
Attacks/Breaches

10/23/2015
02:00 PM

Attackers Demand Ransom Following Massive Hack on TalkTalk

Intrusion is believed to have exposed sensitive data on all four million customers of UK broadband provider.

The head of TalkTalk Telecom, one of the United Kingdom’s largest broadband providers, has confirmed personally receiving a ransom demand following a hacker attack this week that may have exposed sensitive data on all four million of the company’s customers.

In an interview with the BBC Friday, TalkTalk CEO Dido Harding said someone purporting to represent the attacker or attackers responsible for the intrusion had sent her an email attempting to extort money from the company.

Harding did not offer any details on the ransom note, citing an ongoing criminal investigation into the attack launched by London’s Metropolitan Police Cyber Crime Unit.

“We have been contacted by, I don’t know whether it is an individual or a group purporting to be the hacker,” Dido told the BBC. “It is a live criminal investigation. All I can say is I have personally received a contact from someone purporting as I say…to be the hacker looking for money.”

In an alert first issued Thursday, and then later updated Friday, TalkTalk disclosed that it had suffered a “significant and sustained cyber attack” on its website on Wednesday, October 21.

An investigation of the incident suggests that customer information including names, addresses, dates of birth, credit card and/or bank details and telephone numbers may have been compromised, the company said. Data from the breach was posted publicly Friday though it is not clear yet whether the dump represents the entirety of what was stolen or just a small portion of it.

If the ransom note is really from the attackers, it would indicate either that the bulk of the data has not yet been publicly released, or that the hackers accessed even more data than the company has let on so far.

TalkTalk did not say how many customers have been impacted but noted that the company will contact all those whose data was compromised by email and letter.

TalkTalk said its website was shut down Wednesday immediately following the discovery of the breach and it has been working with cyber security specialists since then to secure the site. As of noon US Eastern Time Friday, the company’s main website remained unavailable.

This is the third time this year that the publicly traded TalkTalk has been hit in a cyber attack. News of the latest incident sent its stock plummeting by more than 11 percent at one point before it recovered somewhat to close 8.5 percent lower than at close of business Thursday.

As is typical after any major attack, the TalkTalk incident has spawned considerable speculation on method, motive and the actors behind it.

The data dump posted on Friday contained a message from someone purporting to represent a cyber-jihadist group based in Russia. The data itself is believed to be from the intrusion, though the true identity of the individual or group that posted it remains unclear.

In the note the group or individual responsible for the dump claimed to have used TOR, encrypted chat messages, private key mails and hacked servers to hide their tracks.

Some, like the BBC, have reported that TalkTalk appears to have been hit with a massive denial of service attack, though that by itself would not explain the data loss. Others, like Amichai Shulman, co-founder and CTO of security vendor Imperva, think web application flaws may have played a part. “I have reviewed some of the data around the attack and my guess would be that the attackers used a SQL injection for at least part of the attack,” Shulman said in an emailed comment.

Many have slammed TalkTalk for not protecting its data better, considering that this is the third time the company has been breached this year. One issue that has been raised is the company’s apparent failure to encrypt sensitive data in its possession despite the previous incidents. In a FAQ, TalkTalk admits that not all of its data was encrypted. What the company has not said is whether any of it was.

“This breach highlights a need for companies to place tighter controls on how their customers' sensitive information is protected,” said Andy Heather, vice president of data security at HP. “If data is left unprotected, it's not a matter of if it will be compromised - it's a matter of when.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
RyanSepe, User Rank: Ninja, 10/26/2015 | 7:43:47 AM
Astounding
It's astounding that at the present time, companies still fail to encrypt sensitive data. This is one of the most simplistic principles of information security and is very cost-effective. This needs to be coupled with other security safeguards and methodologies. Data segmentation, toolsets, etc. If TalkTalk doesn't get their act together they will continue to be a target for attacks.