First, the level of technical incompetence is staggering:
* Two significant breaches in 7 months
* Bank/CC and personal details stored unencrypted
* Passwords stored in cleartext
* "We have taken all necessary measures to secure the website." That's what they said last time.
Second, the response is laughable:
* Two days since the breach was discovered, and customers still haven't been notified.
* No mention of the breach on the talktalk.co.uk home page.
* The site in question [1] says it is offline due to an attack, but doesn't link to the relevant help page [2]
The number of sites that have flaws like you mentioned (encrypted data and clear text passwords) is worrying.
Is there not an independent third party that can audit sites for this kind of incompetence and rank or award compliant sites so consumers can factor this in when choosing services?
Yes, PCI QSAs. All they can do, and all the ICO can do, is fine you. A typical fine might be £10k-£100k. For these large businesses, they see it as being more cost effective to be cavalier about security and pay off the authorities. See amazon's credit card handling, for instance.
>> We have taken all necessary measures to secure the website
It is probably wrong to read too much into the wording. But it is jarring when a company of this size presents their website as if it is external to the rest of their operations.
Yes, it sounds hilarious to me, but I think it says more about the technical knowledge of the population they are trying to communicate with than TalkTalk's own technical knowledge.
"TalkTalk's speedy decision to warn all of its customers that their vital data is at risk suggests that this one is very serious indeed."
Not all its customers obviously.
I left Talktalk a month ago as a customer but I could still login to my account online to download and settle my final bills. I'm pretty sure they still store my bank account and credit card info on their end and they didn't warn me about the attack...
Some current customers I know also haven't been told. Emailing millions of people at once takes some amount of planning/notification/staggering or I'm told you can fall foul of anti-spam measures.
LastPass faced similar notification delay issues when they recently suffered a breach.
Companies as large as TalkTalk should have a process in place for contacting their customers in exactly these kinds of situations. They shouldn't be waiting until an event occurs and then going, "oh right, er, how do we tell everyone?"
... but you know, that's expensive. Shareholders don't care about money being wasted on security and precautions. After all, you only really need to wear seatbelts if you crash.
Also, as a customer on my parents' behalf, I've not received any communications either.
Do CEOs/directors of companies get hit by these data breaches? Do we need to start insisting their personal/banking data is stored the same as customers' so they get impacted? Too many companies just don't take security seriously enough.
[1] https://myaccount.talktalk.co.uk/
[2] http://help2.talktalk.co.uk/oct22incident