The head of TalkTalk Telecom, one of the United Kingdom’s largest broadband providers has confirmed personally receiving a ransom demand following a hacker attack this week that may have exposed sensitive data on all four million of the company’s customers.
In an interview with the BBC Friday, TalkTalk CEO Dido Harding said someone purporting to represent the attacker or attackers responsible for the intrusion had sent her an email attempting to extort money from the company.
Harding did not offer any details on the ransom note citing an ongoing criminal investigation launched by London’s Metropolitan Police Cyber Crime Unit into the attack.
“We have been contacted by, I don’t know whether it is an individual or a group purporting to be the hacker,” Dido told the BBC. “It is a live criminal investigation. All I can say is I have personally received a contact from someone purporting as I say…to be the hacker looking for money.”
In an alert first issued Thursday, and then later updated Friday, TalkTalk disclosed that it had suffered a “significant and sustained cyber attack” on its website on Wednesday, October 21.
An investigation of the incident suggests that customer information including names, addresses, dates of birth, credit card and/or bank details and telephone numbers may have been compromised, the company said. Data from the breach was posted publicly Friday though it is not clear yet whether the dump represents the entirety of what was stolen or just a small portion of it.
If the ransom note is really from the attackers, it would indicate that either a bulk of the data has not yet been publicly released, or that the hackers accessed even more data than let on by the company so far.
TalkTalk did not say how many customers have been impacted but noted that the company will contact all those whose data was compromised by email and letter.
TalkTalk said its website was shut down Wednesday immediately following the discovery of the breach and it has been working with cyber security specialists since then to secure the site. As of noon US Eastern Time Friday, the company’s main website remained unavailable.
This is the third time this year that the publicly traded TalkTalk has been hit in a cyber attack. News of the latest incident sent its stock plummeting by more than 11 percent at one point before it recovered somewhat to close at 8.5 percent lower than where it was at close of business Thursday..
As is typical after any major attack, the TalkTalk incident has spawned considerable speculation on method, motive and the actors behind it.
The data dump posted on Friday contained a message from someone purporting to represent a cyber-jihadist group based in Russia. The data itself is believed to be from the intrusion though the true identity of the individual or group that posted it remains unclear.
In the note the group or individual responsible for the dump claimed to have used TOR, encrypted chat messages, private key mails and hacked servers to hide their tracks.
Some, like the BBC have reported that TalkTalk appears to have been hit with a massive denial of service attack though that by itself would not explain the data loss. Others, like Amichai Shulman, co-founder and CTO of security vendor Imperva think web application flaws may have played a part. “I have reviewed some of the data around the attack and my guess would be that the attackers used a SQL injection for at least part of the attack,” Shulman said in an emailed comment.
Many have slammed TalkTalk for not protecting its data better considering that this is the third time the company has been breached just this year. One issue that has been raised is the company’s apparent failure to encrypt sensitive data in its possession despite the previous incidents. In a FAQ, TalkTalk admits that not all of its data was encrypted. What the company has not said is, if any of it was.
“This breach highlights a need for companies to place tighter controls on how their customers' sensitive information is protected,” said Andy Heather, vice president of data security at HP. “If data is left unprotected, it's not a matter of if it will be compromised - it's a matter of when.”