TalkTalk subsidiary's customer data placed on the web in IIS whoopsie
Called TalkTalk, not ListenListen
Updated Greystone Telecom, adopted child of TalkTalk and provider of telecommunications to the business community, is unwittingly sharing customer and contract details with the world: but TalkTalk doesn't care.
The details include customer and contract prices, copies of sales orders and spreadsheets showing how things are going at the subsidiary which TalkTalk acquired last November.
The mistake is a classic: Microsoft's IIS - the server that comes with Windows - is configured by default for anonymous access, and happily allows itself to be indexed (and cached) by the ever-helpful Google crawlers. In this case, the documents now readily to be found on teh interwebs (and flagged up to us by an alert Reg reader) include all kinds of handy information regarding Greystone customers and what deals they've struck with the TalkTalk tentacle.
The offending Windows box isn't on TalkTalk's own network - it's hosted on the Demon Internet subnet.
"It's not one of our servers, so it's not our problem," a TalkTalk rep told us. "Our firewalls are all secure."
So as long as the company's sensitive data isn't being hosted by TalkTalk then the company has no problem with it being shared around the internet?
Given the propensity of Demon customers to hold static IPs, it seems as if this server is perhaps a contractor's home machine, a conclusion supported by the other documents knocking around the server, which include installation manuals for MS Lync and a file of "hold music" for Manchester-based Titan Telecom.
Open FTP servers are nothing new, but Google's omniscience makes them far more vulnerable. Where hackers would previously have had to scour random IP addresses in the hope of striking lucky, now they can just get Google to do their heavy lifting for them (though a glance at the traffic on the far side of any firewall shows there are still plenty of old-school hackers out there).
What's remarkable is TalkTalk's cavalier attitude to its data. Companies normally protect their customer lists and pricing information, for commercial reasons if not simply good manners, but tracking down the individual running this server is obviously too much effort for TalkTalk (though see update below).
Which is why we're not going to give specific details of this particular server: but if you're contractor, and Demon customer, who has worked for a few telecoms companies and has a liking for IIS, then best check you've unticked the box for anonymous access, just to be sure.
Mind how you go. ®
Updated to Add
Since this piece was published TalkTalk has supplied the Register with this statement:
We take data protection very seriously and have launched an investigation. We have established that the data did not come from any of our servers or any of our contactors’ servers, and that our firewalls and security procedures are functioning properly.
We are working to identify the IP address from which this data was disseminated, and are in contact with the appropriate authorities.
Also Titan Telecom say that the hold music is not, in fact, theirs.
Sponsored: Becoming a Pragmatic Security Leader