
TalkTalk cyber-attack: Website hit by 'significant' breach - sjclemmy
http://www.bbc.co.uk/news/uk-34611857
======
scoot
First, the level of technical incompetence is staggering:

* Two significant breaches in 7 months
* Bank/CC and personal details stored unencrypted
* Passwords stored in cleartext
* "We have taken all necessary measures to secure the website." That's what they said last time.

Second, the response is laughable:

* Two days since the breach was discovered, and customers still haven't been notified.
* No mention of the breach on the talktalk.co.uk home page.
* The site in question [1] says it is offline due to an attack, but doesn't link to the relevant help page [2]

[1] [https://myaccount.talktalk.co.uk/](https://myaccount.talktalk.co.uk/)
[2] [http://help2.talktalk.co.uk/oct22incident](http://help2.talktalk.co.uk/oct22incident)

~~~
robmcm
The number of sites that have flaws like you mentioned (encrypted data and
clear text passwords) is worrying.

Is there not an independent third party that can audit sites for this kind of
incompetence and rank or award compliant sites so consumers can factor this in
when choosing services?

~~~
Benichmt1
There's this site which acts as a 'wall of shame' for blatant violations of
storing passwords in plaintext -
[http://plaintextoffenders.com/](http://plaintextoffenders.com/)

Not sure if it's actually effective at getting things done but certainly is a
nice reminder for the consumer to be careful.

------
ctz
Paul Moore's findings from one year ago:
[https://paul.reviews/value-security-avoid-talktalk/](https://paul.reviews/value-security-avoid-talktalk/)

------
dtf
Someone on the radio just said it was an SQL injection. Can it get any more
comical?

Meanwhile TalkTalk & Met Police PR machines are in full flow talking up exotic
claims of cyberjihadism to deflect responsibility.

------
oneeyedpigeon
They have now, apparently, received a ransom demand:
[https://news.ycombinator.com/item?id=10438175](https://news.ycombinator.com/item?id=10438175)

~~~
merah
I added a link in that thread, but I'll post it here also as this is currently
front-page and may be of use to readers:

Pastebin message reported to be from the hackers [1] contains Islamic State
references/language and some samples of the data breach.

[1] [http://pastebin.com/HHT4BxJA](http://pastebin.com/HHT4BxJA)

------
stzup7
"TalkTalk's speedy decision to warn all of its customers that their vital data
is at risk suggests that this one is very serious indeed."

Not all its customers obviously. I left Talktalk a month ago as a customer but
I could still login to my account online to download and settle my final
bills. I'm pretty sure they still store my bank account and credit card info
on their end and they didn't warn me about the attack...

~~~
PuffinBlue
Some current customers I know also haven't been told. Emailing millions of
people at once takes some amount of planning/notification/staggering or I'm
told you can fall foul of anti-spam measures.

LastPass faced similar notification delay issues when they recently suffered a
breach.

~~~
tonylemesmer
Companies as large as TalkTalk should have a process in place for contacting
their customers in exactly these kinds of situations. They shouldn't be waiting
until an event occurs and then going, "oh right, er, how do we tell everyone?"

~~~
test1235
... but you know, that's expensive. Shareholders don't care about money being
wasted on security and precautions. After all, you only really need to wear
seatbelts if you crash.

Also, as a customer on my parents' behalf, I've not received any communications
either.

------
bauc
Do CEOs/directors of companies get hit by these data breaches? Do we need to
start insisting their personal/banking data is stored the same as customers' so
they get impacted? Too many companies just don't take security seriously
enough.

~~~
test1235
"I'm a customer myself of Talk Talk, I've been a victim of this attack."

- TalkTalk chief executive Dido Harding

------
tonylemesmer
I was briefly a customer about 4 years ago - I wonder if my details are in the
cache.
