Shrugging the slopey shoulders
However, Harding's attempts to shrug off inquiries into her contradictory comments about TalkTalk customers' stolen data – that it wasn't encrypted (25/10/2015) and that no unencrypted information had been stolen (27/10/2015) – were directly spurned by digital minister Ed Vaizey on 27 October, in response to an urgent Parliamentary question on data breaches and consumer protection in the wake of the TalkTalk breach.
"It has to be said that companies should encrypt their information," Vaizey told Parliament, despite Harding having stated that TalkTalk's obligations towards its customers' data did not include such protection.
It was on 30 October that the company finally identified what information had been accessed and confessed to losing more than a million customers' email addresses, names and phone numbers – leaving those customers highly exposed to fraudsters – while playing down the number by describing it as "less than 1.2 million".
In addition, the company acknowledged it had lost:
- Less than 21,000 unique bank account numbers and sort codes
- Less than 28,000 obscured credit card and debit card details
- Less than 15,000 customer dates of birth
The variations in size between these sets of PII suggest that it was not a single, uniform resource holding customers' data which was plundered. Harding threw another spanner in the works on 26 October by claiming the company had been hit by a "sequential attack".
Wim Remes, manager EMEA strategic services at Rapid7, the firm behind the Metasploit penetration testing tool, explained to The Register that "what TalkTalk (and some news outlets) calls a 'sequential attack' is actually a SQL injection attack (or SQLi as we colloquially call it). This is an attack vector that has been known for more than a decade and it is still found in web applications around the globe. While it is possible for the error that enables such an attack to slip through a well-established application security program, they are fairly easy to prevent with the proper safeguards in place."
While the confusion between a "sequential attack" and a SQL injection attack is an easy enough mistake to make for a firm outside the technology sector, telco customers are entitled to expect more from their providers.
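To make the safeguard Remes refers to concrete, here is an added example (not from the article, TalkTalk or Rapid7) contrasting a customer lookup that splices input into the statement text with one that binds it as a parameter; the table and its rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a customer-facing lookup table;
# none of these values come from TalkTalk or the article.
SAMPLE_CUSTOMERS = [
    ("alice@example.invalid", "Alice", "1970-01-01"),
    ("bob@example.invalid", "Bob", "1985-06-15"),
    ("carol@example.invalid", "Carol", "1992-11-30"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (email TEXT, name TEXT, dob TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_unsafe(conn, email):
    """The defect behind an SQL injection: user input is spliced into the
    statement text, so the database parses the input as SQL."""
    sql = "SELECT name, dob FROM customer WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """The safeguard: a parameterised statement. The input travels as a bound
    value, never as statement text, so it can only ever be compared to emails."""
    sql = "SELECT name, dob FROM customer WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both lookups on a legitimate email and on input containing a quote,
    and return the row counts so the difference can be checked."""
    conn = build_db()
    legit = "bob@example.invalid"
    # Input with an embedded quote: the standard check for whether the
    # application treats data as code. It matches no real email address.
    probe = "x' OR 'a'='a"
    return {
        "unsafe_legit": len(lookup_unsafe(conn, legit)),
        "unsafe_probe": len(lookup_unsafe(conn, probe)),
        "safe_legit": len(lookup_safe(conn, legit)),
        "safe_probe": len(lookup_safe(conn, probe)),
    }


if __name__ == "__main__":
    print(demo())
```

The unsafe lookup returns every row for the quoted input because the database evaluated it as part of the WHERE clause; the parameterised lookup returns nothing, since no customer has that string as an email.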
This less-than-encouraging conception of security was not an issue for bare-necked Dido Harding, who suggested that such a view was a core value of TalkTalk's despite pressure mounting on her to resign.
30/10/15: [Sir Charles Dunstone] sent a note to the entire company thanking me for being open about what has happened and what we are doing about it. I feel very supported by the board.
Three suspects have now been arrested in connection with the TalkTalk "cyberattack". Two boys, a 15-year-old from County Antrim and a 16-year-old from London, and a 20-year-old man from Staffordshire have been taken in under unspecified Computer Misuse Act offences. It remains unclear whether these individuals were nabbed for DDoS attacks or data theft crimes.
02/11/15: We will be contacting affected customers individually to let them know what information has been accessed.
TalkTalk has yet to contact affected customers to let them know what specific information of theirs was breached. With approximately 1.7 per cent of the UK's population affected by the breach, it isn't surprising that the company has yet to offer a timeline for doing so – by its own admission, it hasn't even identified them all yet.
The company additionally avoids stating that its customers' data is now secure.
The Register has still received no response from TalkTalk despite asking numerous questions about its security practices, including whether it employed any specific security personnel, why it had provided contradictory information to The Register, how it would distinguish between its website and its "core systems", and why it had only partially redacted credit card numbers rather than actually encrypting them. ®
If you've been affected by the TalkTalk hack, please contact us: firstname.lastname@example.org.