TalkTalk announced that it has been the target of a data breach—its third such attack this year. Details are sketchy because the investigation has only just begun, but in a worst-case scenario it’s possible the attackers accessed the entire customer database, compromising sensitive data on up to 4 million customers. TalkTalk also revealed that somebody claiming to be responsible for the hack has contacted the company with a ransom demand.
A website has been set up by TalkTalk to share the few details that are available so far. It opens with, “We are very sorry to tell you that yesterday a criminal investigation was launched by the Metropolitan Police Cyber Crime Unit following a significant and sustained cyber-attack on our website on Wednesday 21st October.”
TalkTalk says the data that may be compromised includes customer names, addresses, dates of birth, email addresses, telephone numbers, TalkTalk account information, and even credit card and bank details. The broadband provider is working with authorities and cybercrime experts to investigate the breach, and reaching out to customers to inform them their personal data may be compromised. It is also offering the standard, all-but-obligatory free year of credit monitoring for all affected customers.
A report from Reuters states that TalkTalk has also received a ransom demand. It doesn’t specify the demands, but I assume the payment would be in exchange for not publishing the data publicly on the Web or possibly for not selling it on the cyber black market. TalkTalk CEO Dido Harding is quoted by Reuters saying, “It is hard for me to give you very much detail, but yes, we have been contacted by, I don't know whether it is an individual or a group, purporting to be the hacker.”
“Data thieves sell this information to aggregators, who cross-reference and compile full identities—called ‘fullz’ on the data black market,” explains Ryan Wilk, director with NuData Security. “This increases the value and usefulness of the stolen data, which may have been gathered from multiple data breaches.”
Wilk says that criminals armed with this kind of personal data are a serious threat. Fraudsters can create new bank accounts or take out loans under an actual person’s name, causing problems for fraud victims for years down the road.
Andy Heather, VP of EMEA for HP Security, warns, “The theft of financial information, credit card or account information, has a limited lifespan, until the victim changes the account details etc., but the personal information that can be obtained by accessing someone’s account profile has a much broader use and can be used to commit a much wider range of fraud and identity theft, and simply cannot be changed.”
The breach is unfortunate, and it’s easy to view TalkTalk as the ill-fated victim. TalkTalk is undeniably the victim of a cyber-attack of some sort, but, as with most companies whose data is compromised by attackers, there is most likely more that should have been done to protect the data and prevent the breach.
“Clearly there are questions in the case of this breach, as to what mechanisms were put in place to protect the data hackers came after; perhaps too much focus was put on perimeter security and detection of threats, rather than focusing on better protecting what assets attackers would be coming after in the first place,” suggests Richard Cassidy, technical director of EMEA for Alert Logic.
HP’s Heather agrees that too many companies still focus on protecting a “network perimeter” that—for all intents and purposes—doesn’t really exist anymore. “If data is left unprotected, it’s not a matter of ‘if’ it will be compromised, it’s a matter of ‘when’. Even the best security systems in the world cannot keep attackers away from sensitive data in all circumstances. When a company is storing sensitive information about their customers, the risk is to the data itself.”
Cassidy added, “Fundamentally it is safer to assume that we will be a target of an attack (and in many cases an advanced threat) and look at the problem from the inside out.”
That seems to be the takeaway in data breach after data breach. If the data itself were better protected, it would matter far less whether attackers could infiltrate the network or compromise the servers it’s stored on: a stolen database would yield ciphertext rather than customers’ bank details. Instead of relying on blocking attackers or preventing compromise, companies need to start from the assumption that those things have already happened and focus on protecting the data and detecting suspicious activity on the network.
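The “protect the data itself” point is easiest to see in code. The following is an added example, not TalkTalk’s system and not code from any of the experts quoted above: field-level encryption of a customer row with AES-256-GCM in Go. The key is assumed to be held outside the database (a KMS, HSM or secrets manager), and each ciphertext is bound to its customer ID and column name through the authenticated associated data, so a value cannot be moved to another customer’s row or into another column without failing to decrypt. The column names, customer ID and sample values are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// newAEAD builds AES-GCM from a 32-byte key (AES-256). The key is assumed to come
// from a KMS/HSM or secrets manager; it is never stored next to the data it protects.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad ties a ciphertext to its row and column: a value copied from another
// customer's row, or from another column, fails authentication instead of opening.
func aad(customerID, field string) []byte { return []byte(customerID + "|" + field) }

// SealField encrypts one column value. A fresh random nonce is prepended and the
// result is base64-encoded so it fits an ordinary text column.
func SealField(key []byte, customerID, field, plaintext string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nonce, nonce, []byte(plaintext), aad(customerID, field))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// OpenField reverses SealField. A wrong key, modified bytes, or a value moved to
// another row or column all surface as a single authentication failure.
func OpenField(key []byte, customerID, field, sealed string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	ct, err := base64.StdEncoding.DecodeString(sealed)
	if err != nil || len(ct) < aead.NonceSize() {
		return "", errors.New("malformed ciphertext")
	}
	nonce, body := ct[:aead.NonceSize()], ct[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, body, aad(customerID, field))
	if err != nil {
		return "", errors.New("authentication failed: wrong key, tampered data, or value moved between rows")
	}
	return string(pt), nil
}

// SealRow encrypts every PII column; only the row key stays in the clear.
// The returned map is what would actually be written to the database.
func SealRow(key []byte, customerID string, fields map[string]string) (map[string]string, error) {
	row := map[string]string{"customer_id": customerID}
	for field, value := range fields {
		sealed, err := SealField(key, customerID, field, value)
		if err != nil {
			return nil, err
		}
		row[field] = sealed
	}
	return row, nil
}

// OpenRow decrypts a stored row back into plaintext columns.
func OpenRow(key []byte, row map[string]string) (map[string]string, error) {
	out := map[string]string{}
	for field, sealed := range row {
		if field == "customer_id" {
			continue
		}
		pt, err := OpenField(key, row["customer_id"], field, sealed)
		if err != nil {
			return nil, err
		}
		out[field] = pt
	}
	return out, nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; in production it is fetched from a KMS
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	pii := map[string]string{"name": "A. Customer", "email": "a.customer@example.com", "bank_account": "12-34-56 12345678"}
	row, _ := SealRow(key, "C-1001", pii)
	back, err := OpenRow(key, row)
	fmt.Printf("stored name column: %s\nround trip: %v, err: %v\n", row["name"], back["name"] == pii["name"], err)
}
```

What this buys, and what it does not: an attacker who reaches the database through SQL injection, a stolen backup or a compromised database host gets row keys and ciphertext rather than names, addresses and bank details, which is the scenario this article’s experts describe. It does not help against an attacker who compromises the application server while the key is in memory, and the row key still reveals how many customers exist, which is why the detection half of the takeaway still matters.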