remarks, it should be noted that current UK data regulations are pretty vague."

    I'm not disagreeing or disputing your interpretation of the legal responsibilities and requirements placed on firms like TalkTalk by the DPA; I just wanted to raise awareness that it seems Baroness Harding is playing the "no legal requirement to encrypt stuff" card. :miffed:

    I don't pretend to understand the legalities involved with acts of parliament. Maybe, like you said, we just need better enforcement; maybe we need something more concrete that forces companies to encrypt personal data, or at least makes the legal responsibilities and requirements less vague.
     
  8. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,085
    Likes Received:
    6,635
    No, she doesn't disagree with me. The Data Protection Act, as quoted, requires that "appropriate technical and organisational measures" are taken to safeguard users' data. The Act does not mandate encryption, and neither did I claim it did: the ICO guidelines include encryption as one of many "appropriate technical measures," but it's not required.

    That said, expect to see ICO fining TalkTalk in the future over this, 'cos unless they had other "appropriate technical measures" in place (which they clearly didn't, 'cos they wuz breached) then choosing not to use encryption just because the Act doesn't say "encryption" will be sorely frowned upon.
     
  9. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    388
    We must have gotten our wires crossed then. When I said it would be nice to see some kind of law or something that says ALL personal details must be stored in an encrypted format, and you replied by saying that would be the DPA, I just assumed you meant the DPA mandated encryption of personal details.
     
  10. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,085
    Likes Received:
    6,635
    That's my fault - I was simply meaning that the law that deals with data protection is the Data Protection Act, not that it specifically mandated encryption (although it could be easily argued that encryption is an "appropriate technical measure" and therefore a requirement, even if encryption itself isn't mentioned in the Act.)
     
  11. ObsCure

    ObsCure What's a Dremel?

    Joined:
    26 Mar 2012
    Posts:
    33
    Likes Received:
    0
    Why am I finding out about this from BitTech? TalkTalk has my email address, goes straight to my phone. They never fail to send my bill for the month. But a quick courtesy email mentioning that my bank details could be out there... What a bunch of @*$%+. Probably too busy making new ads for the website to make it even slower than it already is.
     
  12. Cerberus90

    Cerberus90 Car Spannerer

    Joined:
    23 Apr 2009
    Posts:
    7,666
    Likes Received:
    208
    So a 15 year old from Northern Ireland has been arrested as part of the investigation. If that doesn't prove that TalkTalk's security is woefully inadequate then I don't know what will, :D
     
  13. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    388
    I was a bit surprised at first that it was a 15 year old. After the initial surprise wore off, I guessed at it being a fairly easy thing to do, depending on the type of online world someone frequents.

    It seems more a case of a 15-year-old's hubris mixed with commonly available knowledge.
     
  14. theshadow2001

    theshadow2001 [DELETE] means [DELETE]

    Joined:
    3 May 2012
    Posts:
    5,284
    Likes Received:
    183
    Even if he was just a script kiddie, the breach still requires some level of interest and determination. A shame those attributes weren't discovered and focused more productively.

    Regardless, if found guilty, he deserves whatever is coming to him.
     
  15. thom804

    thom804 Minimodder

    Joined:
    22 Oct 2009
    Posts:
    714
    Likes Received:
    6
    Which will probably be about 2 months in a young offenders institute and a slap on the wrist.
     
    Last edited: 27 Oct 2015
  16. notmeagain

    notmeagain Minimodder

    Joined:
    29 Jan 2009
    Posts:
    561
    Likes Received:
    15
    Likely scenario:

    >> Haxor scripto-kid 2015, mingle in hax forums, got known, got big headed.
    >> Bragging n ****.
    >> Can hack anything
    >> OnlineMafia appears "Hey kid, can hax this? talktalkbb.com"
    >> offered some elite pokemon ****. take it. damn sweet.
    >> Never heard of talktalkbb.com before, but looks easy, sure do it.
    >> Told OnlineMafia that it's done, FTP all the database, that was easy.
    >> Knocking on door, "LOL mate, is police, on floor or kill"
    >> mfw.


    It's very unlikely this underdeveloped yet bright lad had the mental fortitude/maturity to single-handedly orchestrate the operation and abscond with the data.
    It was designed to purposefully damage TTbb, or to enable vast identity fraud.
    This is not something in the scope of a 15-year-old's mindset. Back then for me it was all about tagging the index, or dropping a text doc as a marker, nothing more.

    This shouldn't be, and hopefully isn't, the closure of the case.
     
  17. Porkins' Wingman

    Porkins' Wingman Can't touch this

    Joined:
    23 Feb 2008
    Posts:
    2,897
    Likes Received:
    129
    I've had 2 emails about it from TT.
     
  18. thom804

    thom804 Minimodder

    Joined:
    22 Oct 2009
    Posts:
    714
    Likes Received:
    6
    You'd be surprised at how large companies, even with automated systems, screw up.

    Example: Ordered my new router for a handling fee from Virgin media so I could receive the 'free' broadband upgrade to 152meg. Got the email that they had confirmed the booking, and was told I would receive another to confirm delivery of the router. Nothing received before the delivery day, so I got in contact on Virgin's livechat thing. Turns out they had completely lost the order, Christ knows how.

    Long story short, these companies do lose the ability to communicate, even automatically, from time to time.
     
  19. ObsCure

    ObsCure What's a Dremel?

    Joined:
    26 Mar 2012
    Posts:
    33
    Likes Received:
    0
    I got my bill for the month. Nothing about stollen data.
     
  20. Porkins' Wingman

    Porkins' Wingman Can't touch this

    Joined:
    23 Feb 2008
    Posts:
    2,897
    Likes Received:
    129
    Man, I would be such a fat ******* if I was getting emails about stollen data, I just can't resist stollen, ****ing love the stuff.