Here's how TalkTalk ducked and dived over THAT gigantic hack

Spin still strong, two weeks on

Encryption? Oh yes, of course

When Harding admitted TalkTalk may have not encrypted its customers' bank details, it was as a claim made to soothe customers by claiming that the information which had been stolen was "incomplete".

24/10/2015: We now expect the amount of financial information that may have been accessed to be materially lower than initially believed and would on its own not enable a criminal to take money from your account.

This raised concerns about TalkTalk's security, in particular regarding its means for secure storage. The minor obfuscation of credit card detail digits may not completely reduce TalkTalk customers' exposure to phishing emails or identity theft scams. Harding confirmed her lack of concern over this detail in an interview with the Sunday Times.

25/10/2015: It wasn't encrypted, nor are you legally required to encrypt it ... We have complied with all of our legal obligations in terms of storing of financial information.

TalkTalk's claims that it was not under a legal obligation to encrypt users' data may be correct, dependent upon interpretation of the Data Protection Act 1998's Principle 7, which states:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Establishing what security measures may be considered "appropriate" will be key to TalkTalk's attempts to claim it has not negligently breached the DPA.

The telco has so far absolved itself of responsibility, despite Harding issuing a soft "Sorry" during her BBC interview. TalkTalk's site denies a breach of the DPA, noting "This is a criminal attack. We have notified the [Information Commissioner's Office (ICO)] and we will work closely with them over the coming weeks and months."

The ICO was notified on Thursday evening, at the same time that TalkTalk went public.

Youtube Video

Harding provided a video statement at 1pm on Monday 26 October, although she offered no new details about the attack, nor did she explain what information had been stolen and/or used by the criminals to target TalkTalk customers.

26/10/2015: The number of customers affected and the amount of data potentially stolen is smaller than originally feared.

Contradicting her own claim on the 25th, that customers' data "wasn't encrypted, nor are you legally required to encrypt it," Harding added:

25/10/2015: We don't store unencrypted data on our site, any credit card info which may have been stolen has the six middle digits blanked out and can't be used for financial transactions.

Partially obscured credit card details would not provide the protection against fraudsters that encrypted information would have. Victims who are contacted on the phone may be offered partial information as part of a confidence trick, with the six redacted digits subsequently requested from them as a means of the victim proving their identity.

Harding added:

No My Account passwords have been stolen.

No banking details have been taken that you wouldn't already be sharing when you write a cheque or give to someone so they can pay money into your account.

Following the arrest of a 15-year-old boy last Monday, the company paraded its victimhood, bemoaning the fact that "cyber criminals are becoming increasingly sophisticated and attacks against companies that do business online are becoming increasingly frequent."

At this point, the CEO began to loosen up about TalkTalk's approach to customers wishing to cancel contracts with the data-spaffing telco, where the company's previous policy was to firmly refuse to allow customers to leave without paying a termination fee, despite TalkTalk having lost their information.

Harding, an avid vlogging enthusiast, delivered another piece to camera, which has since been deleted (but is preserved on WebArchive), with this suggestion:

26/10/2015: In the unlikely event that money is stolen from a customer’s bank account as a direct result of the cyber-attack (rather than as a result of any other information given out by a customer) then as a gesture of goodwill, on a case by case basis, we will waive termination fees.

Additional information provided by TalkTalk suggested there are three requirements before current customers will be allowed to cancel their contracts.

  • You have had money taken from your account without your consent and you have incurred a financial loss as as result.
  • The money was taken on or after the 21st October 2015.
  • You have contacted Action Fraud and obtained a Crime Reference Number.

TalkTalk additionally accepted no liability for other possible expenses customers may incur as a result of the breach.

Sponsored: The Joy and Pain of Buying IT - Have Your Say


Biting the hand that feeds IT © 1998–2017