Late last night, quad-play provider TalkTalk issued an urgent statement alerting customers that its website had been hacked. Following a "significant and sustained cyberattack," the company warned that names, addresses, account information and credit card/bank information may have been stolen. Subscribers have been told that they may be contacted by nefarious third-parties asking for personal information and to look out for any irregular activity on their online accounts. It's worrying when something like this happens once, but for TalkTalk, this is the second big data scare in a year.
In February, the company revealed that attackers had accessed names, addresses, phone numbers and TalkTalk account numbers at the tail end of 2014. It confirmed a number of cases where scammers were using stolen data to extract more sensitive information like bank account and credit card numbers from affected customers (otherwise known as a phishing attack). The company said it took "urgent and serious steps" to secure its systems and reassure customers, but more than 100 customers were contacted by callers quoting their personal details in the wake of the attack.
Who did it?
In a message posted to code-sharing website Pastebin, a group claiming to be behind the attack shared some of the data it said it had appropriated. In these messages lie customer records that display names, emails and also passwords. One particular file suggests that when some users changed their password via the TalkTalk website, the new value was stored in plaintext -- meaning it may not have been secured in any way. TalkTalk admits on its website that "not all of the data was encrypted," and that appears to cover sensitive data like passwords and possibly even credit card and bank details.
Normally, secure websites will salt and hash sensitive user information. Instead of storing a password like 'QWERTY,' they'll generate a representation of it instead. This is either a long random number or a string of unique letters and numbers. When a user logs into a website that utilises hashes, the system will take their password, convert it into a hash and then match it to the hashed value stored in the database. It means that if records are then stolen, information like passwords aren't immediately viewable. This method isn't 100 percent foolproof, though, as algorithms can still be cracked if an attacker has a lot of time and the right tools available to them.
How was the data stolen?
Looking at the unverified data dump, we ascertained that TalkTalk stored customer information in SQL databases. SQL is a very common online database structure and its popularity means that installations have become targets. Reports suggest that TalkTalk was subjected to a distributed denial-of-service (DDoS) attack that enabled the attackers to utilise SQL injection techniques. SQL injection allows an attacker to feed commands to a database (that shouldn't normally be accessible) via a poorly-designed website form or input box.
Now seems TalkTalk attack was DDoS followed by SQL injection - one expert tells me it's "disappointing" they fell victim to this technique— Rory Cellan-Jones (@ruskin147) October 23, 2015
A DDoS attack can certainly put pressure on a website, but it's highly likely that it was used as a diversionary tactic while the attackers focused their attention on TalkTalk's databases.
Following the original announcement, TalkTalk CEO Dido Harding said she personally received a ransom demand from a person claiming to be behind the attack. She told the BBC: "Yes, we have been contacted by - I don't know whether it's an individual or a group purporting to be the hacker. I personally received a contact from someone purporting - as I say, I don't know whether they are or are not - to be the hacker, looking for money."
If you're a TalkTalk customer and are wondering what you should do to stay safe, here are some easy steps to follow. First, you may receive phone calls from someone purporting to be a company representative, who may ask you to provide sensitive information. If this is the case, attempt to verify the caller by asking for a reference and a company number to call back on. The same advice can be used for emails, which might appear genuine but contain shady links to phishing sites. Lastly, change your login for the sites that you may have used the same password on.
What happens now?
TalkTalk says it detected the attack on October 21st and that the Metropolitan Police Cyber Crime Unit launched an investigation into the hack the following day. The company has taken its account sections offline while it attempts to identify the scope of the data breach.
It's also attempting to reassure customers that it takes its data-keeping duties seriously: "We constantly review and update our systems to make sure they're as secure as possible and we're taking all the necessary steps to understand this incident and to protect them as best we can against similar attacks in future."
When we contacted TalkTalk to ask why sensitive data wasn't encrypted by default, representatives were unable to provide us with an answer. Also, the legitimacy of the data dump in still in question. Should it turn out to be consistent, TalkTalk will face even more scrutiny for its lack of care over important customer data.
[Image Credit: Andrew Milligan/PA ARCHIVE IMAGES]