TalkTalk Customer Data At Risk After Cyber-attack On Company Website (theguardian.com)
An anonymous reader writes: Police are investigating a "significant and sustained" cyber-attack on the website of TalkTalk, an internet and TV provider, which could have compromised customers' credit card and other personal details. The telecoms provider has 4 million customers in the UK. It is the second time in the past 12 months that TalkTalk customers have been affected by data breaches. "We are continuing to work with leading cybercrime specialists and the Metropolitan police to establish exactly what happened and the extent of any information accessed," the company said on Thursday night after revealing the attack, which took place on Wednesday.
Its chief executive, Dido Harding, said: "We take any threat to the security of our customers' data extremely seriously, and we are taking all the necessary steps to understand what has happened here." TalkTalk was informing its customers immediately about the attack as a precaution, she added.
Re: (Score:2)
how can we expect anything smaller than a state government to actually handle a concerted attack?
Even governments struggle. Remember Russia addressed APT by reverting back to typewriters.
Accountability (Score:2)
Re: (Score:2)
Re: (Score:3)
Baroness Harding of Winscombe studied Philosophy, Politics and Economics at Oxford. I doubt she even knows what encryption is. She certainly doesn't know the difference between a DDOS attack and an SQL injection attack.
Re: (Score:2)
So what if the databases were encrypted, the hackers would look for a system that had the encryption keys. Talk-Talk insist on every customer using Direct-Debit, rather than online payments or online billing, so they demand everyone's bank details. They could have simply given customers the choice of how to pay.
In Norway, companies just send you an email with the Faktura and KID number. You use online banking to make the payment with confirmation going through your mobile phone with BankID
Re: (Score:2)
So what if the databases were encrypted, the hackers would look for a system that had the encryption keys. Talk-Talk insist on every customer using Direct-Debit, rather than online payments or online billing, so they demand everyone's bank details. They could have simply given customers the choice of how to pay.
In Norway, companies just send you an email with the Faktura and KID number. You use online banking to make the payment with confirmation going through your mobile phone with BankID
It's a lot easier and more convenient to set up a Direct Debit and have it paid each month without having to do anything, especially for things like TV/phone subscriptions which probably don't vary from month to month anyway.
I do not want to have to manually pay my gas, electricity, water, rent, mortgage, life assurance, medical insurance, car insurance, house insurance, pet insurance, gym subs, golf club membership, student loan repayment, charity donations, child support, TV, mobile phone, broadband, c
Hack used SQL injection .. (Score:2)
Re:Hack used SQL injection .. (Score:4, Insightful)
Fucking aye, have these people never heard of sanitizing data, or is that some new-fangled thing?
I rigorously sanitize ALL data coming into my sites (every single input) and I'd be genuinely surprised if a SQL injection would work on any of them.
I mean, it's just not that fucking hard to guard against, why can't these companies full of hot-dog programmers seem to get it right??
Re: Hack used SQL injection .. (Score:2)
It's sad how many people who 'write code' have never heard of input sanitization or output encoding, let alone parameterized queries. They all think it's someone else's job.
Re: (Score:2)
Yep. parameterized queries are good practice and should be mandatory, but even they can be dispensed with if the incoming data is properly sanitized and validated. They're highly, highly recommended and should really always be used, but half of the problems they solve are related to bad or malicious data getting placed into the query.
But people never learn, do they?
It astounds me that I, a lone guy coding in a home office can apparently write safer, more secure code than Sony, Twitter, Samsung, Facebook, IB
Re: (Score:1)
Thankfully my past few contracts have been sane, but there are a ton of companies out there who hire programmers (the archetypical "H-1B" talked about on Slashdot who is revered by PHBs), whose focus is lines of code and getting a project to a buildable form to make a ship date. Code quality? Who gives a rat's ass, as long as deadlines are met.
Security is, at best, an afterthought. In this economy, it is better to get a website up and money coming in, and then worry about Bobby Tables when it happens, th
Re: (Score:2)
I am guessing your customers are not allowed to be Scottish because they have a quote symbol in their name.
?
Do you mean Irish (O'hare, O'flaherty etc.)?
Or is this some other quote symbol I am not aware of?
Mc"Manus, Mac"Sweeney et al.
The " is silent.
Re: (Score:2)
Re: (Score:2)
If you need to sanitise data you are doing it wrong.
This is one of the stupidest things I've ever heard.
Re: (Score:3)
Security costs money. The lowest bidder rarely bothers with it, and the company sure as hell isn't going to pay to have it properly tested. As far as the boss is concerned the box was ticked, their bonus was secured.
Re: (Score:2)
This is the most basic level of security: Failure to validate user input, and the continued use of dynamic SQL statements rather than prepared statements - something which is a trivial code modification.
Storing customers bank/credit card details in the web-facing application database (as opposed to communicating them to a payment application/processor or separate interna
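The thread above argues about whether input sanitisation can stand in for parameterised queries, and the O'Hare/Mc"Manus exchange shows why the question matters. The following is an added example (not code from the article, from TalkTalk, or from any commenter) using Python's standard sqlite3 module against a constructed in-memory table. It puts the concatenated-string query next to the parameterised one, shows the legitimate apostrophe name breaking the former while the latter handles it, and adds an allow-list validator in front of the parameterised query as the defence-in-depth some commenters describe. The table, names and account numbers are all made up for the example.

```python
import re
import sqlite3

# Constructed sample data; the schema and values are invented for this example.
SAMPLE_CUSTOMERS = [
    ("O'Hare", "ACC-001"),
    ("Smith", "ACC-002"),
    ("McManus", "ACC-003"),
]

# Allow-list for a surname field: letters, apostrophe, space, hyphen, bounded length.
SURNAME_RE = re.compile(r"[A-Za-z' \-]{1,64}")


def make_db():
    """Build an in-memory customer table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, surname TEXT, account TEXT)"
    )
    # Even the seed data goes in through placeholders.
    conn.executemany(
        "INSERT INTO customers (surname, account) VALUES (?, ?)", SAMPLE_CUSTOMERS
    )
    conn.commit()
    return conn


def lookup_concat(conn, surname):
    """Dynamic SQL: the caller's text is spliced straight into the statement.

    Returns the matching accounts, or None if the database rejects the
    statement. A legitimate name such as O'Hare is enough to make that
    happen, because the quote ends the string literal early and the rest
    is parsed as SQL, which is exactly the defect that injection relies on.
    """
    sql = "SELECT account FROM customers WHERE surname = '" + surname + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return None


def lookup_param(conn, surname):
    """Parameterised query: the value is bound after parsing, never parsed as SQL."""
    sql = "SELECT account FROM customers WHERE surname = ?"
    return [row[0] for row in conn.execute(sql, (surname,))]


def is_valid_surname(surname):
    """Allow-list validation, useful for data quality but not a substitute for binding."""
    return SURNAME_RE.fullmatch(surname) is not None


def lookup_validated(conn, surname):
    """Validate first, then bind: the combination the thread's best advice amounts to."""
    if not is_valid_surname(surname):
        raise ValueError("surname rejected by allow-list")
    return lookup_param(conn, surname)


if __name__ == "__main__":
    db = make_db()
    for name in ("Smith", "O'Hare"):
        print(name, "concat ->", lookup_concat(db, name), "param ->", lookup_param(db, name))
```

Run as a script it prints that "Smith" works either way, while "O'Hare" returns None from the concatenated version (the statement fails to parse) and the correct account from the parameterised one. The point the example makes is the one the thread circles around: an escaping routine can make the apostrophe case work, but a bound parameter removes the parsing problem entirely, and validation on top of that is about rejecting junk, not about making the query safe.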
Re: (Score:2)
Security costs money.
So does a security breach that tanks your stock or allows money to be siphoned out of the company.
And in fact, security doesn't really cost squat when it's done right and baked in at the code level. I have some fairly robust sanitization libraries that I use over and over and over, and it's not costly nor is it a big deal to simply use them when I build an app or a site. We're talking a few extra seconds of typing to add a call to sanitize(type, size, method) to clean the incoming data.
FFS, if I can do it s
Re: (Score:2)
When there is a security breach you play the victim. Evil hackers raped your servers. Anyway, as any pro CEO knows, the trick is to make sure you have moved on by the time it all goes wrong anyway.
Re: (Score:2)
Re: (Score:2)
Eh? (Score:2)
TalkTalk was informing its customers immediately about the attack as a precaution, she added
And yet Slashdot is the first place I heard about it.
Re: (Score:2)
Re: (Score:2)
TalkTalk Group (Score:1)