TalkTalk attack: 'No legal obligation to encrypt customer bank details', says chief

ISP calls in BAE Systems to probe security breach

TalkTalk continued on its quest to be painted merely as a victim of crime today, while the budget ISP's website remained offline following a huge attack on its business earlier this week.

In an interview with the Sunday Times, TalkTalk chief executive Dido Harding said that her company was under no "legal obligation" to encrypt sensitive customer data, such as bank account details.

"It wasn't encrypted, nor are you legally required to encrypt it," she told the newspaper. "We have complied with all of our legal obligations in terms of storing of financial information."

She added: "The bad stuff that can happen is actually because the criminal then scams you further."

TalkTalk has claimed that the data nicked by malefactors was "materially lower" than feared. However, the company was yet to reveal exactly how many of its customers were at risk of being targeted by scammers following the raid on its website.

On Saturday, TalkTalk attempted damage limitation by saying that the attack was less serious than first thought. But the company did reveal that some credit card information had been snatched.

Meanwhile, security blogger Brian Krebs has claimed that the uncorroborated ransom message received by TalkTalk CEO Dido Harding included a demand for $80,000 in Bitcoin.

Krebs wrote:

A source close to the investigation who spoke on condition of anonymity told KrebsOnSecurity that the hacker group who demanded the £80,000 ransom provided TalkTalk with copies of the tables from its user database as evidence of the breach. The database in question, the source said, appears related to at least 400,000 people who have recently undergone credit checks for new service with the company.

The Register asked TalkTalk to tell us more about the ransom demand, which may be unconnected to the latest attack on the telco's systems, given that TalkTalk suffered earlier security breaches in February and July this year.

A company spokesbeing told us: "We can't comment on the message, due to the ongoing police investigation."

El Reg also wanted to know how soon TalkTalk's website might return to life.

"TalkTalk and BAE Systems are working together to investigate the website breach. BAE's cyber-specialists are currently analysing vast quantities of data to help establish how the breach happened and what information was stolen," we were told.

The spokesbeing added: "Hoping to get the site up and running as quickly as possible, but obviously we will not do so until we are confident that all aspects are as secure as possible."
