Timeline It has been almost two weeks since the "cyber attack" on the TalkTalk website of 21 October, yet the company is yet to tell its customers how their data was compromised.
TalkTalk's CEO Dido Harding has yet to offer anything more than a token apology regarding the company's security practices, which allowed more than a million customers' sensitive personal information to be compromised, while explicitly refusing to accept liability towards fraud victims targeted using the information the company had lost.
Here is a review of TalkTalk's incident management, updated with new information revealing how little responsibility TalkTalk has taken for the data breach since 27 October.
We first reported on an outage at TalkTalk.co.uk on the afternoon of Wednesday 21 October. We published the company's first statement on the matter, which made no suggestion that customers' data had been compromised, but instead attributed the outage to unspecified technical problems.
21/10/2015: The TalkTalk website is unavailable right now. Sorry we are currently facing technical issues, our engineers are working hard to fix it. We apologise for any inconvenience this may cause.
TalkTalk later said the site had been taken down by the company itself. This did not contradict the claim that the company was facing technical problems; however, it comes at a period during which TalkTalk later stated it was not only reacting to a cyberattack but also informing stakeholders, from customers to the police, of the incident.
21/10/2015: We have taken down TalkTalk.co.uk temporarily, and normal service will be resumed as soon as possible.
In fact, no mention of a cyberattack would be forthcoming for the next 24 hours. It wasn't until the evening of Thursday 22 October that TalkTalk released a statement claiming that it had been attacked, and warning its customers that their data may have been compromised. This came more than 24 hours after TalkTalk said it had reacted to the initial attack specifically to protect its customers' data.
22/10/2015: As soon as we realised the website was under attack, we pulled the site down in an effort to protect data.
Details regarding the attack were not provided at this time and remained undisclosed by the company, who would take another week before identifying what data had been compromised.
In an initial list of potentially compromised Personally Identifiable Information (PII) provided to customers, TalkTalk seems to have simply listed all of the information it held on its customers.
23/10/2015: A criminal investigation was launched by the Metropolitan Police Cyber Crime Unit following a significant and sustained cyberattack on our website yesterday ... there is a chance that some of the following data has been compromised: names, addresses, date of birth, phone numbers, email addresses, TalkTalk account information, credit card details and/or bank details.
TalkTalk's statements became increasingly incoherent. Speaking to The Register, it attributed the loss of customers' data to a Distributed Denial of Service (DDoS) attack. A DDoS is only capable of increasing the load on a network resource – and thus taking a website offline. A DDoS is not capable of retrieving information from that resource. However, as you might recall, TalkTalk had already claimed that the company itself had taken TalkTalk.co.uk offline.
Talking to The Register, infosec firm Trend Micro's Rik Ferguson stated that it was "entirely possible" that there were two attacks, which "went hand in hand, that a DDoS was used to light a metaphorical fire in the front yard while the thieves snuck around the back. It wouldn't be the first time."
A smokescreen DDoS was alleged to be the tactic of choice for hackers who stole the personal details of 2.4 million Carphone Warehouse customers in August. TalkTalk, however, suggested it had only been targeted by a single attack which affected its website and not its "core systems".
TalkTalk is still to provide any information about where it was storing its customers' information. Traditionally, distinguishing between a service provider's "core systems" and "website" may be made in terms of where customer data was actually stored, with a website being merely a protected front-end for its actual business operations.
As can be seen in the URL of TalkTalk's statement (http://help2.talktalk.co.uk/oct22incident) the incident is attributed to 22 October – which is a day later than it actually occurred. TalkTalk has subsequently claimed there were no delays between it realising it was under attack, it pulling down its site, and it then informing customers that their data may have been compromised. In truth, there were several days in between these events, and TalkTalk has still to confirm what data may have been compromised.
On Friday 23 October, Dido Harding was interviewed by the BBC and again avoided offering specific information about the attack itself. Instead the CEO claimed to have received a ransom notice via email, further explanation of which was denied as it involved "a live criminal investigation".
Harding's response to questions about its security practices at this juncture was to both have her cake and eat it:
23/10/2015: Over the course of the last year, we as a company invested significantly [in security, but] ... it would be wrong of me to give you [complete and unequivocal assurance] today, when the amount of data that these criminals have had access to is very large.
The validity of the ransom demand was not addressed in that interview, but notably contributed to an attention-deflecting public relations coup as commentators rushed to suggest attributions and spot TalkTalk data for sale on the web.
How can TalkTalk CEO still "not know" if the data "accessed" by theives was encrypted or not? Beyond a farce. https://t.co/mfzuM1c17i— Rik Ferguson (@rik_ferguson) October 23, 2015
Again communicating with The Register on Friday, the telco claimed it believed its "systems were as secure as they could be," despite admitting that not all of the data it held on its customers was encrypted.