Attacks/Breaches

10/23/2015
02:00 PM
Attackers Demand Ransom Following Massive Hack on TalkTalk

Intrusion is believed to have exposed sensitive data on all four million customers of UK broadband provider.

The head of TalkTalk Telecom, one of the United Kingdom’s largest broadband providers, has confirmed personally receiving a ransom demand following a hacker attack this week that may have exposed sensitive data on all four million of the company’s customers.

In an interview with the BBC Friday, TalkTalk CEO Dido Harding said someone purporting to represent the attacker or attackers responsible for the intrusion had sent her an email attempting to extort money from the company.

Harding did not offer any details on the ransom note, citing an ongoing criminal investigation into the attack by London’s Metropolitan Police Cyber Crime Unit.

“We have been contacted by, I don’t know whether it is an individual or a group purporting to be the hacker,” Harding told the BBC. “It is a live criminal investigation. All I can say is I have personally received a contact from someone purporting as I say…to be the hacker looking for money.”

In an alert first issued Thursday, and then later updated Friday, TalkTalk disclosed that it had suffered a “significant and sustained cyber attack” on its website on Wednesday, October 21.

An investigation of the incident suggests that customer information including names, addresses, dates of birth, credit card and/or bank details and telephone numbers may have been compromised, the company said. Data from the breach was posted publicly Friday, though it is not yet clear whether the dump represents the entirety of what was stolen or just a small portion of it.

If the ransom note is really from the attackers, it would indicate either that the bulk of the data has not yet been publicly released, or that the hackers accessed even more data than the company has let on so far.

TalkTalk did not say how many customers have been impacted but noted that the company will contact all those whose data was compromised by email and letter.

TalkTalk said its website was shut down Wednesday immediately following the discovery of the breach and it has been working with cyber security specialists since then to secure the site. As of noon US Eastern Time Friday, the company’s main website remained unavailable.

This is the third time this year that the publicly traded TalkTalk has been hit by a cyber attack. News of the latest incident sent its stock plummeting by more than 11 percent at one point before it recovered somewhat to close 8.5 percent lower than at close of business Thursday.

As is typical after any major attack, the TalkTalk incident has spawned considerable speculation on method, motive and the actors behind it.

The data dump posted on Friday contained a message from someone purporting to represent a cyber-jihadist group based in Russia. The data itself is believed to be from the intrusion though the true identity of the individual or group that posted it remains unclear.

In the note the group or individual responsible for the dump claimed to have used TOR, encrypted chat messages, private key mails and hacked servers to hide their tracks.

Some, like the BBC, have reported that TalkTalk appears to have been hit with a massive denial of service attack, though that by itself would not explain the data loss. Others, like Amichai Shulman, co-founder and CTO of security vendor Imperva, think web application flaws may have played a part. “I have reviewed some of the data around the attack and my guess would be that the attackers used a SQL injection for at least part of the attack,” Shulman said in an emailed comment.
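To make the SQL injection hypothesis concrete, here is an added example; it is not code from the article, from TalkTalk or from Imperva, and says nothing about how TalkTalk's site was actually built. It shows a customer-lookup function that splices user input into its query, the two inputs an attacker would typically try against it (a tautology to dump every row, and a UNION probe to read the schema before targeting specific columns), and the parameterized version that defeats both. The table, the sample rows and the attacker input strings are all constructed for illustration.

```python
"""Added example: SQL injection in a customer lookup, and the parameterized fix.
Uses Python's standard-library sqlite3 so it runs offline."""
import sqlite3

# Constructed sample data (hypothetical accounts; card numbers are the usual
# public test numbers, not real cards).
SAMPLE_CUSTOMERS = [
    ("AC-1001", "Alice Example", "1970-01-01", "4111 1111 1111 1111"),
    ("AC-1002", "Bob Example", "1982-05-17", "5500 0000 0000 0004"),
    ("AC-1003", "Carol Example", "1991-11-30", "3400 0000 0000 009"),
]

# Attacker inputs, constructed for the demo.
TAUTOLOGY = "x' OR '1'='1"
# Four columns to match the SELECT list; the trailing -- comments out the
# quote the application appends after our input.
SCHEMA_PROBE = "x' UNION SELECT name, sql, '', '' FROM sqlite_master --"


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (account TEXT, name TEXT, dob TEXT, card TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, account: str) -> list:
    """The flawed pattern: the caller's string becomes part of the SQL text."""
    sql = f"SELECT account, name, dob, card FROM customers WHERE account = '{account}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, account: str) -> list:
    """The fix: the value is bound by the driver and never parsed as SQL."""
    sql = "SELECT account, name, dob, card FROM customers WHERE account = ?"
    return conn.execute(sql, (account,)).fetchall()


def demo() -> dict:
    """Run both lookups against benign and hostile input and summarize."""
    conn = make_db()
    benign = lookup_vulnerable(conn, "AC-1001")
    dumped = lookup_vulnerable(conn, TAUTOLOGY)        # every customer row
    schema = lookup_vulnerable(conn, SCHEMA_PROBE)     # table name + CREATE text
    safe_tautology = lookup_parameterized(conn, TAUTOLOGY)
    safe_probe = lookup_parameterized(conn, SCHEMA_PROBE)
    return {
        "benign": len(benign),
        "tautology": len(dumped),
        "schema_probe_table": schema[0][0] if schema else None,
        "parameterized": len(safe_tautology) + len(safe_probe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the schema probe is that bulk data theft rarely starts with the dump itself: an attacker first learns table and column names, then pulls the columns that matter (here dob and card). Parameterization removes the whole class of problem; it does not depend on filtering quotes or keywords out of the input.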

Many have slammed TalkTalk for not protecting its data better, considering that this is the third time the company has been breached this year. One issue that has been raised is the company’s apparent failure to encrypt sensitive data in its possession despite the previous incidents. In a FAQ, TalkTalk admits that not all of its data was encrypted. What the company has not said is whether any of it was.

“This breach highlights a need for companies to place tighter controls on how their customers' sensitive information is protected,” said Andy Heather, vice president of data security at HP. “If data is left unprotected, it's not a matter of if it will be compromised - it's a matter of when.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
Comments

RyanSepe, 10/26/2015 | 7:43:47 AM

Astounding
It's astounding that at the present time, companies still fail to encrypt sensitive data. This is one of the most simplistic principles of information security and is very cost effective. This needs to be coupled with other security safeguards and methodologies. Data segmentation, toolsets, etc. If TalkTalk doesn't get their act together they will continue to be a target for attacks.