UK quad play operator TalkTalk trips up in response to being hit by ‘sustained’ cyber attack on 4m users
Following the news that TalkTalk suffered a “significant and sustained cyber-attack” last week, its CEO, Dido Harding, has led a continuous programme of customer information and damage limitation. Much of its response has been by the book, albeit belated, but the latest comments look extremely complacent.
TalkTalk confirmed last week that it suffered a “significant and sustained cyber attack” that began on Wednesday. As Jeremy Cowan writes, some details of the Distributed Denial of Service (DDoS) attack have emerged. The initial attack was not elaborate; the industry views SQL injection as ‘old hat’, with hackers entering instructions in a web form to access the database. Further information is being kept under wraps by TalkTalk and London’s Metropolitan Police Cyber Crime Unit as part of an ongoing criminal investigation.
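To make the “instructions in a web form” point concrete, here is an added example (not code from the article, from TalkTalk or from the investigation) showing the defect class and its fix. It assumes an in-memory SQLite table of constructed customer rows; the table, column names and e-mail addresses are illustrative. The vulnerable lookup splices the form field into the SQL text, so an unescaped quote character in the input changes the statement itself (here it simply breaks it, which is the symptom to look for in error logs); the parameterised lookup binds the value separately and treats any input as a literal string.

```python
"""Added example: a web-form field reaching a database query unsafely,
beside the parameterised version. Uses SQLite with constructed sample rows;
the schema and values are assumptions for illustration only."""
import sqlite3

# Constructed sample data; these are not real customer records.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "Alice", "2001-01-01"),
    ("bob@example.com", "Bob", "1990-05-05"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (email TEXT PRIMARY KEY, name TEXT, dob TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """String concatenation: the form field becomes part of the SQL text,
    so it can alter the statement's structure rather than just its value."""
    sql = "SELECT email, name, dob FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, email: str) -> list:
    """Placeholder binding: the value is sent separately from the statement,
    so whatever the user typed is compared as a literal string."""
    sql = "SELECT email, name, dob FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def query_structure_is_user_controlled(conn: sqlite3.Connection) -> bool:
    """Probe the vulnerable lookup with an ordinary address that contains an
    apostrophe. If the database reports a syntax error, the input has reached
    the SQL parser as code, which is the condition that enables injection."""
    try:
        lookup_vulnerable(conn, "o'brien@example.com")
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup treats input as SQL:", query_structure_is_user_controlled(db))
    print("parameterised lookup, same input:", lookup_parameterised(db, "o'brien@example.com"))
```

The same apostrophe that breaks the concatenated query is harmless to the parameterised one, which returns no rows because no such address exists. A database error page triggered by a quote character in a form field is the cheap, early signal a defender can test for during code review or a routine scan of web-tier error logs.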
The company is now reported to be working with BAE Systems’ Applied Intelligence division to conduct its own investigations and improve its security procedures. The fact that it is only doing so now, after this, the third DDoS attack on its network this year, speaks volumes.
In 2012 TalkTalk became the UK’s second biggest quadruple play service after Virgin Media, offering TV, broadband, phone, and mobile services. It has more than 4 million customers in the UK.
The network operator has now admitted that “unfortunately there is a chance that some of the following data may have been accessed,” including:
- Dates of birth
- Email addresses
- Telephone numbers
- TalkTalk account information
- Credit and debit card details and/or bank details
But, says its CEO, the hacked credit card information cannot be used without additional data.
Speaking in a video to customers on Sunday, October 25, TalkTalk CEO Dido Harding said, “Our website, our shopfront if you like, was attacked. But our core systems weren’t. We don’t store unencrypted credit card data on our site. Any credit card info that may have been stolen has the six middle digits blanked out and can’t be used for financial transactions.”
Free credit monitoring
She also confirmed that the company has set up a free credit monitoring service for its customers with Noddle (for details see link below).
Reports are now emerging that suggest some customers were approached by cyber criminals five days before the hack is said to have taken place (Wednesday, October 21st). Others have reported that their bank account has been emptied, something that was said not to be possible with the hacked data. These claims have yet to be substantiated, however, and still cannot be proven to come as a result of the latest hack.
Harding, whose response had been sure-footed until this point, is quoted as saying yesterday that TalkTalk “was under no legal obligation to encrypt customers’ sensitive data.”
While perfectly true in the legal sense, in our view the response was crass in showing a regrettable disregard for protecting its customers. Nor does it reflect well on TalkTalk’s care for its own reputation and the interests of its shareholders.
It is true that there is no specific requirement for service providers like TalkTalk to encrypt this data under the terms of the UK’s 1998 Data Protection Act legislation — in itself something that may now need to be reviewed — but perhaps it betrays the complacent culture within TalkTalk (and probably other operators) that existed before the security breach. It is not enough for operators to point to minimal legal requirements. Perhaps customers voting on this issue with their feet and deserting the operator will convince the TalkTalk CEO of this.
Jon French, security analyst at AppRiver, offers advice to customers who may have been affected. “The two major things customers need to do is keep an eye on their banking information to look for fraudulent transactions, as well as be vigilant with communications. By communications, I mean they should be suspicious of any unexpected emails or phone calls that may be asking them for additional information. If someone calling or emailing you already has information like your name, address, email address, or other account information, that doesn’t mean they can automatically be trusted. They may cite that data to get someone to trust them to hand over more information like a credit card or password.”
Benjamin Harris, managing security consultant at MWR InfoSecurity, adds, “If consumers are heavily concerned about the confidentiality of their debit or credit card, it is recommended that they contact their card issuer to provision replacement cards, thus invalidating the previous credit or debit card used.
“It appears that TalkTalk have been proactive in this instance, and have done the correct things by issuing a public statement and involving the relevant authorities, allowing the attack to be investigated and thus limit any further damage.”
“Incident response is a necessity for most organisations. In this case, it is important that organisations are both proactive and honest about any security breaches, and that they enlist the correct help from the outset. Identifying the attack mechanism is an important step in mitigating the risk, and pre-emptive actions (such as immediately destroying an infected machine) could lose vital evidence that would be useful in identifying the actual impact.
“Organisations should also regularly test their incident response plans. For example, logging and monitoring systems may not be regularly inspected. Realising that a log collation server has not been working for months and has not recorded information relating to a breach can be very frustrating, and these issues can be avoided with regular inspection.”
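The failure mode Harris describes, a log collation server that has silently stopped recording, is one a scheduled liveness check catches early. The following is an added example (not code from the article or from MWR InfoSecurity) of such a check: it parses a constructed sample of collated log lines, records the newest event per source, and reports every expected source that is either missing entirely or has gone quiet for longer than an agreed threshold. The line format, source names, timestamps and addresses are all constructed for illustration.

```python
"""Added example: a log-source liveness check that flags collectors or hosts
which have stopped sending events. Log lines, host names and timestamps are
constructed; the line format is an assumption for the example."""
from datetime import datetime, timedelta, timezone

# Constructed sample of collated log lines: "<ISO-8601 UTC timestamp> <source> <message>".
SAMPLE_LOG = """\
2015-10-21T08:59:10Z web01 accepted connection from 203.0.113.10
2015-10-21T09:00:02Z db01 query completed in 12ms
2015-10-21T09:15:44Z web01 accepted connection from 198.51.100.7
2015-10-19T17:03:21Z web02 rotating logs
"""

# Sources the collation server is expected to hear from (constructed list).
EXPECTED_SOURCES = ("web01", "web02", "db01", "fw01")


def last_seen_per_source(log_text: str) -> dict:
    """Return the newest event timestamp observed for each log source."""
    last = {}
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 2:
            continue  # malformed line; a production collector should count these too
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        src = parts[1]
        if src not in last or ts > last[src]:
            last[src] = ts
    return last


def stale_sources(log_text: str, now: datetime, max_age: timedelta) -> dict:
    """Return {source: reason} for every expected source that is absent from the
    collated log or whose newest event is older than max_age."""
    last = last_seen_per_source(log_text)
    problems = {}
    for src in EXPECTED_SOURCES:
        if src not in last:
            problems[src] = "no events received"
        elif now - last[src] > max_age:
            problems[src] = f"last event {now - last[src]} ago"
    return problems


if __name__ == "__main__":
    check_time = datetime(2015, 10, 21, 10, 0, 0, tzinfo=timezone.utc)
    for source, reason in stale_sources(SAMPLE_LOG, check_time, timedelta(hours=1)).items():
        print(f"ALERT {source}: {reason}")
```

Run against the sample at 10:00 UTC with a one-hour threshold, the check reports web02 (silent for nearly two days) and fw01 (never heard from at all), while web01 and db01 pass. The two reasons are worth keeping distinct: a source that has never appeared usually means a forwarding or configuration failure, whereas one that has gone quiet points at the host or the collector itself. Scheduling this check, and alerting on its output, is the “regular inspection” the quote calls for.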
Account creation frauds on the rise
Ryan Wilk, director, NuData Security says, “This breach potentially exposed records including incredibly personal data such as credit card numbers, name, address, date of birth and so on. Data thieves sell this information to aggregators, who cross-reference and compile full identities – called ‘fullz’ on the data black market. This increases the value and usefulness of the stolen data, which may have been gathered from multiple data breaches. With this level of information, fraudsters can create new bank accounts or take out loans under an actual person’s name, causing problems for fraud victims for years down the road.
“We’ve seen among our clients that account creation fraud attempts are on a sharp rise. Of the 500+ million account creations we analysed, more than 57% of them were flagged fraudulent and account creation fraud has risen over 100% since February of this year alone. That kind of long-term, big payout fraud can only happen with stolen customer PII (personal identifier information).
“This underscores why it’s vital to switch from traditional and insecure KBA-based authentication – easily stolen, hard to replace – to user behavioural analytics (UBA) and passive biometrics. Harness the power of behavioural attributes to authenticate users in ways that are less intrusive yet more secure. We learn how legitimate users act and get a front row seat to watch thieves try and fail to game the system with their stolen data. Becoming complacent in an age of massive data breaches is both a financial and reputational hazard.”
Andy Heather, VP EMEA, HP Security – Data Security says, “This breach highlights a need for companies to place tighter controls on how their customers’ sensitive information is protected. If data is left unprotected, it’s not a matter of ‘if’ it will be compromised – it’s a matter of ‘when’. Even the best security systems in the world cannot keep attackers away from sensitive data in all circumstances. When a company is storing sensitive information about their customers, the risk is to the data itself. Therefore, a company needs to assume that all other security measures may fail, and the data itself must be a primary focus for protection — via encryption. It is critical to note that this protection needs to include all potentially sensitive information and not just financial related data.
Many leading companies already employ format-preserving encryption to protect the data itself. The TalkTalk attackers would have ended up with unusable encrypted data instead of the current outcome where an untold amount of their customers’ personal information is now in the hands of cyber criminals, Heather adds.
What’s the data worth?
Stolen financial information, such as credit card or account details, has a limited lifespan, until the victim changes the account details and so on, but the personal information that can be obtained by accessing someone’s account profile has a much broader use, can be used to commit a much wider range of fraud and identity theft, and simply cannot be changed.
This personal data has a much greater value to the cyber criminal: for example, where the selling price for a single stolen credit card is around $1, if that card information is sold with a full identity profile that can dramatically increase to $500. If the cyber criminals know where the real value is, then surely we should all expect a responsible organisation to pay appropriate attention to keeping our personal information safe.
Encryption of data is essential to protect customer data not just when it is stored but throughout its entire life cycle, wherever it is and however it is used within an organisation. This, along with a robust security stance, is the only way to stop criminals profiting from stolen data.”
Some of the criticism levelled at TalkTalk by outsiders revolves around the fact that it has undergone previous attacks yet seems to have remained vulnerable to an old school style of DDoS attack.
For more information go to: http://help2.talktalk.co.uk/oct22incident
Comment on this article below or via Twitter: @jcvplus OR @VanillaPlusMag