TalkTalk incident management: A timeline

Let's waft away the spin and take a hard look


Timeline Contradictory statements issued by TalkTalk regarding the third data breach the company has experienced this year have provided inadequate information to the telco's customers about their data, while effectively insulating the company from questions regarding its security practices with insubstantive, and at times incoherent, PR emissions.

Following the arrest of a 15-year-old boy on unspecified Computer Misuse Act offences, The Register recaps:

We first reported on an outage at TalkTalk.co.uk on the afternoon of Wednesday 21 October. We published the company's first statement on the matter, which made no suggestion that customers' data had been compromised, but instead attributed the outage to unspecified technical issues.

21/10/2015: The TalkTalk website is unavailable right now. Sorry we are currently facing technical issues, our engineers are working hard to fix it. We apologise for any inconvenience this may cause.

We were subsequently updated by TalkTalk that the site had been taken down by the company itself, which does not contradict the claim that the company was facing technical issues, however comes at a period during which the company later stated it was not only reacting to a cyberattack but also informing stakeholders, from customers to the police, of the incident.

21/10/2015: We have taken down TalkTalk.co.uk temporarily, and normal service will be resumed as soon as possible.

In fact, no mention of a cyberattack would be forthcoming for the next 24 hours. It wasn't until the evening of Thursday 22 October that TalkTalk released a statement claiming that it had been attacked, and warning its customers that their data may have been compromised. This came more than 24 hours after, by TalkTalk's own statement, it had reacted to the initial attack specifically to protect its customers' data.

22/10/2015: As soon as we realised the website was under attack, we pulled the site down in an effort to protect data.

Details regarding the attack were, and remain, sparse. In an initial list of potentially compromised Personally Identifiable Information (PII) provided to customers, TalkTalk seems to have simply provided a list of all the information it held on its customers. There was, at this time, no suggestion of what the attack had been, what it had targeted, and what had actually been compromised.

23/10/2015: A criminal investigation was launched by the Metropolitan Police Cyber Crime Unit following a significant and sustained cyberattack on our website yesterday ... there is a chance that some of the following data has been compromised: names, addresses, date of birth, phone numbers, email addresses, TalkTalk account information, credit card details and/or bank details.

TalkTalk's statements became increasingly technically incoherent, and talking to The Register, it attributed the loss of customers' data to a Distributed Denial of Service (DDoS) attack. A DDoS is only capable of increasing the load on a network resource - and thus taking a website offline - and not capable of retrieving information from that resource. However, as you might recall, TalkTalk had already claimed that the company itself had taken TalkTalk.co.uk offline.

Talking to The Register, Trend Micro's Rik Ferguson stated that it was "entirely possible" that there were two attacks, which "went hand in hand, that a DDoS was used to light a metaphorical fire in the front yard while the thieves snuck around the back. It wouldn't be the first time."

A smokescreen DDoS was alleged to be the tactic of choice for hackers who stole the personal details of 2.4 million Carphone Warehouse customers in August.

TalkTalk, however, suggested it had only been targeted by a single attack which affected its website, and not its "core systems".

TalkTalk has yet to provide any information about where it was storing its customers information. Traditionally, distinguishing between a service provider's "core systems" and "website" may be made in terms of where customer data was actually stored, with a website being merely a protected front-end for its actual business operations.

As can be witnessed in the URL of TalkTalk's statement (http://help2.talktalk.co.uk/oct22incident) the incident is attributed to 22 October - which is a day later than it actually occurred. TalkTalk has subsequently claimed there were no delays between it realising it was under attack, it pulling down its site, and it then informing customers that their data may have been compromised. In truth there were several days in between these events, and TalkTalk has still to confirm what data may have been compromised.

On Friday 23 October, Dido Harding was interviewed by the BBC where she avoided offering specific information about the attack itself. Instead the CEO claimed to have received a ransom notice via email, further explanation of which was denied as it involved "a live criminal investigation".

The validity of the ransom demand was not addressed in that interview, but notably contributed to an attention-deflecting public relations coup as commentators rushed to suggest attributions and spot TalkTalk data for sale on the web.

Again communicating with The Register on Friday, the telco claimed it believed its "systems were as secure as they could be," despite admitting that not all of the data it held on its customers was encrypted.

When Harding admitted TalkTalk may have not encrypted its customers' bank details, it was as a claim made to soothe customers by claiming that the information which had been stolen was "incomplete".

24/10/2015: We now expect the amount of financial information that may have been accessed to be materially lower than initially believed and would on its own not enable a criminal to take money from your account.

This raised concerns regarding TalkTalk's thoughts regarding security - specifically regarding its means for secure storage. The minor obfuscation of credit card detail digits may not completely reduce TalkTalk customers' exposure to phishing emails or identity theft scams. Harding confirmed her lack of concern over this detail in an interview with the Sunday Times.

25/10/2015: It wasn't encrypted, nor are you legally required to encrypt it ... We have complied with all of our legal obligations in terms of storing of financial information.

TalkTalk's claims that it was not under a legal obligation to encrypt users' data may be correct, dependent upon interpretation of the Data Protection Act 1998 (DPA) Principle 7 which states only that:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Establishing what security measures may be considered "appropriate" will be key to TalkTalk's attempts to claim it has not negligently breached the DPA. The telco has so far absolved itself of responsibility, despite Harding issuing a soft "Sorry" during her BBC interview. TalkTalk's site denies a breach of the DPA, noting "This is a criminal attack. We have notified the [Information Commissioner's Office (ICO)] and we will work closely with them over the coming weeks and months."

The ICO was notified on Thursday evening, at the same time that TalkTalk went public.

Youtube Video

Harding provided a video statement at 1pm on Monday 26 October, although it offered no more details of the attack, nor did it explain what information had been stolen and/or used by the criminals to target TalkTalk customers.

The number of customers affected and the amount of data potentially stolen is smaller than originally feared.

We don't store unencrypted data on our site, any credit card info which may have been stolen has the six middle digits blanked out and can't be used for financial transactions.

No My Account passwords have been stolen.

No banking details have been taken that you wouldn't already be sharing when you write a cheque or give to someone so they can pay money into your account.

Following the arrest of a 15-year-old boy on Monday evening, within a week of the cyberattack on TalkTalk's website, the company stated its victimhood, bemoaning the fact that "cyber criminals are becoming increasingly sophisticated and attacks against companies that do business online are becoming increasingly frequent."

At this juncture, Harding began to loosen up about the company's approach to customers wishing to terminate their relationship with the data-spaffing telco.

Harding, an avid vlogging enthusiast, delivered another piece to camera with this suggestion:

In the unlikely event that money is stolen from a customer’s bank account as a direct result of the cyber-attack (rather than as a result of any other information given out by a customer) then as a gesture of goodwill, on a case by case basis, we will waive termination fees.

Additional information provided by TalkTalk suggests there are three requirements before current customers will be allowed to cancel their contracts:

  • You have had money taken from your account without your consent and you have incurred a financial loss as as result.
  • The money was taken on or after the 21st October 2015.
  • You have contacted Action Fraud and obtained a Crime Reference Number.

TalkTalk additionally is accepting no liability for other possible expenses customers may have to bear as a result of the breach.

The Register has contacted TalkTalk and made many enquiries regarding its security practices. We had not received any answer to our enquiries at the time of publication. ®


Other stories you might like

  • Verizon: Ransomware sees biggest jump in five years
    We're only here for DBIRs

    The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.

    Despite all that, Verizon's annual security breach report is again showing that there are constants in the field, including that ransomware continues to be a fast-growing threat and that the "human element" still plays a central role in most security breaches, whether it's through social engineering, bad decisions, or similar.

    According to the US carrier's 2022 Data Breach Investigations Report (DBIR) released this week [PDF], ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined.

    Continue reading
  • Slack-for-engineers Mattermost on open source and data sovereignty
    Control and access are becoming a hot button for orgs

    Interview "It's our data, it's our intellectual property. Being able to migrate it out those systems is near impossible... It was a real frustration for us."

    These were the words of communication and collaboration platform Mattermost's founder and CTO, Corey Hulen, speaking to The Register about open source, sovereignty and audio bridges.

    "Some of the history of Mattermost is exactly that problem," says Hulen of the issue of closed source software. "We were using proprietary tools – we were not a collaboration platform before, we were a games company before – [and] we were extremely frustrated because we couldn't get our intellectual property out of those systems..."

    Continue reading
  • UK government having hard time complying with its own IR35 tax rules
    This shouldn't come as much of a surprise if you've been reading the headlines at all

    Government departments are guilty of high levels of non-compliance with the UK's off-payroll tax regime, according to a report by MPs.

    Difficulties meeting the IR35 rules, which apply to many IT contractors, in central government reflect poor implementation by Her Majesty's Revenue & Customs (HMRC) and other government bodies, the Public Accounts Committee (PAC) said.

    "Central government is spending hundreds of millions of pounds to cover tax owed for individuals wrongly assessed as self-employed. Government departments and agencies owed, or expected to owe, HMRC £263 million in 2020–21 due to incorrect administration of the rules," the report said.

    Continue reading
  • Internet went offline in Pakistan as protestors marched for ousted prime minister
    Two hour outage 'consistent with an intentional disruption to service' said NetBlocks

    Internet interruption-watcher NetBlocks has reported internet outages across Pakistan on Wednesday, perhaps timed to coincide with large public protests over the ousting of Prime Minister Imran Khan.

    The watchdog organisation asserted that outages started after 5:00PM and lasted for about two hours. NetBlocks referred to them as “consistent with an intentional disruption to service.”

    Continue reading
  • Suspected phishing email crime boss cuffed in Nigeria
    Interpol, cops swoop with intel from cybersecurity bods

    Interpol and cops in Africa have arrested a Nigerian man suspected of running a multi-continent cybercrime ring that specialized in phishing emails targeting businesses.

    His alleged operation was responsible for so-called business email compromise (BEC), a mix of fraud and social engineering in which staff at targeted companies are hoodwinked into, for example, wiring funds to scammers or sending out sensitive information. This can be done by sending messages that impersonate executives or suppliers, with instructions on where to send payments or data, sometimes by breaking into an employee's work email account to do so.

    The 37-year-old's detention is part of a year-long, counter-BEC initiative code-named Operation Delilah that involved international law enforcement, and started with intelligence from cybersecurity companies Group-IB, Palo Alto Networks Unit 42, and Trend Micro.

    Continue reading

Biting the hand that feeds IT © 1998–2022