Attacks/Breaches

10/23/2015
02:00 PM

Attackers Demand Ransom Following Massive Hack on TalkTalk

Intrusion is believed to have exposed sensitive data on all four million customers of UK broadband provider.

The head of TalkTalk Telecom, one of the United Kingdom’s largest broadband providers, has confirmed personally receiving a ransom demand following a hacker attack this week that may have exposed sensitive data on all four million of the company’s customers.

In an interview with the BBC Friday, TalkTalk CEO Dido Harding said someone purporting to represent the attacker or attackers responsible for the intrusion had sent her an email attempting to extort money from the company.

Harding did not offer any details on the ransom note, citing an ongoing criminal investigation into the attack launched by London’s Metropolitan Police Cyber Crime Unit.

“We have been contacted by, I don’t know whether it is an individual or a group purporting to be the hacker,” Dido told the BBC. “It is a live criminal investigation. All I can say is I have personally received a contact from someone purporting as I say…to be the hacker looking for money.”

In an alert first issued Thursday, and then later updated Friday, TalkTalk disclosed that it had suffered a “significant and sustained cyber attack” on its website on Wednesday, October 21.

An investigation of the incident suggests that customer information, including names, addresses, dates of birth, credit card and/or bank details, and telephone numbers, may have been compromised, the company said. Data from the breach was posted publicly Friday, though it is not yet clear whether the dump represents the entirety of what was stolen or just a small portion of it.

If the ransom note is really from the attackers, it would indicate either that the bulk of the data has not yet been publicly released, or that the hackers accessed even more data than the company has so far let on.

TalkTalk did not say how many customers have been impacted but noted that the company will contact all those whose data was compromised by email and letter.

TalkTalk said its website was shut down Wednesday immediately following the discovery of the breach and it has been working with cyber security specialists since then to secure the site. As of noon US Eastern Time Friday, the company’s main website remained unavailable.

This is the third time this year that the publicly traded TalkTalk has been hit in a cyber attack. News of the latest incident sent its stock plummeting by more than 11 percent at one point before it recovered somewhat to close 8.5 percent lower than where it was at close of business Thursday.

As is typical after any major attack, the TalkTalk incident has spawned considerable speculation on method, motive and the actors behind it.

The data dump posted on Friday contained a message from someone purporting to represent a cyber-jihadist group based in Russia. The data itself is believed to be from the intrusion, though the true identity of the individual or group that posted it remains unclear.

In the note, the group or individual responsible for the dump claimed to have used Tor, encrypted chat messages, private key mails and hacked servers to hide their tracks.

Some, like the BBC, have reported that TalkTalk appears to have been hit with a massive denial of service attack, though that by itself would not explain the data loss. Others, like Amichai Shulman, co-founder and CTO of security vendor Imperva, think web application flaws may have played a part. “I have reviewed some of the data around the attack and my guess would be that the attackers used a SQL injection for at least part of the attack,” Shulman said in an emailed comment.

Many have slammed TalkTalk for not protecting its data better, considering that this is the third time the company has been breached this year. One issue that has been raised is the company’s apparent failure to encrypt sensitive data in its possession despite the previous incidents. In a FAQ, TalkTalk admits that not all of its data was encrypted. What the company has not said is whether any of it was.

“This breach highlights a need for companies to place tighter controls on how their customers' sensitive information is protected,” said Andy Heather, vice president of data security at HP. “If data is left unprotected, it's not a matter of if it will be compromised - it's a matter of when.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
Comments
RyanSepe
User Rank: Ninja
10/26/2015 | 7:43:47 AM
Astounding
It's astounding that, at the present time, companies still fail to encrypt sensitive data. This is one of the most simplistic principles of information security and is very cost effective. This needs to be coupled with other security safeguards and methodologies: data segmentation, toolsets, etc. If TalkTalk doesn't get their act together, they will continue to be a target for attacks.