Here's how TalkTalk ducked and dived over THAT gigantic hack

Spin still strong, two weeks on


Timeline: It has been almost two weeks since the "cyber attack" on the TalkTalk website on 21 October, but the company has yet to tell its customers how their data was compromised.

TalkTalk's CEO Dido Harding has yet to offer anything more than a token apology regarding the company's security practices, which allowed more than a million customers' sensitive personal information to be compromised, while explicitly refusing to accept liability towards fraud victims targeted using the information the company had lost.

Here is a review of TalkTalk's incident management, updated with new information revealing how little responsibility TalkTalk has taken for the data breach since 27 October.


We first reported on an outage at TalkTalk.co.uk on the afternoon of Wednesday 21 October. We published the company's first statement on the matter, which made no suggestion that customers' data had been compromised, but instead attributed the outage to unspecified technical problems.

21/10/2015: The TalkTalk website is unavailable right now. Sorry we are currently facing technical issues, our engineers are working hard to fix it. We apologise for any inconvenience this may cause.

TalkTalk later said the site had been taken down by the company itself. This did not contradict the claim that the company was facing technical problems; however, it came during a period in which, TalkTalk later stated, it was not only reacting to a cyberattack but also informing stakeholders, from customers to the police, of the incident.

21/10/2015: We have taken down TalkTalk.co.uk temporarily, and normal service will be resumed as soon as possible.

In fact, no mention of a cyberattack would be forthcoming for the next 24 hours. It wasn't until the evening of Thursday 22 October that TalkTalk released a statement claiming that it had been attacked, and warning its customers that their data may have been compromised. This came more than 24 hours after TalkTalk said it had reacted to the initial attack specifically to protect its customers' data.

22/10/2015: As soon as we realised the website was under attack, we pulled the site down in an effort to protect data.

Details regarding the attack were not provided at this time and remained undisclosed by the company, which would take another week before identifying what data had been compromised.

In an initial list of potentially compromised Personally Identifiable Information (PII) provided to customers, TalkTalk seems to have simply listed all of the information it held on its customers.

23/10/2015: A criminal investigation was launched by the Metropolitan Police Cyber Crime Unit following a significant and sustained cyberattack on our website yesterday ... there is a chance that some of the following data has been compromised: names, addresses, date of birth, phone numbers, email addresses, TalkTalk account information, credit card details and/or bank details.

TalkTalk's statements became increasingly incoherent. Speaking to The Register, it attributed the loss of customers' data to a Distributed Denial of Service (DDoS) attack. A DDoS is only capable of increasing the load on a network resource – and thus taking a website offline. A DDoS is not capable of retrieving information from that resource. However, as you might recall, TalkTalk had already claimed that the company itself had taken TalkTalk.co.uk offline.

Talking to The Register, infosec firm Trend Micro's Rik Ferguson stated that it was "entirely possible" that there were two attacks, which "went hand in hand, that a DDoS was used to light a metaphorical fire in the front yard while the thieves snuck around the back. It wouldn't be the first time."

A smokescreen DDoS was alleged to be the tactic of choice for hackers who stole the personal details of 2.4 million Carphone Warehouse customers in August. TalkTalk, however, suggested it had only been targeted by a single attack which affected its website and not its "core systems".

TalkTalk is still to provide any information about where it was storing its customers' information. Traditionally, distinguishing between a service provider's "core systems" and "website" may be made in terms of where customer data was actually stored, with a website being merely a protected front-end for its actual business operations.

As can be seen in the URL of TalkTalk's statement (http://help2.talktalk.co.uk/oct22incident) the incident is attributed to 22 October – which is a day later than it actually occurred. TalkTalk has subsequently claimed there were no delays between it realising it was under attack, it pulling down its site, and it then informing customers that their data may have been compromised. In truth, there were several days in between these events, and TalkTalk has still to confirm what data may have been compromised.

On Friday 23 October, Dido Harding was interviewed by the BBC and again avoided offering specific information about the attack itself. Instead the CEO claimed to have received a ransom notice via email, further explanation of which was denied as it involved "a live criminal investigation".

Harding's response to questions about its security practices at this juncture was to both have her cake and eat it:

23/10/2015: Over the course of the last year, we as a company invested significantly [in security, but] ... it would be wrong of me to give you [complete and unequivocal assurance] today, when the amount of data that these criminals have had access to is very large.

The validity of the ransom demand was not addressed in that interview, but notably contributed to an attention-deflecting public relations coup as commentators rushed to suggest attributions and spot TalkTalk data for sale on the web.

Again communicating with The Register on Friday, the telco claimed it believed its "systems were as secure as they could be," despite admitting that not all of the data it held on its customers was encrypted.
