The TalkTalk breach just keeps on giving
TalkTalk today finally revealed that 157,000 customers had details stolen in the recent hack. That’s less than originally feared, but is still far from good. There is also some further information from Channel 4 about how the breach unfolded. If that story is accurate, and I have no way of verifying the details, though presumably Channel 4 will not just have taken some random person’s word on this, then it looks like it was very easy indeed to compromise the TalkTalk website, and from there get access to customer details. If you’re interested in how Google can be used to find poorly configured web servers, and potential exploits, take a look here.
Whatever the technical specifics of the actual hacking, it is clear from the arrests that have been made that this was not the work of some cyber hacking ninja APTs. Combine the simplistic nature of the attack, with the fact that TalkTalk had an outsourced security contract in place, and indeed recognised security was an issue, gives an increasingly woeful picture. TalkTalk customers have a right to feel aggrieved.
This breach shows that large organisations are still not getting cyber security right and too often spend money ineffectively. Just writing a cheque and giving it to a third party is not enough – there is no black box solution that gives security, and you should immediately show any salesman the door if they try and tell you there is. Security needs to be embedded in your organisation culture, and getting that right is not something you can do by just buying a service. This is a topic I’ll opine on further in future.
Thanks for reading. Any questions, find us on twitter, or use the contact form. Also if you liked this post why not share it on Twitter or LinkedIn using the link at the top?
Rob