Attackers Demand Ransom Following Massive Hack on TalkTalk

Intrusion is believed to have exposed sensitive data on all four million customers of UK broadband provider.

The head of TalkTalk Telecom, one of the United Kingdom’s largest broadband providers, has confirmed personally receiving a ransom demand following a hacker attack this week that may have exposed sensitive data on all four million of the company’s customers.

In an interview with the BBC Friday, TalkTalk CEO Dido Harding said someone purporting to represent the attacker or attackers responsible for the intrusion had sent her an email attempting to extort money from the company.

Harding did not offer any details on the ransom note, citing an ongoing criminal investigation into the attack launched by London’s Metropolitan Police Cyber Crime Unit.

“We have been contacted by, I don’t know whether it is an individual or a group purporting to be the hacker,” Harding told the BBC. “It is a live criminal investigation. All I can say is I have personally received a contact from someone purporting as I say…to be the hacker looking for money.”

In an alert first issued Thursday, and then later updated Friday, TalkTalk disclosed that it had suffered a “significant and sustained cyber attack” on its website on Wednesday, October 21.

An investigation of the incident suggests that customer information including names, addresses, dates of birth, credit card and/or bank details and telephone numbers may have been compromised, the company said. Data from the breach was posted publicly Friday, though it is not yet clear whether the dump represents the entirety of what was stolen or only a small portion of it.

If the ransom note is really from the attackers, it would indicate either that the bulk of the data has not yet been publicly released, or that the hackers accessed even more data than the company has let on so far.

TalkTalk did not say how many customers have been impacted but noted that the company will contact all those whose data was compromised by email and letter.

TalkTalk said its website was shut down Wednesday immediately following the discovery of the breach and it has been working with cyber security specialists since then to secure the site. As of noon US Eastern Time Friday, the company’s main website remained unavailable.

This is the third time this year that the publicly traded TalkTalk has been hit in a cyber attack. News of the latest incident sent its stock plummeting by more than 11 percent at one point before it recovered somewhat to close 8.5 percent lower than at close of business Thursday.

As is typical after any major attack, the TalkTalk incident has spawned considerable speculation on method, motive and the actors behind it.

The data dump posted on Friday contained a message from someone purporting to represent a cyber-jihadist group based in Russia. The data itself is believed to be from the intrusion though the true identity of the individual or group that posted it remains unclear.

In the note the group or individual responsible for the dump claimed to have used TOR, encrypted chat messages, private key mails and hacked servers to hide their tracks.

Some, like the BBC, have reported that TalkTalk appears to have been hit with a massive denial of service attack, though that by itself would not explain the data loss. Others, like Amichai Shulman, co-founder and CTO of security vendor Imperva, think web application flaws may have played a part. “I have reviewed some of the data around the attack and my guess would be that the attackers used a SQL injection for at least part of the attack,” Shulman said in an emailed comment.

Many have slammed TalkTalk for not protecting its data better, considering that this is the third time the company has been breached this year. One issue that has been raised is the company’s apparent failure to encrypt sensitive data in its possession despite the previous incidents. In a FAQ, TalkTalk admits that not all of its data was encrypted. What the company has not said is whether any of it was.

“This breach highlights a need for companies to place tighter controls on how their customers' sensitive information is protected,” said Andy Heather, vice president of data security at HP. “If data is left unprotected, it's not a matter of if it will be compromised - it's a matter of when.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

10/26/2015 | 7:43:47 AM
It's astounding that at the present time, companies still fail to encrypt sensitive data. This is one of the most simplistic principles of information security and is very cost effective. This needs to be coupled with other security safeguards and methodologies. Data segmentation, toolsets, etc. If Talk Talk doesn't get their act together they will continue to be a target for attacks.