1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

News TalkTalk hit by massive security breach

Discussion in 'Article Discussion' started by Gareth Halfacree, 23 Oct 2015.

  1. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    13,002
    Likes Received:
    2,127
  2. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,444
    Likes Received:
    338
    It does instil much confidence that they stored customers details in an encrypted form when they say their "offering a year's free credit monitoring whilst also asking banks to keep an eye out for fraudulent account activity"

    Or is that a standard thing these companies do now?
     
  3. Bungletron

    Bungletron Well-Known Member

    Joined:
    25 May 2010
    Posts:
    1,169
    Likes Received:
    62
    Or 'Derek', as he is more commonly known at New Scotland Yard.
     
  4. Bungletron

    Bungletron Well-Known Member

    Joined:
    25 May 2010
    Posts:
    1,169
    Likes Received:
    62
    Some of it was not encrypted, they say so in their little faq under the press release. In this particular case potentially scam merchants have enough hack points here to go ahead and start taking out loans no further info needed: name, address, dob, bank details even a bloody utility bill. It sucks, they know it sucks, people need to understand it sucks bad enough to check start regularly checking credit scores to make sure they are not being id thieved, what a horror show.
     
  5. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,444
    Likes Received:
    338
    I guess we can only hope that the "some" includes the CC & Bank details, not that any of the other details aren't just as worrisome it's just they're maybe not as easily exploitable.

    It would be nice to see some kind of law or something that says ALL personal details must be stored in an encrypted format.
     
  6. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    13,002
    Likes Received:
    2,127
    That would be the Data Protection Act, which has as Principle 7:
    The ICO, which is in charge of enforcing this stuff, takes the 'technical measures' to include encryption. Now, if it were actively enforced...

    It also states that companies should adhere to ISO 27001, but reading that will cost you £100. No, really. (Yes, you can find PDF copies with a quick Google search, but that's naughty-naughty copyright infringement.)
     
  7. Porkins' Wingman

    Porkins' Wingman Can't touch this

    Joined:
    23 Feb 2008
    Posts:
    2,895
    Likes Received:
    128
    I don't tend to use credit much, and any money taken will get returned to me, so they're welcome to start flogging my ID for whatever they can get. Good luck to them.
     
  8. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,444
    Likes Received:
    338
    Principle 7 is the kind of thing i mean, not having looked into how it's enforced or its implementation i could be mistaken, but when i said a law or something i meant in the same kind of way that we, as a country treat *food safety or health and safety at work.

    The way things seem to work currently with personally data is that any Jo Blogs could setup a business that involves collecting and storing data without any checks.

    *not saying that's perfect or that there are no dodgy takeaways or companies that flout H&S rules.
     
  9. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    13,002
    Likes Received:
    2,127
    When you say "law," what you're actually referring to is "Act of Parliament." Health and safety at work is covered by The Health and Safety at Work etc Act 1974; food safety is covered by The Food Safety Act 1990; and data protection is covered by The Data Protection Act 1998. In other words: legally, we already treat data protection exactly the same as food safety or health and safety at work - we have Acts of Parliament surrounding them.

    An Act of Parliament creates a new law or changes an existing law. It starts off life as a Bill (so, there was a Food Safety Bill) which is (supposedly) debated and then approved or rejected by both the House of Commons and the House of Lords. Once approved, the Bill becomes an Act - and is law.

    There is no difference in terms of legality between the Data Protection Act and the Food Safety Act; they're both Acts of Parliament which outline legal responsibilities and requirements, making certain things illegal under UK law (such as serving e-coli-infested ratburgers, or selling your customer database to the Chinese).

    TL;DR: The thing for which you're asking is already a thing. What you want is greater enforcement of the thing.
     
  10. Porkins' Wingman

    Porkins' Wingman Can't touch this

    Joined:
    23 Feb 2008
    Posts:
    2,895
    Likes Received:
    128
    Breaking news - there is actually quite a lot of data out there nowadays. Effective enforcement is unrealistic other than punishing those that are caught out publicly like this and hoping that over time things improve, but I don't see it happening any time soon.
     
  11. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,444
    Likes Received:
    338
    Yea that then. :)
    Maybe we need a TV program called the Data inspectors or something to raise awareness, i would say better funding but we all know there's not the money for that sort of thing. :worried:

    The same could be said of food and work places but we manage to effectively enforce those, why should data be any different.
     
  12. Porkins' Wingman

    Porkins' Wingman Can't touch this

    Joined:
    23 Feb 2008
    Posts:
    2,895
    Likes Received:
    128
    I don't think they're comparable examples. How could anyone be reasonably expected to keep track of who stores what data? The web is too big and too intangible. And work places have a more direct incentive to keep its employees safe, as do catering premises have a direct incentive to not cause their customers to get ill.

    You could be a site storing personal data for 10 years with 'adequate' encryption and get away with it, then suddenly get an unexpected attack that is now capable of beating your protection. And restaurants and workplaces aren't generally targetted by outsiders trying to sabotage things, certainly not on the same scale as cyber crime if you believe an ounce of the media on it.

    And besides, are you suggesting there are never any incidents of employee injuries/fatalities at work or food poisoning in restaurants? How do you define 'effective enforcement'?
     
    Last edited: 23 Oct 2015
  13. jewelie

    jewelie Ancient geek, newbie to BT

    Joined:
    3 Jun 2015
    Posts:
    50
    Likes Received:
    4
    Looks like the hackers' friends have been posting example excerpts to pastbin, so if it's genuine (and it looks like it is) we already have a guide of a minimum of how much information has been breached-

    http://pastebin.com/JxqVQLqJ
    http://pastebin.com/HHT4BxJA
    http://pastebin.com/QH0Y1UnL
    http://pastebin.com/KGsK61wr

    Fortunately, they've redacted the bank account numbers in these examples.

    So, so far it seems that they've got-

    Name, Address, D.O.B., Telephone Number, E-Mail Address, Bank Name, Bank Account Number, Bank Account Sort Code, TalkTalk Account Details (including password), and very probably much more.

    If this is genuine and it's plain-text then that suggests extreme negligence and I really hope the ICO bites down on them hard; otherwise, there's new legislation for class action lawsuits in the UK.

    If the hack was complete, I wonder if they got at the logs of all websites etc people have visited as well, which was always going to be a risk with DRIPA legislated data recording. :( If so, potentially many opportunities for blackmailing, sadly.

    :(
     
  14. Thaifood

    Thaifood Member

    Joined:
    24 Apr 2009
    Posts:
    773
    Likes Received:
    15
    this could cause a problem.. in the process of changing the name/owner of accounts as i am taking over my friends (as they have left to go travelling).. changed the dd to mine already, but the name of the account hasnt changed yet.. fingers cross
     
  15. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,444
    Likes Received:
    338
    It's easy to keep track of who stores the data, it's the people asking for it in the first place, why should personal data on the Internet be any different than the personal data you provide to your gas/electric supplier, or any other organisation?

    The incentive, if you really need one, is what its always been, money.

    You seem to be conflating restaurants and workplaces and the need to store data in a safe fashion, last time i checked my local kebab shop doesn't store customers details on an open network, even in someones workplace it would be very unlikely that they would store personal details of their employes on an open network, and if they did i would question the need for storing names, addresses, dates of birth, email addresses, telephone numbers in such a manner.

    I would also question why a company is storing personal details on an open network for 10 years without ever reassessing their initial 'adequate' encryption, if it needs to be on an open network a security audit should be carried out regularly should it not?

    No, I said in the note of post #8 "not saying that's perfect or that there are no dodgy takeaways or companies that flout H&S rules.

    It's about enforcing rules that promote best practices, it's about reducing the possibility of harm, it's about ensuring your more likely to go home at the end of the day, less likely to get food poisoning, and that your personal details are less likely to be accessed when the inevitable data breach happens.
     
  16. theshadow2001

    theshadow2001 [DELETE] means [DELETE]

    Joined:
    3 May 2012
    Posts:
    5,169
    Likes Received:
    146
    If the criminals used known vulnerabilities or the systems were not secured properly then these companies who think its OK to have poor security should be fined heavily. If they don't declare they have a breach they should be fined within an inch of their ability to operate.

    Executives only understand money and authorities need to talk a language they understand, because clearly its not IT.

     
    Last edited: 23 Oct 2015
  17. Porkins' Wingman

    Porkins' Wingman Can't touch this

    Joined:
    23 Feb 2008
    Posts:
    2,895
    Likes Received:
    128
    I should imagine you're making a pretty penny then, advising all the big companies how easy it is.
     
  18. Cerberus90

    Cerberus90 Car Spannerer

    Joined:
    23 Apr 2009
    Posts:
    7,533
    Likes Received:
    136
    Didn't I read something the other day about some change to some law that meant class action lawsuits could now be filed in the UK? Someone should sort that out on behalf of all TalkTalk customers, maybe then they'd pull they're finger out and secure their security.
     
  19. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,444
    Likes Received:
    338
    Probably not as much as you with your ohh it's to difficult so lets not bother approach, after all big companies don't like being told they have to divert some of their profits into silly things like safety and protecting people. :rolleyes:
     
  20. forum_user

    forum_user forum_title

    Joined:
    4 Jan 2012
    Posts:
    511
    Likes Received:
    3
    To think all the fantastic brains on this planet can't come up with a watertight and safe internet is both depressing and a lie.
     

Share This Page