TalkTalk had ‘no legal obligation’ to encrypt customers’ sensitive data

Potentially as many as 4 million customers were affected by the cyberattack on UK telecoms provider TalkTalk, yet the company’s CEO Dido Harding admitted that TalkTalk was “not legally required” to encrypt customer data. Harding told the Sunday Times “[Our data] wasn’t encrypted, nor are you legally required to encrypt it. We have complied with all of our legal obligations in terms of storing of financial information.”

While that may be true, such a statement provides little comfort to TalkTalk customers who are targets of high-level social engineering attacks meant to empty their bank accounts.

After news of the cyberattack broke last week, TalkTalk’s official statement warned customers that attackers may have their names, addresses, birth dates, email addresses, phone number, account information, banking details and/or credit and debit cards on file.

“Any credit or debit card details that may have been accessed had a series of numbers hidden, e.g. 0123 45xx xxxx 6789,” the company said. “This means they can’t be used for financial transactions. TalkTalk My Account passwords have not been accessed.”

Then, on Friday, TalkTalk said it received a ransom demand for £80,000 in bitcoins, currently equal to about 430 bitcoins and roughly $122,875. An anonymous source told Brian Krebs that “the hacker group who demanded the £80,000 ransom provided TalkTalk with copies of the tables from its user database as evidence of the breach. The database in question, the source said, appears related to at least 400,000 people who have recently undergone credit checks for new service with the company.”

Regarding the theft of up to 4 million customers’ personal info, Krebs reported that promises to post the stolen data appeared on the Deep Web black marketplace AlphaBay. AlphaBay seller “Courvoisier,” a “Level 6 Fraud and Drugs seller,” said the TalkTalk data would be supplied in the format of:

• Name
• DOB
• Address
• TenancyType
• YearsAtAddress
• MonthsAtAddress
• HomeTelephone
• MobileTelephone
• Email
• Employer
• EmploymentTitle
• EmploymentLocation
• EmployersPhone
• Bank
• AccountNumber
• SortCode

Although Scotland Yard detective Adrian Culley told the BBC that “a Russian Islamist group had posted online to claim responsibility for the attacks,” that claim had not been verified. Krebs on Security reported that “multiple hacker collectives” have claimed responsibility for hacking TalkTalk. It has been reported that “specialists from BAE Systems have been called in by TalkTalk to track down the hackers.”

TalkTalk first mentioned a “sustained” DDoS attack, which didn’t explain the stolen customer data, before the company admitted there had also been a SQL injection attack. The cyberattack “was on our website not our core systems,” TalkTalk said. But using a DDoS as a smokescreen to keep targets so busy they don’t notice the “real” hack happening is nothing out of the ordinary, according to Wim Remes, Strategic Services Manager EMEA for Rapid7.

Remes said:

As the TalkTalk breach story continues to unfold, I think there are a few key points that are worth discussing. What TalkTalk (and some news outlets) calls a “sequential attack” is actually a SQL injection attack (or SQLi as we colloquially call it). This is an attack vector that has been known for more than a decade and it is still found in web applications around the globe. While it is possible for the error that enables such an attack to slip through a well-established application security program, they are fairly easy to prevent with the proper safeguards in place. Through SQL injection an attacker can request arbitrary data from the database behind the application. It would be prudent to assume that all data kept within the database is now compromised. TalkTalk also mentions seeing a DDoS attack prior to the actual breach. The tactic of inundating an application with traffic to hide the real attack going on at the same time is very common nowadays. By distracting the target, the attacker buys more time to focus on the assets they are really after. Organizations can address this by implementing multi-layer monitoring systems.

Lastly, once again we see a public company being attacked and customer data getting compromised. If information security is not on the agenda of your executive team and board, it really should be. Only by understanding how information risk influences operational risk can organizations get a full view of their risk landscape and make the right investments to prevent.

Add to this mix a report from The Guardian that “Paul Moore, an information security consultant, wrote in a blogpost published last September that he had contacted Harding’s office about vulnerabilities on TalkTalk’s website but said the company’s response was ‘aggressive, defensive and dismissive’.”

Asking if TalkTalk’s data was encrypted is “silly,” according to a post by Alan Solomon on Graham Cluley’s site. Encryption would be irrelevant because, “in a scenario of ‘authorized user accessing the data.’ the encrypted data will be decrypted and supplied, because the authorized user gave the correct decryption key.”

Yet Mateo Meier, CEO of Artmotion, said, “Given that 2015 was the year in which British politicians went ‘on the offensive’ against high-level encryption technologies, events like this just go to highlight how foolish it would be to subvert encryption technology in the age of the cyber attack.” His company’s latest research revealed that “45% of IT decision makers rank cyber-attacks as their biggest concern in 2015 – closely followed by government surveillance. At the same time, 76% claim that they are not happy with the current levels of encryption, with nearly 1 in 5 willing to support a stronger encryption regardless of the supposed impact on national security.”

The attack on TalkTalk “is a clear example of how a lack of encryption can fundamentally destabilize a large organization,” added Meier. “At the end of the day, privacy is a right. Consumers want it, and businesses should want to supply it. By failing to support the necessary encryption technologies, both businesses and politicians will be doomed to repeat the failures of today.”