Feeds

TalkTalk subsidiary's customer data placed on the web in IIS whoopsie

Called TalkTalk, not ListenListen

Top three mobile application threats

Updated Greystone Telecom, adopted child of TalkTalk and provider of telecommunications to the business community, is unwittingly sharing customer and contract details with the world: but TalkTalk doesn't care.

The details include customer and contract prices, copies of sales orders and spreadsheets showing how things are going at the subsidiary which TalkTalk acquired last November.

The mistake is a classic: Microsoft's IIS - the server that comes with Windows - is configured by default for anonymous access, and happily allows itself to be indexed (and cached) by the ever-helpful Google crawlers. In this case, the documents now readily to be found on teh interwebs (and flagged up to us by an alert Reg reader) include all kinds of handy information regarding Greystone customers and what deals they've struck with the TalkTalk tentacle.

The offending Windows box isn't on TalkTalk's own network - it's hosted on the Demon Internet subnet.

"It's not one of our servers, so it's not our problem," a TalkTalk rep told us. "Our firewalls are all secure."

So as long as the company's sensitive data isn't being hosted by TalkTalk then the company has no problem with it being shared around the internet?

Given the propensity of Demon customers to hold static IPs, it seems as if this server is perhaps a contractor's home machine, a conclusion supported by the other documents knocking around the server, which include installation manuals for MS Lync and a file of "hold music" for Manchester-based Titan Telecom.

Open FTP servers are nothing new, but Google's omniscience makes them far more vulnerable. Where hackers would previously have had to scour random IP addresses in the hope of striking lucky, now they can just get Google to do their heavy lifting for them (though a glance at the traffic on the far side of any firewall shows there are still plenty of old-school hackers out there).

What's remarkable is TalkTalk's cavalier attitude to its data. Companies normally protect their customer lists and pricing information, for commercial reasons if not simply good manners, but tracking down the individual running this server is obviously too much effort for TalkTalk (though see update below).

Which is why we're not going to give specific details of this particular server: but if you're contractor, and Demon customer, who has worked for a few telecoms companies and has a liking for IIS, then best check you've unticked the box for anonymous access, just to be sure.

Mind how you go. ®

Updated to Add

Since this piece was published TalkTalk has supplied the Register with this statement:

We take data protection very seriously and have launched an investigation. We have established that the data did not come from any of our servers or any of our contactors’ servers, and that our firewalls and security procedures are functioning properly.

We are working to identify the IP address from which this data was disseminated, and are in contact with the appropriate authorities.

Also Titan Telecom say that the hold music is not, in fact, theirs.

Combat fraud and increase customer satisfaction

More from The Register

next story
Virgin Media so, so SORRY for turning spam fire-hose on its punters
Hundreds of emails flood inboxes thanks to gaffe
A black box for your SUITCASE: Now your lost luggage can phone home – quite literally
Breakfast in London, lunch in NYC, and your clothes in Peru
AT&T threatens to pull out of FCC wireless auctions over purchase limits
Company wants ability to buy more spectrum space in auction
Turnbull leaves Australia's broadband blackspots in the dark
New Statement of Expectations to NBN Co offers get-out clauses for blackspot builds
Facebook claims 100 MEEELLION active users in India
Who needs China when you've got the next billion in your sights?
Facebook splats in-app chat, whacks brats into crack yakety-yak app
Jibber-jabbering addicts turfed out just as Zuck warned
Google looks to LTE and Wi-Fi to help it lube YouTube tubes
Bandwidth hogger needs tube embiggenment if it's to succeed
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.