For nearly a year we have had a tale we’ve told to friends and business associates. The tale involves TalkTalk and how one day we found the data breach, alerted them and sparked the controversy that we all know to this day as ‘The TalkTalk Breach of 2015’. It’s been a funny year; with one NDA or another, we’ve sometimes even doubted whether we did actually discover it… we are sure we did, but with so little cooperation from this goliath corporation it was hard to actually verify our claim.
Last year we wrote this article, which showcased the out-of-date infrastructure they hosted, a relic of the Tiscali era. We were able to detail more than one issue on the infrastructure and I urged them to decommission the old .net domain that it sat on – the year-old blog post explains it in great detail.
The following days were a spectacle as Dido Harding famously fluffed the reporting of the event. They lost quite a bit of credibility, the whole event was mismanaged and the share price dropped like an old hot air balloon taking on ballast – but it could have been worse:
Rob Cotton, chief executive of cyber security consultancy NCC, said: “TalkTalk should count themselves lucky this has happened now and not once GDPR is in play. If TalkTalk had been given the maximum fine, it would be looking at a bill of £73m.”
They didn’t thank us for pointing out the weaknesses and at one point we were even called into their Irlam offices for a grilling by their security team. To this day they have never thanked us and we are disgusted at how they have treated our small consultancy.
It’s taken a year but there seems to be a resolution to this event now. We sincerely thank the ICO for pushing for fairness in a world of corporate cloak and dagger. A record fine of £400,000 is more than a token fee – it shows me that someone does care. OK, for a giant like TalkTalk the fine is chump change (0.02% of total revenue), but given the ICO maximum fine is £500,000 it is ‘adequate’.
The Guardian’s report details:
Data was taken from an underlying customer database that was part of TalkTalk’s acquisition of Tiscali’s UK operations in 2009, the ICO said. It added that the data was accessed through an attack on three vulnerable webpages in the “inherited infrastructure” (The .NET Stuff).
TalkTalk was said to have failed to properly scan this infrastructure for possible threats and was unaware the vulnerable pages existed or that they enabled access to a database that held customer information.
It is nice to have this kind of resolution; we can put this event behind us now and move on to bigger and better clients. It has shown us a lot about how the big corporates work and, in hindsight, we have gained the kind of experience that money could never buy. Never again will we disclose a vulnerability to lower-level IT staff. Never will we trust them to do the ethical thing, and never will we make the same mistakes we made in 2015.
The most interesting thing we are left with is the ICO’s investigation timeline (found here), overlaid with our own disclosures.
- 9/10/2015 – Our article is published, following confidential disclosure. TalkTalk decides to ignore our advice.
- 15-21/10/2015 – SQLi Hack aka ‘Sequential Cyber Attack’.
- 21/10/2015 – We email a TalkTalk senior tech, who was on annual leave. (Screenshot Here and below)
- 21/10/2015 – TalkTalk website down.
- 23/10/2015 – Attack hits the headlines.
- 26/10/2015 – House of Commons steps in.
Moving on from the hype, we want to urge companies to perform some routine security maintenance.
- When you acquire a new company, don’t just transfer the domain over and sit back. You are now responsible for that company’s infrastructure. Decommission it or integrate it properly into your security testing schedule.
- Perform regular vulnerability scans and actively look for threats: scan for malware and hunt for misconfigurations.