Here's how TalkTalk ducked and dived over THAT gigantic hack

Spin still strong, two weeks on

Timeline It has been almost two weeks since the "cyber attack" on the TalkTalk website of 21 October, and the company has yet to tell its customers how their data was compromised.

TalkTalk's CEO Dido Harding has yet to offer anything more than a token apology regarding the company's security practices, which allowed more than a million customers' sensitive personal information to be compromised, while explicitly refusing to accept liability towards fraud victims targeted using the information the company had lost.

Here is a review of TalkTalk's incident management, updated with new information revealing how little responsibility TalkTalk has taken for the data breach since 27 October.

We first reported on the outage on the afternoon of Wednesday 21 October. We published the company's first statement on the matter, which made no suggestion that customers' data had been compromised, but instead attributed the outage to unspecified technical problems.

21/10/2015: The TalkTalk website is unavailable right now. Sorry we are currently facing technical issues, our engineers are working hard to fix it. We apologise for any inconvenience this may cause.

TalkTalk later said the site had been taken down by the company itself. This did not contradict the claim that the company was facing technical problems; however, it came during a period in which, TalkTalk later stated, it was not only reacting to a cyberattack but also informing stakeholders, from customers to the police, about the incident.

21/10/2015: We have taken down temporarily, and normal service will be resumed as soon as possible.

In fact, no mention of a cyberattack would be forthcoming for the next 24 hours. It wasn't until the evening of Thursday 22 October that TalkTalk released a statement claiming that it had been attacked, and warning its customers that their data may have been compromised. This came more than 24 hours after TalkTalk said it had reacted to the initial attack specifically to protect its customers' data.

22/10/2015: As soon as we realised the website was under attack, we pulled the site down in an effort to protect data.

Details regarding the attack were not provided at this time and remained undisclosed by the company, which would take another week before identifying what data had been compromised.

In an initial list of potentially compromised Personally Identifiable Information (PII) provided to customers, TalkTalk seems to have simply listed all of the information it held on its customers.

23/10/2015: A criminal investigation was launched by the Metropolitan Police Cyber Crime Unit following a significant and sustained cyberattack on our website yesterday ... there is a chance that some of the following data has been compromised: names, addresses, date of birth, phone numbers, email addresses, TalkTalk account information, credit card details and/or bank details.

TalkTalk's statements became increasingly incoherent. Speaking to The Register, it attributed the loss of customers' data to a Distributed Denial of Service (DDoS) attack. A DDoS is only capable of increasing the load on a network resource – and thus taking a website offline. A DDoS is not capable of retrieving information from that resource. However, as you might recall, TalkTalk had already claimed that the company itself had taken the site offline.

Talking to The Register, infosec firm Trend Micro's Rik Ferguson stated that it was "entirely possible" that there were two attacks, which "went hand in hand, that a DDoS was used to light a metaphorical fire in the front yard while the thieves snuck around the back. It wouldn't be the first time."

A smokescreen DDoS was alleged to be the tactic of choice for hackers who stole the personal details of 2.4 million Carphone Warehouse customers in August. TalkTalk, however, suggested it had only been targeted by a single attack which affected its website and not its "core systems".

TalkTalk has still to provide any information about where it was storing its customers' information. Traditionally, the distinction between a service provider's "core systems" and its "website" is drawn in terms of where customer data is actually stored, with the website being merely a protected front-end for the company's actual business operations.

As can be seen in the URL of TalkTalk's statement, the incident is attributed to 22 October – a day later than it actually occurred. TalkTalk has subsequently claimed there were no delays between it realising it was under attack, pulling down its site, and then informing customers that their data may have been compromised. In truth, there were several days between these events, and TalkTalk has still to confirm what data may have been compromised.

On Friday 23 October, Dido Harding was interviewed by the BBC and again avoided offering specific information about the attack itself. Instead the CEO claimed to have received a ransom notice via email, declining to explain further because it involved "a live criminal investigation".

Harding's response to questions about the company's security practices at this juncture was to both have her cake and eat it:

23/10/2015: Over the course of the last year, we as a company invested significantly [in security, but] ... it would be wrong of me to give you [complete and unequivocal assurance] today, when the amount of data that these criminals have had access to is very large.

The validity of the ransom demand was not addressed in that interview, but notably contributed to an attention-deflecting public relations coup as commentators rushed to suggest attributions and spot TalkTalk data for sale on the web.

Again communicating with The Register on Friday, the telco claimed it believed its "systems were as secure as they could be," despite admitting that not all of the data it held on its customers was encrypted.
