Feeds

TalkTalk subsidiary's customer data placed on the web in IIS whoopsie

Called TalkTalk, not ListenListen

Intelligent flash storage arrays

Updated Greystone Telecom, adopted child of TalkTalk and provider of telecommunications to the business community, is unwittingly sharing customer and contract details with the world: but TalkTalk doesn't care.

The details include customer and contract prices, copies of sales orders and spreadsheets showing how things are going at the subsidiary which TalkTalk acquired last November.

The mistake is a classic: Microsoft's IIS - the server that comes with Windows - is configured by default for anonymous access, and happily allows itself to be indexed (and cached) by the ever-helpful Google crawlers. In this case, the documents now readily to be found on teh interwebs (and flagged up to us by an alert Reg reader) include all kinds of handy information regarding Greystone customers and what deals they've struck with the TalkTalk tentacle.

The offending Windows box isn't on TalkTalk's own network - it's hosted on the Demon Internet subnet.

"It's not one of our servers, so it's not our problem," a TalkTalk rep told us. "Our firewalls are all secure."

So as long as the company's sensitive data isn't being hosted by TalkTalk then the company has no problem with it being shared around the internet?

Given the propensity of Demon customers to hold static IPs, it seems as if this server is perhaps a contractor's home machine, a conclusion supported by the other documents knocking around the server, which include installation manuals for MS Lync and a file of "hold music" for Manchester-based Titan Telecom.

Open FTP servers are nothing new, but Google's omniscience makes them far more vulnerable. Where hackers would previously have had to scour random IP addresses in the hope of striking lucky, now they can just get Google to do their heavy lifting for them (though a glance at the traffic on the far side of any firewall shows there are still plenty of old-school hackers out there).

What's remarkable is TalkTalk's cavalier attitude to its data. Companies normally protect their customer lists and pricing information, for commercial reasons if not simply good manners, but tracking down the individual running this server is obviously too much effort for TalkTalk (though see update below).

Which is why we're not going to give specific details of this particular server: but if you're contractor, and Demon customer, who has worked for a few telecoms companies and has a liking for IIS, then best check you've unticked the box for anonymous access, just to be sure.

Mind how you go. ®

Updated to Add

Since this piece was published TalkTalk has supplied the Register with this statement:

We take data protection very seriously and have launched an investigation. We have established that the data did not come from any of our servers or any of our contactors’ servers, and that our firewalls and security procedures are functioning properly.

We are working to identify the IP address from which this data was disseminated, and are in contact with the appropriate authorities.

Also Titan Telecom say that the hold music is not, in fact, theirs.

Providing a secure and efficient Helpdesk

More from The Register

next story
Brit telcos warn Scots that voting Yes could lead to HEFTY bills
BT and Co: Independence vote likely to mean 'increased costs'
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
Will BlackBerry make a comeback with its SQUARE smartphones?
Plus PC PIMs from company formerly known as RIM
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
EE buys 58 Phones 4u stores for £2.5m after picking over carcass
Operator says it will safeguard 359 jobs, plans lick of paint
Radio hams can encrypt, in emergencies, says Ofcom
Consultation promises new spectrum and hints at relaxed licence conditions
Google+ GOING, GOING ... ? Newbie Gmailers no longer forced into mandatory ID slurp
Mountain View distances itself from lame 'network thingy'
Vodafone to buy 140 Phones 4u stores from stricken retailer
887 jobs 'preserved' in the process, says administrator PwC
Bonking with Apple has POUNDED mobe operators' wallets
... into submission. Weve squeals, ditches payment plans
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.