Feeds

TalkTalk subsidiary's customer data placed on the web in IIS whoopsie

Called TalkTalk, not ListenListen

Top 5 reasons to deploy VMware with Tegile

Updated Greystone Telecom, adopted child of TalkTalk and provider of telecommunications to the business community, is unwittingly sharing customer and contract details with the world: but TalkTalk doesn't care.

The details include customer and contract prices, copies of sales orders and spreadsheets showing how things are going at the subsidiary which TalkTalk acquired last November.

The mistake is a classic: Microsoft's IIS - the server that comes with Windows - is configured by default for anonymous access, and happily allows itself to be indexed (and cached) by the ever-helpful Google crawlers. In this case, the documents now readily to be found on teh interwebs (and flagged up to us by an alert Reg reader) include all kinds of handy information regarding Greystone customers and what deals they've struck with the TalkTalk tentacle.

The offending Windows box isn't on TalkTalk's own network - it's hosted on the Demon Internet subnet.

"It's not one of our servers, so it's not our problem," a TalkTalk rep told us. "Our firewalls are all secure."

So as long as the company's sensitive data isn't being hosted by TalkTalk then the company has no problem with it being shared around the internet?

Given the propensity of Demon customers to hold static IPs, it seems as if this server is perhaps a contractor's home machine, a conclusion supported by the other documents knocking around the server, which include installation manuals for MS Lync and a file of "hold music" for Manchester-based Titan Telecom.

Open FTP servers are nothing new, but Google's omniscience makes them far more vulnerable. Where hackers would previously have had to scour random IP addresses in the hope of striking lucky, now they can just get Google to do their heavy lifting for them (though a glance at the traffic on the far side of any firewall shows there are still plenty of old-school hackers out there).

What's remarkable is TalkTalk's cavalier attitude to its data. Companies normally protect their customer lists and pricing information, for commercial reasons if not simply good manners, but tracking down the individual running this server is obviously too much effort for TalkTalk (though see update below).

Which is why we're not going to give specific details of this particular server: but if you're contractor, and Demon customer, who has worked for a few telecoms companies and has a liking for IIS, then best check you've unticked the box for anonymous access, just to be sure.

Mind how you go. ®

Updated to Add

Since this piece was published TalkTalk has supplied the Register with this statement:

We take data protection very seriously and have launched an investigation. We have established that the data did not come from any of our servers or any of our contactors’ servers, and that our firewalls and security procedures are functioning properly.

We are working to identify the IP address from which this data was disseminated, and are in contact with the appropriate authorities.

Also Titan Telecom say that the hold music is not, in fact, theirs.

Choosing a cloud hosting partner with confidence

More from The Register

next story
FCC, Google cast eye over millimetre wireless
The smaller the wave, the bigger 5G's chances of success
It's even GRIMMER up North after MEGA SKY BROADBAND OUTAGE
By 'eck! Eccles cake production thrown into jeopardy
Mobile coverage on trains really is pants
You thought it was just *insert your provider here*, but now we have numbers
Don't mess with Texas ('cos it's getting Google Fiber and you're not)
A bit late, but company says 1Gbps Austin network almost ready to compete with AT&T
HBO shocks US pay TV world: We're down with OTT. Netflix says, 'Gee'
This affects every broadcaster, every cable guy
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.