TalkTalk has confirmed that it has suffered a “significant and sustained cyber-attack.” TalkTalk has which has over 4 million customers in the UK.
While details are limited, TalkTalk has said that the hackers may have accessed its customer database – including names, addresses, date of birth, email address, telephone numbers, TalkTalk account information, credit card and/or bank details:
Jon French, security analyst of AppRiver has offered the following advice to customers that may have been affected:
“The two major things customers need to do is keep an eye on their banking information to look for fraudulent transactions, as well as be vigilant with communications. By communications, I mean they should be suspicious of any unexpected emails or phone calls that may be asking them for additional information. If someone calling or emailing you already has information like name, address, email address, or other account information, that doesn’t mean they can automatically be trusted. They may cite that data to get someone to trust them to hand over more information like a credit card or password.”
Benjamin Harris, Managing Security Consultant of MWR InfoSecurity adds additional advice to customers, but also to organisations generally that may be targets to this type of cyber attack:
“As always when there is a concern that payment data may have been breached, consumers should pay attention to transactions made on their debit and credit cards and report any suspected fraudulent transactions to their card issuer. Being proactive will help to limit any damage caused by exposure of credit card information, however if consumers are heavily concerned about the confidentiality of their debit or credit card, it is recommended that they contact their card issuer to provision replacement cards, thus invalidating the previous credit or debit card used.
“It appears that TalkTalk have been proactive in this instance, and have done the correct things by issuing a public statement and involving the relevant authorities, allowing the attack to be investigated and thus limit any further damage.
“Incident response is a necessity for most organisations. In this case, it is important that organisations are both proactive and honest about any security breaches, and that they enlist the correct help from the outset. Identifying the attack mechanism is an important step in mitigating the risk, and pre-emptive actions (such as immediately destroying an infected machine) could lose vital evidence that would be useful in identifying the actual impact.
“Organisations should also regularly test their incident response plans. For example, logging and monitoring systems may not be regularly inspected. Realising that a log collation server has not been working for months and has not recorded information relating to a breach can be very frustrating, and these issues can be avoided with regular inspection.
Richard Cassidy, technical director EMEA, Alert Logic commented about the incident;
“This represents another serious incident from a data-breach perspective at TalkTalk; unfortunately not for the first time this year. Questions have to be raised around the point of data-at-rest security and whether organisations are indeed doing all they can to assure that customer data (whether it be credit card, banking details or personally identifiable information) is as protected as it could be in the case of a serious data breach.
We cannot continue to rely on legacy security tools and techniques in the battle against the modern day cyber criminals that are targeting our organisations on a global scale. Fundamentally it is safer to assume that we will be a target of an attack (and in many cases an advanced threat) and look at the problem from the inside out. Clearly it’s important to look at how we can better prevent data breaches and implement more effective tools to identify pre and post compromise activity, however CISO’s, CSO’s and CEO’s should take the lessons learned from the countless data breaches we’ve seen this past while and seek to answer the question on how well prepared is the organisation in the event a data-breach does occur and how can customer data be better protected should the worst happen.
Clearly there are questions in the case of this breach, as to what mechanisms were put in place to protect the data hackers came after; perhaps too much focus was put on perimeter security and detection of threats, rather than focusing on better protecting what assets attackers would be coming after in the first place. Fundamentally organisations need to start with an intrinsic understanding the anatomy of an attack as the first line of defence. Organisations have responsibility for protecting our data and perhaps a change is needed in legislation to compensate customers who suffer a financial loss as a result of their data being compromised; all too often we see organisations defer liability when a customer suffers a financial loss at the hands of bad actor groups who used the data they stole from a successful breach to compromise the organisations customers. The vast majority of consumers are not I.T or even Security savvy, especially the older generation; it can often be incredibly hard to discern from a bogus call purporting to be your provider (using the data they’ve gleaned from a breach) and a legitimate call. It would be far better for organisations of the ilk of TalkTalk to offer up better information to consumers on how to identify how their data could be used in such campaigns and to take more responsibility in supporting customers who suffer a loss as a result.
Ultimately however it points to the need for organisations to really question their “data-at-rest” encryption standards and capabilities and more importantly the protection of the keys that are used to maintain encryption. If more focus was placed on the assumption that a data breach is highly likely to occur and as a result of this, how can losses be mitigated against should corporate or customer data be exfiltrated. The first answer quite evidently lies in how we encrypt the data we might lose and thus make any attempt at using that data a very tall order indeed for the bad actors to seek it.”