United Kingdom Communications Security

TalkTalk Customer Data At Risk After Cyber-attack On Company Website (theguardian.com)

An anonymous reader writes: Police are investigating a "significant and sustained" cyber-attack on the website of TalkTalk, an internet and TV provider, which could have compromised customers' credit card and other personal details. The telecoms provider has 4 million customers in the UK. It is the second time in the past 12 months that TalkTalk customers have been affected by data breaches. "We are continuing to work with leading cybercrime specialists and the Metropolitan police to establish exactly what happened and the extent of any information accessed," the company said on Thursday night after revealing the attack, which took place on Wednesday.

Its chief executive, Dido Harding, said: "We take any threat to the security of our customers' data extremely seriously, and we are taking all the necessary steps to understand what has happened here." TalkTalk was informing its customers immediately about the attack as a precaution, she added.

  • Only way to stop this from happening is to make companies 100% financially responsible for all losses predicated by their lost data. We need those laws passed now, and then make an example out of the next one, hopefully driving them into bankruptcy.
    • Under tort law, they are liable. They clearly failed to put into place sensible and reasonable safeguards to protect their clients' sensitive data. CEO Dido Harding made a press statement that she didn't know if the banking details on TalkTalk's database were encrypted (gross negligence, in my opinion).

      However, we live in an age of blameless, shameless corporations who know that, as long as they don't embarrass any powerful people (that doesn't include politicians), they can get away with just about anythi

      • Baroness Harding of Winscombe studied Philosophy, Politics and Economics at Oxford. I doubt she even knows what encryption is. She certainly doesn't know the difference between a DDOS attack and an SQL injection attack.

      • by mikael ( 484 )

        So what if the databases were encrypted, the hackers would look for a system that had the encryption keys. Talk-Talk insist on every customer using Direct-Debit, rather than online payments or online billing, so they demand everyone's bank details. They could have simply given customers the choice of how to pay.

        In Norway, companies just send you an email with the Faktura and KID number. You use online banking to make the payment with confirmation going through your mobile phone with BankID

        • So what if the databases were encrypted, the hackers would look for a system that had the encryption keys. Talk-Talk insist on every customer using Direct-Debit, rather than online payments or online billing, so they demand everyone's bank details. They could have simply given customers the choice of how to pay.

          In Norway, companies just send you an email with the Faktura and KID number. You use online banking to make the payment with confirmation going through your mobile phone with BankID

          It's a lot easier and more convenient to set up a Direct Debit and have it paid each month without having to do anything, especially for things like TV/phone subscriptions which probably don't vary from month to month anyway.

          I do not want to have to manually pay my gas, electricity, water, rent, mortgage, life assurance, medical insurance, car insurance, house insurance, pet insurance, gym subs, golf club membership, student loan repayment, charity donations, child support, TV, mobile phone, broadband, c

  • 'Reports suggest that TalkTalk was subjected to a distributed denial-of-service (DDoS) attack that enabled the attackers to utilise SQL injection [engadget.com] techniques. SQL injection allows an attacker to feed commands to a database (that shouldn't normally be accessible) via a poorly-designed website form or input box.'
    • by JustAnotherOldGuy ( 4145623 ) on Friday October 23, 2015 @07:58PM (#50791239)

      Fucking aye, have these people never heard of sanitizing data, or is that some new-fangled thing?

      I rigorously sanitize ALL data coming into my sites (every single input) and I'd be genuinely surprised if a SQL injection would work on any of them.

      I mean, it's just not that fucking hard to guard against, why can't these companies full of hot-dog programmers seem to get it right??

      • It's sad how many people who 'write code' have never heard of input sanitization or output encoding, let alone parameterized queries. They all think it's someone else's job.

        • Yep. parameterized queries are good practice and should be mandatory, but even they can be dispensed with if the incoming data is properly sanitized and validated. They're highly, highly recommended and should really always be used, but half of the problems they solve are related to bad or malicious data getting placed into the query.

          But people never learn, do they?

          It astounds me that I, a lone guy coding in a home office can apparently write safer, more secure code than Sony, Twitter, Samsung, Facebook, IB

      • by Anonymous Coward

        Thankfully my past few contracts have been sane, but there are a ton of companies out there who hire programmers (the archetypical "H-1B" talked about on Slashdot who is revered by PHBs), whose focus is lines of code and getting a project to a buildable form to make a ship date. Code quality? Who gives a rat's ass, as long as deadlines are met.

        Security is, at best, an afterthought. In this economy, it is better to get a website up and money coming in, and then worry about Bobby Tables when it happens, th

      • by AmiMoJo ( 196126 )

        Security costs money. The lowest bidder rarely bothers with it, and the company sure as hell isn't going to pay to have it properly tested. As far as the boss is concerned the box was ticked, their bonus was secured.

        • Except we're not talking about complex security models such as role-based access, split encryption keys, external audits and pen-tests.

          This is the most basic level of security: Failure to validate user input, and the continued use of dynamic SQL statements rather than prepared statements - something which is a trivial code modification.
          Storing customers bank/credit card details in the web-facing application database (as opposed to communicating them to a payment application/processor or separate interna
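The two comments above argue over sanitization versus parameterized queries, and this one calls the move from dynamic SQL to prepared statements a trivial code change. The following added example (not from the article, the thread, or TalkTalk's code) shows both forms against a constructed in-memory SQLite table with a hypothetical `customers` schema: the dynamic version lets a single quote rewrite the WHERE clause, and it also breaks on a perfectly legitimate address containing an apostrophe, while the parameterized version handles both cases. An allow-list validator is included as the defence-in-depth layer the thread mentions, layered on top of, not instead of, the bound parameter.

```python
import re
import sqlite3

# Constructed sample data; the schema and rows are assumptions for this demo,
# not TalkTalk's database.
SAMPLE_ROWS = [
    ("alice@example.com", "11-22-33"),
    ("bob@example.com", "44-55-66"),
]


def make_db():
    """Build a throwaway in-memory database with two constructed customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, sort_code TEXT)"
    )
    # Seeding uses a bound parameter too; never splice data into DDL/DML text.
    conn.executemany(
        "INSERT INTO customers (email, sort_code) VALUES (?, ?)", SAMPLE_ROWS
    )
    return conn


def lookup_dynamic(conn, email):
    """Vulnerable form: user input is concatenated into the statement text,
    so the database parser sees the input as SQL, not as a value."""
    sql = "SELECT email, sort_code FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Hardened form: the statement is compiled once and the value is bound
    separately, so quotes in the input can never alter the query structure."""
    return conn.execute(
        "SELECT email, sort_code FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Allow-list validation: a deliberately narrow pattern for what an e-mail
# field may contain. This is a second layer, not a substitute for binding.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+'-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_email(email):
    return EMAIL_RE.fullmatch(email) is not None


def safe_lookup(conn, email):
    """Validate first (reject junk early), then query with a bound parameter."""
    if not validate_email(email):
        return []
    return lookup_parameterized(conn, email)


def apostrophe_breaks_dynamic(conn):
    """A legitimate address with an apostrophe (allowed by RFC 5322) is enough
    to make the concatenated query a syntax error; binding is unaffected."""
    try:
        lookup_dynamic(conn, "o'brien@example.com")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    tainted = "' OR '1'='1"  # classic textbook input used only to show the difference
    print("dynamic      :", lookup_dynamic(db, tainted))        # every row leaks
    print("parameterized:", lookup_parameterized(db, tainted))  # no match
    print("validated    :", safe_lookup(db, tainted))           # rejected before the DB
    print("apostrophe breaks dynamic query:", apostrophe_breaks_dynamic(db))
```

The point the example makes is the one the thread circles around: validation is worth having because it rejects obviously bad input before it reaches the database, but only the bound parameter guarantees that input can never change the shape of the statement, and it does so without rejecting legitimate values such as names with apostrophes.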
        • Security costs money.

          So does a security breach that tanks your stock or allows money to be siphoned out of the company.

          And in fact, security doesn't really cost squat when it's done right and baked in at the code level. I have some fairly robust sanitization libraries that I use over and over and over, and it's not costly nor is it a big deal to simply use them when I build an app or a site. We're talking a few extra seconds of typing to add a call to sanitize(type, size, method) to clean the incoming data.

          FFS, if I can do it s

          • by AmiMoJo ( 196126 )

            When there is a security breach you play the victim. Evil hackers raped your servers. Anyway, as any pro CEO knows, the trick is to make sure you have moved on by the time it all goes wrong anyway.

    • That makes no sense. How could a DOS assist a SQL injection attack?
      • Assuming we're being told the truth, it could have been used as a distraction from the main attack. But apparently the hackers got hold of some third-party [bbc.co.uk] login credentials using social engineering and used these to leverage access to the customer database. What this unencrypted database was even doing accessible from the Web just beggars incredulity. Are they teaching them anything in computer school nowadays?
  • by tomxor ( 2379126 )

    TalkTalk was informing its customers immediately about the attack as a precaution, she added

    And yet Slashdot is the first place I heard about it.

  • Looks like they took on too many customers and it was overload. They took all of virgin net dial-up customers in just one day because virgin wanted to switch to broadband cable users only and cable television and telephones. "people in the U.K. hate TalkTalk Telephone and Internet because their sales staff bombard them with special offers nuisance calls and spam". Really? https://en.wikipedia.org/wiki/... [wikipedia.org] "Virgin broadband customers told: we're moving you to TalkTalk and you'll lose your email Virgin
