TalkTalk CEO admits security fail, says hacker emailed ransom demand

Dido Harding, the chief executive of TalkTalk, has confessed her company should have done more to protect its customers' personal information, and has confirmed a seemingly related blackmail attempt. Harding told BBC News that she had personally received an email which included a ransom demand from "an individual or a group, …

  1. Anonymous Coward

    Aren't talk talk the lot that desperately wanted everyone to sign their porn register, I mean opt out of the net nanny scheme?

    1. RISC OS

      I'm pretty sure her colleagues call her...

      ...dildo hardon

      1. TheVogon

        Re: I'm pretty sure her colleagues call her...

        "...dildo hardon"

        dildo hardin surely?

        At least when she answered the questions for TV she was brave and sensible enough to admit that she didn't really have a clue what was taken and if it was encrypted.

  2. Vimes

    Didn't they sign an undertaking with the ICO a number of years ago as a result of similar issues? And that undertaking is still in effect?

    I wonder if the ICO will actually take meaningful action against them this time?

    1. Danny 14

      Which also leads on to an interesting question: what about people who have previously been TalkTalk customers? Are their details (and CC/bank accounts) still held on the system?

      Whilst they might contact current customers, will they be contacting previous ones too?

      That's a nice 4 million mailshot earner for the franking machine.

      1. Allan 1

        It's my understanding that they are legally required to retain ex-customer details for a number of years after that customer leaves, in case the authorities need to investigate fraud / crime.

        1. yoganmahew

          @Allan 1

          They hardly need to do this on an internet facing system, though? Or have people forgotten that it is possible to not have every system accessible from everywhere?

        2. Duffaboy

          Regardless to say

          That being true, then why is it so easily accessible from the outside world?

      2. Chris King

        If they have retained customer details from the operations they have taken over, it's not just ex-TalkTalk customers in the firing line. What about former customers of...

        AOL (UK)

        Tiscali

        Pipex

        Nildram

        Tesco Broadband

        Virgin Media (ADSL)

        OneTel

        ...and possibly others I've forgotten about?

        I will be SERIOUSLY miffed if I'm caught in the crossfire of this Charlie Foxtrot - I was a Nildram customer but escaped to AAISP nearly ten years ago, and had a OneTel dialup account before that. How long have they held on to ex-customer data, I wonder?

        1. Doctor Syntax

          @Chris King

          Like you I've been through the Nildram>Pipex>Tiscali route but I jumped ship nearly 6 years ago. A good deal of what they had will be stale by now, certainly I've changed bank since then. I doubt either of us would fall for a call claiming to be from their customer disservices - they never did anything after the Tiscali takeover so why expect them to be getting round to it now?

          In fact, after the Tiscali takeover their email support would have passed the Turing test - there was no way to tell whether it was human or a bot - but not in a good way.

      3. John Brown (no body)

        "who have previously been talktalk customers?"

        ...not to mention ex customers of ISPs which have been taken over by Talk Talk. I wonder how many people that might affect and if they have even a vague inkling that their bank account details might have been compromised?

        EDIT: I now see this topic has already been mentioned (and down voted? WTF?????)

  3. Anonymous Coward
    1. hatti

      Re: Dido Harding...

      I doubt she's dumb, just her office is where you will find the end of the buck if you follow it.

      Horrible week at work.

      1. Anonymous Coward

        Re: Dido Harding...

        "You got bucked!"

    2. Anonymous Coward

      Re: Dido Harding...

      There's no white flag above her door...

    3. Kubla Cant

      Re: Dido Harding...

      Remember me, forget my fate!

      1. Arctic fox

        Re: Dido Harding...

        Well done gentlemen - there is perhaps something to be said for some form of classical education!

        "When I am laid, am laid in earth, May my wrongs create

        No trouble, no trouble in thy breast;

        Remember me, remember me, but ah! forget my fate.

        Remember me, but ah! forget my fate."

    4. Uberseehandel

      Re: Dido Harding...

      bad taste, cheap clothes, posh name.

      what is wrong with this picture?

      sell the Talk talk customer base, sell the company, fire the D1D0

  4. Grubby

    SLA

    With an SLA like TalkTalk's, the hacker will be lucky if she responds to the email this year.

    1. Fred Flintstone

      Re: SLA

      "With an SLA like TalkTalk's, the hacker will be lucky if she responds to the email this year."

      I'm amazed that this blackmail email even got to her in the first place. :-)

      1. Vimes

        Re: SLA

        https://twitter.com/haveigotnews/status/657499167535800320

        1. Captain DaFt

          Re: SLA

          "https://twitter.com/haveigotnews/status/657499167535800320"

          Oh damn, that is priceless! I nearly choked laughing!

      2. Your alien overlord - fear me

        Re: SLA

        Probably her AOL account.

  5. future research

    Radio 4

    In the interview on Radio 4 this morning, the person claimed it was too early to say if important customer data was encrypted (and there were millions of records, as if that was a reason).

    I therefore take the answer to be no, it was not encrypted.

    1. This post has been deleted by its author

      1. Vimes

        Re: Radio 4

        Why bother with that when ROT13 does the job?

        (nobody said it had to be *good* encryption...)

    2. Kubla Cant

      Re: Radio 4

      "In the interview on Radio 4 this morning, the person claimed it was too early to say if important customer data was encrypted (and there were millions of records, as if that was a reason)."

      Record 1: not encrypted, record 2: not encrypted either, record 3: still not encrypted, record 4...

      You can see how this may take some time.

      1. allthecoolshortnamesweretaken

        Re: Radio 4

        Same methodology as this then

        http://dilbert.com/strip/1996-09-18

    3. MrWibble

      Re: Radio 4

      Ars says "no"

      "Moreover, TalkTalk has confirmed to Ars that some of its customer data was stored in plaintext, i.e. not encrypted. The spokesperson admitted this was 'not ideal'."

      http://arstechnica.co.uk/tech-policy/2015/10/talktalk-hit-by-significant-cyberattack-millions-of-customer-records-compromised/

      1. Dan 55

        Re: Radio 4

        Ars also noticed that a) the AOL story saying this was Talk Talk's third hack this year was disappeared and b) Talk Talk owns AOL in the UK. That's the kind of company you want in charge of your personal data.

    4. Anonymous Coward

      Re: Radio 4

      SQL injection can bypass encrypted data. Though there's some data (e.g. passwords) that should be encrypted in a form that even the company itself can't access. And it wasn't because the passwords are out there in pastebin for all to see.

      I wish that I had never signed up with TalkTalk. I normally pay for everything via credit card. That affords me some protection. But with my TalkTalk business account they refused to accept a credit card. They said I could change the payment information over to credit card later on, but that they could not (read: would not) set up an account without bank details. And instead of backing out at that point and going through the entire selection and sign-up process again with a different provider, I let them have the bank details so they could set up a direct debit. So now my name, bank details and a password (only used for TalkTalk) are out there because of these people.

      1. Anonymous Coward

        Re: Radio 4

        So, how is that important? They have the same details you give when you write a cheque for something to be delivered to your home address. And, like any sane person, you don't use the same password for your banking.

        1. Terry 14

          Re: Radio 4

          But they don't have your date of birth; the hackers have more than enough details for identity fraud.

        2. Cameron Colley

          Re: Radio 4

          @Anonymous Coward: "So, how is that important? They have the same details you give when you write a cheque for something to be delivered to your home address. And, like any sane person, you don't use the same password for your banking."

          You sound just like Jeremy Clarkson. Perhaps look into how well it went for him when he made his banking details public?

    5. hatti

      Re: Radio 4

      It can only take at max 3 seconds to check if data is encrypted.

      1. Look at first row of data your eyes lock onto.

      2. See familiar looking letters and numbers = not encrypted

      3. See weird looking squiggles and odd symbols = encrypted

  6. mark 120

    Lol. Selling data on the dark web isn't as profitable as it used to be? That's only if you look at it on a price per unit basis, because the market is flooded with details stolen from companies like TT. Overall it's still very profitable.

    Is it just me who thinks she needs a PR person telling her to shut up right now?

    1. MyffyW

      Selling data isn't profitable?

      Wishful thinking, frankly.

  7. Flakey

    What's the betting

    TT's cancellation department is in meltdown right now.

    1. Geoff May

      Re: What's the betting

      Excepting that will not help them because, the only real way of getting security would be to change banks, move house, change your name and try and get your date of birth amended. I wonder if TalkTalk customers can move to a different calendar to avoid future trouble ...

      1. Danny 14

        Re: What's the betting

        It will help when they fuck up again, though. Assuming you trust them to take your details off their system.

    2. Kwales66

      Re: What's the betting

      If you can get through to it - almost impossible at the best of times. I would just suggest ringing the new subscriber number and getting through to cancel that way. Has worked for me in the past (not just for TalkTalk).

  8. Anonymous Coward

    relax

    Gubbmint keep telling us they have invested billions in cyberstuff to protect/spy on us

    Forget police dealing with burglary, muggings etc. cos they are all back in the station trying to figure out how to get back to that screen they had a minute ago, sarge.

    Meanwhile private companies have taken this as a sign they can go to sleep and just let the boys in the big doughnut nerve centre advise them after the fact.

    1. Lysenko

      Re: relax

      <sarc> Strange she didn't mention her company commitment to increasing the salaries, staffing levels and overall budget of the IT security section every year. </sarc>

  9. Richard Tobin

    Ransom demand

    Can they really have only received one ransom demand?

    1. seanj

      Re: Ransom demand

      Well, if as she says, she is a Talk Talk user too, then the rest are probably still lost in the intertubes somewhere and should arrive tomorrow sometime.

    2. Doctor Syntax

      Re: Ransom demand

      "Can they really have only received one ransom demand?"

      No, but only one's genuine. They're trying to work out which it is.

  10. Peter Kavanagh.

    Ongoing, definitely not new

    Someone in earlier article comments mentioned they knew of instances of attempted phishing calls, where the scammers had worryingly detailed knowledge of the target's TalkTalk account information.

    On a phone-in to LBC on Monday someone called in with a very similar story of a call - "we understand you've had problems with our broadband service" (customer had indeed experienced this) ", so we would like to refund you some money, just need to check the payment details...".

    Either inside information or clear confirmation that account details have been compromised in earlier attacks.

    1. Old Tom

      Re: Ongoing, definitely not new

      I had a long call from 'TalkTalk' last week, sounded like India. They knew my name and number, address and TalkTalk account number, and were trying to persuade me to let them fix the errors on my broadband. I assumed it all came from the February breach.

  11. Grubby

    Ransom Note

    The hacker decided to blackmail Talk Talk after realizing that the combined value of TalkTalk customers' available credit was a fiver. They've offered to give it back in exchange for a 6 month Sky Sports Boost.

  12. seanj

    Unlikely to be the real culprit.

    If Talk Talk received the email today, it was probably a ransom demand for the previous breach...
