TalkTalk hack ‘only’ affected 157,000 customers

Things at TalkTalk are bad. Real bad. But not quite as bad as first thought.

I am of course referring to the news that ‘only’ 157,000 customer records were accessed during the recent breach, not the incident management/response which was just… bad.

According to figures published by the BBC earlier today, some 156,959 customers had their personal information accessed – which is a somewhat lower figure than the 4 million or so that was suggested when news of the hack first came to light.

Not all of those customers saw their financial details exposed though – the number of bank account numbers and sort codes swiped came in at a ‘mere’ 15,656.

TalkTalk said 28,000 credit and debit card numbers stolen during the attack were essentially useless to those behind the breach as they had been “obscured” and were therefore unable to be used to initiate any type of financial transaction.

The company said anyone whose financial info had been exposed had already been contacted, and other affected customers would hear from TalkTalk in short order.

Having previously confirmed that usernames, addresses, dates of birth, email addresses and telephone numbers had been swiped, the company confirmed that around 4% of its userbase had at least some sensitive data at risk.

In addition to all the bad publicity garnered since the attack, the BBC also revealed another blow for the company, stating that TalkTalk shares had lost around a third of their value since the initial attack on 21 October.

Whether that will be a long-term concern for the leadership of the telecoms firm is debatable – I cannot find the relevant tweet right now, but Neira Jones has previously said that stock prices often bounce back quite strongly once the news of a breach starts to recede from peoples’ memories.

Whether that will be the case with TalkTalk or not remains to be seen and, in my opinion, will largely be affected by CEO Dido Harding’s performances in the coming weeks.

Meanwhile four people aged between 15 and 20 remain on police bail, having been arrested under the Computer Misuse Act.

The alleged motives of the youngsters, who of course remain innocent unless proven otherwise, are still unclear, though the Daily Mail has today had a stab at adding some flesh to one hypothesis, saying that up to 25 fun-seeking hackers had their mitts on customer data in the wake of the attack.

Citing Channel 4 News, the online paper quoted one hacker who apparently said:

It was in a Skype group call…with a lot of laughing and making fun of TalkTalk.
There was no group, it was just a few friends laughing about a company with bad security. It’s fun for us.

Responding to the program, in which one hacker claimed to have been rebuffed by an uninterested TalkTalk when explaining its security issues, a spokesman for the company gave the stock post-breach response that the company was taking the issues very seriously before adding that it was co-operating fully with police.

The spokesman then sprinkled what I would describe as a pinch of scorn on the Channel 4 report by saying “the information included in this report has not been verified and is in some respects materially inaccurate.”

Communication key as UK and US banks prepare for Operation Resilient Shield

Following on from the two Waking Shark trials conducted over the last few years, the largest UK banks are once again set to face a simulated cyber attack.

This time, they’ll be joined by some of the biggest banks in the US as the Bank of England and its American cousins unleash a mock attack, designed to test their resilience to attackers who may wish to steal data or cripple the entire financial industry.

The latest operation, dubbed Resilient Shield, was jointly announced by Prime Minister David Cameron and President Barack Obama back in January.

Commenting at the time, the White House said:

both leaders agreed to bolster efforts to enhance the cybersecurity of critical infrastructure in both countries, strengthen threat information sharing and intelligence cooperation on cyber issues, and support new educational exchanges between US and British cybersecurity scholars and researchers.

The upcoming operation will be co-ordinated by the Computer Emergency Response Team (CERT) in both countries.

One of the key aims of the operation is to test the ability of banks to not only communicate with each other during a time of crisis, but also with their respective governments. It will also assess how well the US and UK CERTs communicate with each other.

Announcement of the upcoming operation comes at a time when cyber attacks are very much in the news, at least here in the UK where we’ve seen account compromises at both TalkTalk and Vodafone, as well as a sharp increase in the crime statistics, caused by the inclusion of online crime for the first time.

Given the cutbacks in police numbers, and the challenges faced in investigating cyber crime, the financial sector has more than a passing need to ensure that its security protocols are tested and refreshed in order to counter the ever-present threat of attack.

The nature of the information held by banks and other financial institutions is such that even a minor breach could be catastrophic for any business or individual affected.

And, given the fact that it is not just teenagers who are suspected of hacking into organisations of all sizes, but also nation states such as China and Russia, a robust and well-practised incident response plan becomes all the more important.

Meanwhile, the Bank of England is continuing to check in with insurers amid fears that the insurance market is also becoming a key target for hackers.

After the Bank released its Financial Stability Report in July, governor Mark Carney said the “adaptive nature of the threat means that ways of managing the risk must continually evolve” and called for resilience to be “regularly assessed.”

The Bank’s Financial Policy Committee (FPC) has recently recommended widening the scope of exercises such as Resilient Shield to encompass an increasing number of major firms, including those in the insurance sector.

According to a recent report by PwC, insurers themselves appear to be increasingly concerned about their attractiveness to attackers due to the nature of the personal data they hold and the fact that they rely heavily upon cloud storage systems.

Majority Of Data Breach Incidents Not Reported To ICO

According to ViaSat UK, a specialist security and communications company, the number of breaches of the Data Protection Act reported to the Information Commissioner’s Office represents only a tiny proportion of the actual such incidents occurring across the UK.

I can’t say that I’m in the least bit surprised by that.

Data pulled from Freedom of Information (FOI) requests showed there were at least 13,000 thefts (a figure obtained from just 18 of the UK’s police forces) of devices potentially containing sensitive business data between March 2014 and March 2015.

Interestingly, however, the ICO was only informed of 1,089 breaches, meaning potentially thousands of cases went unreported.

Lock them up and throw away the key?

Nah, can’t do that – the Data Protection Act, as things stand, has no provision for dealing with the non-reporting of breaches, meaning we have no way of knowing what may or may not have been stolen, how many people may have been impacted or what, if any, action was taken after the devices were stolen.

Chris McIntosh, CEO, ViaSat UK, said:

We must remember that 13,000 thefts is the bare minimum: considering that not all police forces could share this information, the real figure is likely to be many times greater. As a result, thousands of individuals’ private data could well be on borrowed time.

ViaSat noted that the vast majority of the breaches that were reported to the ICO were made by public sector organisations – primarily the healthcare sector (431) and local government (129) – and very few came from the private business arena.

While statistics can tell you everything – or nothing at all – there is a suspicion that the small number of reported breaches in the private sector could signify that it is seriously under-reporting the number it encounters.

McIntosh continued:

It’s clear that this discrepancy isn’t due to the ICO but the framework it has to operate in. As it stands, the ICO simply doesn’t have the tools and powers it needs to ensure that either all threats are reported, or that risk is minimised. For instance, encrypting sensitive data is now a trivial matter in terms of both cost and complexity. If encryption of personal data was made mandatory, and enforced with spot checks and suitable punishments, then the public and the ICO could have much greater confidence [are you listening Mr Cameron?] that none of the 13,000-plus stolen devices represent a threat.

Earlier this week we saw another Freedom of Information request, this time by Egress directly to the Information Commissioner’s Office, which revealed how the number of Data Protection Act breach investigations in the banking industry had risen by 183% over the last two years. Just out of interest, an FOI request made by Egress in November 2014 showed 93% of all breaches across all sectors were caused by human error – food for thought, eh?

So, what is the solution?

McIntosh said:

The ICO’s role is to encourage best practice in data protection. While it is clear that its financial penalties are aimed at this goal, it still needs more legal and financial muscle to drive its goals. While compulsory reporting of every single potential breach could be difficult to enforce, inevitably it would give the ICO a clearer view of the problem and allow it to better mandate best practice. However, in the meantime compulsory encryption, and the power to police it, is the absolute minimum that the ICO should be granted.

Compulsory reporting, eh? What do you think? Do we need a strict and enforced policy of potential breach reporting or does the answer lie elsewhere?

Given the high levels of human fallibility that often go hand in hand with breaches, I’d suggest that legal frameworks aren’t the only answer and that, in fact, businesses should be far more concerned about preventing breaches than dealing with the aftermath when one does occur (though it does of course go without saying that an incident response plan and compliance with industry regs and legislation are essential).

Fight for Kisses – Lessons for Infosec

A friend emailed me a link to the video below. It is a very amusing advert for a gents’ shaving product highlighting how babies can monopolise their mother’s affections, at the cost of the father.
Of course, being in information security, I could not help but look at the video from the infosec viewpoint, and it made me think how companies can often be like the father in the video.

  • Just like the father who thought he was the centre of his partner’s world, companies often become lax in their security, thinking everything is fine and that “it won’t happen to them”.
  • Often the event that “won’t happen to them” materialises from a trusted insider.
  • It can take time to respond effectively to an incident.
  • Sometimes to deal with the threat you are facing you have to look for new and innovative means.  Often the solution may also be something simple.
  • You cannot become complacent as the threat may materialise again and this time it may be different, stronger or more effective.

More Details of Heartland's Breach Emerge

More details are available as to how the breach occurred at Heartland, resulting in potentially the biggest breach ever, of nearly 100m credit card transactions. Investigators discovered that a piece of malware was hidden in an unallocated portion of disk on one of the Heartland servers.

What puzzles me though is:

  • How did a user have the rights to install the malware on the system? Was it an administrator that was duped into loading the malware?
  • Why did the monitoring of the logs on the servers not detect any strange behaviour?
  • Where was the pilfered data being sent to? If external to Heartland’s network, surely egress filtering or monitoring of outgoing traffic would have flagged the suspicious behaviour?

The CEO of Heartland has also said that if other payment processors who had previously suffered breaches had shared their experiences then maybe Heartland would have been better prepared to prevent this type of attack. It will be interesting to see if he lives up to his own statement and publishes details of this attack so others can learn from it.

Do take the time to read the article as it is a fascinating read into how the breach occurred.

Plane Security


At this stage you no doubt have heard about the miraculous emergency landing of the US Airways Flight 1549 in New York’s Hudson river.  Thanks to the skill, experience and bravery of the pilot and the crew, all 155 people on board managed to get out of the plane safely with relatively few injuries. 

So what has this got to do with Information Security, I hear you ask? As the story was breaking and I read the updates on the web and watched breaking news coverage on various TV channels, I was taken aback at how the pilot managed to do such a fantastic job. I then started to think: if we in the Information Security industry adopted the disciplines used in the aviation industry, would we have more secure systems?

When you look at it closely you can see that there are many similarities between the Information Security and the aviation industries:

  • Both are high tech by their nature.
  • The users of each industry understand very little of how the technology works, they just want it to do what it is supposed to do without putting them in danger.
  • While both industries use automation extensively, they still rely heavily on human intervention and guidance to ensure everything works as it should.
  • When there is a failure it can have significant impact, although aviation failures are by their nature more serious as they can result in human casualties.
  • Both industries attract a high number of ex-military personnel.  The pilot of Flight 1549 is an ex-fighter pilot and you cannot go to an information security conference without coming across ex-military or law enforcement personnel.

Yet with all these similarities, within Information Security we tend to see a much higher failure rate. So I began to think why this should be. The answer is really quite simple: discipline.

The aviation industry appears to me to be much more disciplined in every aspect. Within Information Security we have the mantra that security is successful only if the blessed trinity of People, Process and Technology are properly integrated. So let’s take a closer look at each of the elements in that trinity.


Aeroplanes themselves are highly designed with a lot of fail-safe systems built into them. Not only that, but they are regularly and rigorously maintained in line with recognised good practices. New models of airplanes are not rushed off the production line with known issues outstanding. Would you get on a plane that was pre-Service Pack 1?

Yet within IT we push new applications and systems into production environments without them being adequately tested and in many cases knowing that there are bugs in the systems.  The recent SANS/MITRE list of Top 25 Most Dangerous Programming Errors highlights this approach.

Airplanes are maintained on a very regular basis, during which the whole plane undergoes stringent safety testing. Changes to an airplane have to be made in accordance with regulations and strict safety guidelines. Contrast that to how IT systems are maintained, or indeed how changes to the IT environment are managed. Change Management offers one of the biggest returns for your money when it comes to ensuring the availability and security of your systems, yet very few organisations seem to do this properly, if at all.


Every member of the crew of an airplane must undergo strict training regimes before they are allowed onboard.  That training has to be regularly updated and retested.  What is more, the training is specific to the task that each crew member does.  A flight attendant for example is not qualified to fly a plane; pilots have to be specifically trained on the type of plane they will be flying and gain hours of flight experience before they are allowed to take to the skies.

Yet within IT we do not have the same rigour when it comes to those in charge of our critical systems. It is not uncommon for people to be in charge of systems that they have not received any formal training on, or indeed to be working (read that as winging it) with one vendor’s technology having been trained on that of a completely different vendor.

Each plane crew member is also trained in how to react in an emergency and can do so in an efficient and professional manner. Captain Chesley Sullenberger had the training and experience to react to the emergency on the plane and land it in the Hudson, while his crew had the training to safely evacuate the passengers. Captain Sullenberger then checked the plane twice himself to make sure it was clear of passengers and crew before getting off himself.

With regards to information security, many organisations do not have an incident response plan that is properly documented, regularly tested and with all staff properly trained in what they should do in the event of an incident. Too many times responses to incidents are haphazard, without any clear plan or roles and responsibilities identified. If your company were to suffer a catastrophic event such as that experienced by Flight 1549, would your team have the processes, procedures and training to ensure the event had minimal impact on your systems?

When looking at the users of both industries it appears to me that the aviation industry once again pips information security when it comes to security awareness. Most passengers are aware of what they are allowed to bring onto an airplane and will dutifully herd themselves like sheep as they wind their way past airport security to display their transparent plastic bag of small liquid containers. Passengers also know not to let others take their baggage or bring someone else’s bags onto the plane. In addition, every time a passenger gets on an airplane they are subjected to a compulsory security awareness lecture, i.e. the flight safety briefing, which in turn is backed up by easy to understand awareness material located in each seat.

Ever since the events of 9/11, passengers are more likely to report suspicious behaviour of a fellow passenger in case they are a terrorist and indeed will probably tackle someone who is behaving outside the acceptable norms. 

Contrast the passenger to the average IT user. How often do your IT users get regular security awareness lectures? How clear are your policies and procedures that people should follow? Are they as easily understood as the rule about not taking liquids onto a plane, or the airline safety leaflet? What are you doing to ensure users know not to click on attachments or links in emails, or insert that USB stick or CD they found into their computer? How confident are you that your users know not to share their login details with others, or how to recognise suspicious behaviour that may indicate their systems are infected or hacked?


Before take-off every person connected with preparing the plane before, during and after the flight has to complete a set of predefined checklists.  The ground crew ensure the plane is properly set up, the pilot logs his flight plan, checks his instruments and the plane, while the cabin crew ensures all equipment within the cabin is functioning as it should.  Everybody has to go through these checklists before the plane is allowed to take off.  Once the plane is in the air the systems are continuously monitored with everything recorded and logged to the airplane’s flight recorder, commonly known as the Black Box.  On the ground the airplane is also constantly monitored by air traffic control to ensure it reaches its destination safely.

Although the airline industry is very high tech, it still relies heavily on humans to check and double check everything to minimise the risk of anything going wrong.  It seems to me that the airline industry views technology as merely the tools of the trade but it is the human element that ensures everything runs smoothly.

The information security industry is also high tech but seems to rely much more on the technology element and overlooks the human.  Shinier tools and vendor promises of silver bullet technology seem to be what we rely on.  Checklists and formal procedures are more the exception than the norm. 

Another area we are very weak on in information security is monitoring. During a flight an airplane is constantly monitored, both by the onboard crew and air traffic control. Feedback from these systems is taken into account and adjustments made where necessary. Monitoring within the information security world is yet another area that many of us do not utilise properly. While we have excellent logging facilities available in our systems to record everything that happens in our environments, they are very rarely turned on, and if they are, it always appears that we do not record the information we need. Key metrics to help the business and management make necessary decisions are not measured. System logs are not properly monitored to create alerts in the event of suspicious activity being detected. How often have we seen IDS systems implemented and then turned off because of lack of proper configuration? How often do we hear about breaches that have occurred where, if the affected company had been monitoring their systems properly, they would have detected the attack much earlier?
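To make the two monitoring gaps raised above concrete (server logs that are collected but never watched, and the outbound traffic that egress monitoring should have flagged in the Heartland piece), here is an added example that is not part of the original posts. It runs two simple detections over constructed log data: a burst of failed logins from one source in an sshd-style auth log, and an unusually large outbound transfer to an external destination that is not on an approved list. The log format, the internal address ranges, the approved-destination list and the thresholds are all assumptions made for the example; in practice each organisation tunes these to its own environment.

```python
"""Two minimal log-monitoring detections (added example, not the blog's code).
Everything below runs on constructed sample data; the formats and thresholds
are assumptions for illustration, not a reference implementation."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sshd-style auth log lines (not real data). 203.0.113.9 fails five
# times in six seconds and then succeeds; 10.0.0.7 is ordinary user activity.
AUTH_LOG = """\
Jan 15 10:00:01 db01 sshd[2201]: Failed password for root from 203.0.113.9 port 51234 ssh2
Jan 15 10:00:03 db01 sshd[2203]: Failed password for root from 203.0.113.9 port 51236 ssh2
Jan 15 10:00:04 db01 sshd[2205]: Failed password for admin from 203.0.113.9 port 51238 ssh2
Jan 15 10:00:06 db01 sshd[2207]: Failed password for root from 203.0.113.9 port 51240 ssh2
Jan 15 10:00:07 db01 sshd[2209]: Failed password for oracle from 203.0.113.9 port 51242 ssh2
Jan 15 10:00:09 db01 sshd[2211]: Accepted password for root from 203.0.113.9 port 51244 ssh2
Jan 15 10:05:00 db01 sshd[2300]: Failed password for alice from 10.0.0.7 port 40000 ssh2
Jan 15 10:45:00 db01 sshd[2400]: Accepted publickey for alice from 10.0.0.7 port 40002 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_auth(text, year=2009):
    """Turn matching auth log lines into dicts; syslog lines carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # lines we do not understand are skipped, not treated as errors
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]})
    return events


def failed_login_bursts(text, threshold=5, window_s=60):
    """Alert when one source produces `threshold` failures inside `window_s` seconds.
    The alert also records whether that source then logged in successfully shortly after,
    which is the case an analyst most wants to see first."""
    by_src = defaultdict(list)
    for ev in parse_auth(text):
        by_src[ev["src"]].append(ev)
    window = timedelta(seconds=window_s)
    alerts = []
    for src, evs in by_src.items():
        fails = sorted(e["ts"] for e in evs if e["result"] == "Failed")
        for i in range(len(fails)):
            j = i
            while j < len(fails) and fails[j] - fails[i] <= window:  # sliding window
                j += 1
            if j - i >= threshold:
                end = fails[j - 1]
                success = any(e["result"] == "Accepted" and end <= e["ts"] <= end + window for e in evs)
                alerts.append({"src": src, "failures": j - i, "start": fails[i],
                               "followed_by_success": success})
                break  # one alert per source is enough here
    return alerts


# Assumed internal ranges and approved external destinations (e.g. a payment partner).
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_EXTERNAL = {"198.51.100.20"}

# Constructed flow records (src, dst, dport, bytes), as a flow collector might export.
FLOWS = [
    {"src": "10.0.0.5", "dst": "10.0.0.9", "dport": 1433, "bytes": 52_000_000},     # internal
    {"src": "10.0.0.5", "dst": "198.51.100.20", "dport": 443, "bytes": 1_200_000},  # approved
    {"src": "10.0.0.5", "dst": "192.0.2.77", "dport": 443, "bytes": 30_000_000},    # unknown
    {"src": "10.0.0.5", "dst": "192.0.2.77", "dport": 443, "bytes": 25_000_000},    # unknown
    {"src": "10.0.0.12", "dst": "192.0.2.80", "dport": 80, "bytes": 4_000},         # small
]


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL)


def egress_anomalies(flows, approved=APPROVED_EXTERNAL, bytes_threshold=20_000_000):
    """Sum outbound bytes per (src, dst) to destinations that are neither internal nor
    approved, and alert on any pair above the threshold."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["dst"]) or f["dst"] in approved:
            continue
        totals[(f["src"], f["dst"])] += f["bytes"]
    return [{"src": s, "dst": d, "bytes": b} for (s, d), b in totals.items() if b > bytes_threshold]


if __name__ == "__main__":
    for a in failed_login_bursts(AUTH_LOG):
        print("AUTH ALERT", a)
    for a in egress_anomalies(FLOWS):
        print("EGRESS ALERT", a)
```

Both detections are deliberately plain so that the point is visible: the data needed to raise these alerts is already being written by the server and the network gear; what is usually missing is the discipline to collect it, define what "normal" looks like, and look at it.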

Time for Some Discipline

It has taken the airline industry a long time to get to where it is today.  Many hard lessons had to be learned from serious disasters to ensure they would not happen again.  But thanks to those efforts air travel is now the safest form of travel.  To get to this level required discipline, and lots of it.  So I think it is time that we as a profession and an industry raise the bar and instil a lot more discipline into how we do things.

We need to ensure that everyone, from developers, to infrastructure management, to information security professionals, to senior management and of course the users are more disciplined in what we do and how we approach protecting our data.  By disciplining ourselves to do some of the basic chores there are many quick wins that we can put in place that will raise the bar. 

  • Discipline yourself to review the checklists that you currently have and ensure that they cover all the key elements that should be checked daily, weekly, monthly, quarterly and yearly. Once you have those checklists in place, make sure the discipline is there to ensure they are completed when they should be.
  • With regards to information security policies you need to have the discipline to regularly review them, constantly monitor compliance with the policies and to deal with any non-compliance in a fair and consistent manner. 
  • Developers should have the discipline in place to check their code for common coding errors that could lead to a security breach, by reviewing the excellent information provided by OWASP and SANS.
  • You should ensure that those managing the network infrastructure are disciplined enough to regularly monitor key systems and ensure that everything is patched and configured in a secure manner.
  • Instil the discipline in your organisation to develop and implement, or review existing, change management and incident response processes and procedures. Once these are in place, make sure the discipline is there to regularly review and test them to ensure they operate as they should, and always look for ways to improve.

Discipline is a small word but if used correctly you can become a Captain Chesley Sullenberger of information security.

Estonian Government Releases Cyber Strategy Paper

The Estonian Government has released a strategy paper on enhancing cyber security. This is an interesting read as we can all learn from the lessons of the cyber attacks against Estonia last year. The report makes for interesting reading, and yet it is still sad to see that governments and many organisations only take computer security seriously after they have suffered a major attack.

Do you think this paper would have seen the light of day had Estonia not been the victim of a major Distributed Denial of Service attack last year? I also wonder how many government officials here in Ireland are working on a similar paper to defend the Irish Internet space?

A Tale from the Estonian CyberWar

Last year Estonia fell foul to a major DDoS attack that crippled much of that country’s Internet infrastructure, impacting online banking, government and media websites. I posted about this particular attack in the post “Botnets – Digital Weapons of Mass Destruction?” Gadi Evron, who was involved in helping Estonia defend against these attacks, has published an article on the attacks. Entitled “Battling Botnets and Online Mobs – Estonia’s Defense Efforts during the Internet War”, the article gives a good background into why the attacks happened, the impact they had on Estonia and also how Estonia defended against the attacks.

The Estonian CERT comes into focus a lot as their efforts ensured the attacks were dealt with as effectively as possible.  The key to their success was the ability to work with other CERTs, such as those in Germany, Finland and Slovenia. 

Reading the article I could not help wonder how would we as a country fare if we were to be victims of a mass cyber attack on the scale that happened against Estonia?  We do not have a CERT team to help coordinate any responses either nationally or internationally.  I have spoken on this issue many times in the past and feel quite strongly that a CERT is fast becoming a necessity for us to have in order to ensure our growth as a knowledge economy and to protect our Internet infrastructure.

Gadi’s article makes for an interesting non-technical read.  While reading it though think how would Ireland cope with a similar attack and let me know how you think we would fare.

Protecting Your Online Reputation

An interesting series of posts on how to deal with negative publicity from the online community has just started today on Damien’s Blog.  Today’s post offers an interesting insight into how to deal with negative postings about your company from bloggers.  While focused on the customer service side of things regarding this issue, I think the points outlined by Damien are relevant to how we protect the reputation of our organisations.  After all reputation risk is something that we should factor into our thinking and our risk management plans.  The post also points out some useful ways to monitor your reputation online.


Lessons Learnt from the IBTS Information Security Incident

As discussed last month, the Irish Blood Transfusion Board suffered a security incident whereby a CD containing encrypted information on blood donors was stolen in New York City. This was the first major publicly reported data loss incident that we have seen in Ireland. As promised in earlier posts, now that the dust has settled I would like to highlight some of the key lessons learnt from this incident. Hopefully these lessons can be applied to your own situation to ensure that your next incident can be handled well.

Lesson 1 – Know Where Your Data Is.
Careful thought went into the process of sending the CD to New York in the first place and it was evident that the IBTS clearly knew what data was on the lost CD and who it impacted.  When the CD was lost the IBTS knew exactly the potential impact of the loss.

If you do not know where your data is then you will spend a lot of time in your incident handling trying to determine what the impact of the incident is, time better spent dealing with the actual incident itself. Remember that in an incident time can be your biggest enemy, and it is a very finite resource, so spend it wisely.
