Two interesting news stories

Yesterday (October 5th) saw two interesting news reports: one made headlines, the other didn’t.

The first report was the £400,000 fine imposed on Talk Talk following their data breach last October; we first reported on it here. The fine, the largest imposed by the Information Commissioner’s Office (ICO), was slightly less than the maximum it could have levied, and is small change compared to the £42 million – and the loss of 101,000 customers – that Talk Talk admit the breach has so far cost them.

The ICO’s full announcement is here and states that the names, addresses, telephone numbers and email addresses of 156,656 Talk Talk customers were accessed, and that some 10% of those customer records also included bank sort codes and account numbers. The stolen data was stored on a database of customers who joined Talk Talk when, in 2009, it acquired the UK operations of Tiscali. The data was accessed using the relatively simple technique of SQL injection via a web page. Talk Talk had already suffered two similar cyber attacks in 2015 that should have highlighted the system’s vulnerabilities.

The Information Commissioner, Elizabeth Denham, said: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease. Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”

While it was initially thought that the data breach had been committed by cyber terrorists, six people – all under 21 – have been...

Talk Talk Data Breach – update

Now we know the size, scope and costs of the October data breach

Now that the dust has settled over October’s data breach at Talk Talk, we have ‘the facts’. Contrary to initial reports, it now transpires that the breach was not instigated by cyber-terrorists but by a bunch of disaffected teenagers. I’m not sure which prospect is more disconcerting.

The facts as now reported are that the ‘significant and sustained’ breach compromised the details of nearly 157,000 customers and 15,600 bank sort codes and account numbers. 28,000 credit card numbers were leaked, but these had been obscured and thus could not be used for payment transactions; they could, however, be used by spammers to add credibility when making calls to Talk Talk customers. Given that personal data was compromised, and that it’s not the first time that Talk Talk have been hacked, it’s likely that they will be penalised by the Information Commissioner’s Office.

It’s now likely that 2015 will be seen as the year of the data breach; Theresa May, the Home Secretary, recently told Parliament of “90% of large organisations suffering an information security breach last year”.

We help businesses to reduce their exposure by ensuring that payment card data never enters their data environment: in simple terms, even if your company suffers a data breach, your customers’ payment card data can’t and won’t be compromised. Give us a call, let’s see how we can help...

Talk Talk hit by major data breach

Once again, a major data breach has hit the headlines; this time it’s Talk Talk. The company claims that ‘there is a chance that… Credit card details and/or bank details’ of up to 4 million customers may be compromised in a ‘significant and sustained cyber-attack’.

I wrote here back in July that cyber terrorists were an emerging threat, and the cyber security consultant and former Scotland Yard detective Adrian Culley told BBC Radio 4’s Today programme that a Russian Islamist group had posted online to claim responsibility for the attacks. He said that hackers claiming to be a cyber-jihadi group had posted data that appeared to be TalkTalk customers’ private information, although he stressed their claim was yet to be verified or investigated.

As Daniel Dresner, a lecturer in information and cyber security and governance at Manchester University’s School of Computer Science, observed on BBC ‘Breakfast’ on October 23rd: “There’s four million customers, if they (the hackers) do four million one pound transactions, that’s not a bad haul.”

Stephen Orfei, the General Manager of the PCI Security Standards Council, observed at the PCI Congress in Berlin in 2014 that payment card fraud was like a water-filled balloon: you squeeze in one place and it appears someplace else. And we all know that Chip & PIN has, since its introduction in 2004, greatly reduced ‘Customer Present’ fraud in the UK. As Stephen Orfei observed, the crime isn’t going away, and why steal a single credit card when you can potentially harvest four million?

What does this mean to your business? While we acknowledge that the...