Bluebox Broadband Breached – 3,000 customers see details published online

The dust hasn’t even settled on the TalkTalk breach and we are already seeing another TelCo compromised, this time in the form of Bluebox Broadband.

According to the BBC, the Northern Irish company was hacked into sometime before Thursday of last week and names, email addresses and phone numbers – but no financial details – were published on an unknown forum from which they have now apparently been removed.

The Police Service of Northern Ireland’s cyber-crime unit was promptly informed.

Scott McClelland, the firm’s managing director, said the personal data had been swiped from a server used to record online interest in Bluebox’s services, despite the fact that the company reportedly has strict data protection policies in place.

Whether that is correct or not will soon become apparent as the Information Commissioner’s Office has been made aware of the incident and is currently ‘making inquiries’.

Talking to the Beeb, McClelland, who said the firm became aware of the breach on Friday, added that:

At Bluebox we have always taken security very seriously and this incident is the first time anything like this has ever occurred in the 10 years since we began providing internet services.

While no significant customer information has been exposed, we will be working with independent experts to learn lessons and take all steps necessary to prevent anything like this happening in the future.

Bluebox says it has contacted all affected customers and apologised.

Hopefully it has also offered them some helpful advice, such as changing their passwords and ensuring they are not using the same login details for any other online accounts they may have (sadly, that does happen, and all too often).

And, while the limited amount of data that has been leaked is unlikely to pose any direct risks to Bluebox customers – it isn’t enough to commit identity theft, for instance – it may be sufficient to create targeted phishing emails, so I would advise anyone affected to be on their guard in the near future, and to think very carefully before clicking on any links that appear to be from the company.

Equally, I would also advise you to be on your guard against phone calls purporting to come from Bluebox – if you have any doubts as to the identity of the caller do not be afraid to hang up and then call the company back on an official phone number taken from a statement (preferably using a different phone as there are some scams in which a caller can stay on the line long after you hang up).

It is currently unknown who perpetrated this attack but, given the events surrounding TalkTalk, I would not be surprised if it was carried out by one or more younger people.


As for Bluebox, let’s hope its incident response plan is a little more… effective… than that demonstrated by TalkTalk – I don’t think Twitter could handle another Dido Harding episode!

Kids play as toy maker Vtech gets hacked

Just a few short weeks after mere children – allegedly – hacked TalkTalk, it’s the kids’ turn to be hacked.

Or a firm that caters to youngsters at any rate.

In a statement released late yesterday, Chinese toy and gadget company Vtech revealed how an unauthorised visitor accessed data stored in its Learning Lodge app store database on 14 November.

The Learning Lodge is a resource centre from which customers can download apps, ebooks, learning games and other educational content to be used with their Vtech products.

Oh, and it also stores names, physical addresses, email addresses, encrypted (no mention of whether that means hashed and salted) passwords, secret questions and answers (guess the previous observation is moot then) used to reset forgotten passwords, IP addresses and download histories.

Nice segregation of data there, eh?

There’s no word on how many customers have been affected but Motherboard suggests it could be north of 5 million parents and 200,000 children.


The only silver lining I can see right now is the fact that, according to Vtech, no credit card data has been compromised.


Motherboard says exposed child data is not that extensive – first name, gender and birthdays only – but by combining the parental data, it was quite possible to match each up with their parents, thus allowing full identification.

Even though the breach took place almost 2 weeks ago, the company was not aware of it until Motherboard approached it for comment, saying:

On November 14 [Hong Kong Time] an unauthorized party accessed VTech customer data on our Learning Lodge app store customer database. We were not aware of this unauthorized access until you alerted us.

And that, in my opinion, is pretty damning, given the fact that Troy Hunt’s HaveIBeenPwned lists this breach as the 4th largest ever consumer data breach.

Vtech breached

Vtech, which strangely says it is “committed to protecting our customer information and their privacy” had this to say about the attack:

Upon discovering the unauthorized access we immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against any further attacks.

Meanwhile, the alleged attacker behind the breach told Motherboard that he had no plans to release the data which he says was acquired through… SQL injection.

One of those two statements is shocking – I’ll let you decide which one is the bigger surprise!

Hopefully, the fact that two major firms have apparently been breached via an ancient attack vector will be a wake-up call to, well, everyone else – if someone can gain access to your customers’ personal information via SQL injection, something is very, very wrong with your security setup!

TalkTalk hack ‘only’ affected 157,000 customers

Things at TalkTalk are bad. Real bad. But not quite as bad as first thought.

I am of course referring to the news that ‘only’ 157,000 customer records were accessed during the recent breach, not the incident management/response which was just… bad.

According to figures published by the BBC earlier today, some 156,959 customers had their personal information accessed – which is a somewhat lower figure than the 4 million or so that was suggested when news of the hack first came to light.

Not all of those customers saw their financial details exposed though – the number of bank account numbers and sort codes swiped came in at a ‘mere’ 15,656.

TalkTalk said 28,000 credit and debit card numbers stolen during the attack were essentially useless to those behind the breach as they had been “obscured” and were therefore unable to be used to initiate any type of financial transaction.

The company said anyone whose financial info had been exposed had already been contacted, and other affected customers would hear from TalkTalk in short order.

Having previously confirmed that usernames, addresses, dates of birth, email addresses and telephone numbers had been swiped, the company confirmed that around 4% of its userbase had at least some sensitive data at risk.

In addition to all the bad publicity garnered since the attack, the BBC also revealed another blow for the company, stating that TalkTalk shares had lost around a third of their value since the initial attack on 21 October.

Whether that will be a long-term concern for the leadership of the telecoms firm is debatable – I cannot find the relevant tweet right now, but Neira Jones has previously said that stock prices often bounce back quite strongly once the news of a breach starts to recede from people’s memories.

Whether that will be the case with TalkTalk or not remains to be seen and, in my opinion, will largely be affected by CEO Dido Harding’s performances in the coming weeks.

Meanwhile four people aged between 15 and 20 remain on police bail, having been arrested under the Computer Misuse Act.

The alleged motives of the youngsters, who of course remain innocent unless proven otherwise, are still unclear, though the Daily Mail has today had a stab at adding some flesh to one hypothesis, saying that up to 25 fun-seeking hackers had their mitts on customer data in the wake of the attack.

Citing Channel 4 News, the online paper quoted one hacker who apparently said:

It was in a Skype group call…with a lot of laughing and making fun of TalkTalk.
There was no group, it was just a few friends laughing about a company with bad security. It’s fun for us.

Responding to the program, in which one hacker claimed to have been rebuffed by an uninterested TalkTalk when explaining its security issues, a spokesman for the company gave the stock post-breach response that the company was taking the issues very seriously before adding that it was co-operating fully with police.

The spokesman then sprinkled what I would describe as a pinch of scorn on the Channel 4 report by saying “the information included in this report has not been verified and is in some respects materially inaccurate.”

Has the Government Gateway been hacked?

Earlier this morning I read an interesting Financial Times article which detailed how stolen IDs were changing hands for around $30 (£20 / 27 Euros) on the dark web.

The main direction taken by the piece was to highlight how British companies, including TalkTalk of course, were struggling to protect their digital assets and, more importantly in my opinion, the personal details of their customers.

Highlighting how 600,000 British customers had their data swiped from UK companies in 2014, Defence and Security Editor Sam Jones cited Symantec research which suggests that 358 million identities were compromised worldwide last year.

Such figures truly are scary and definitely worthy of reporting, especially in conjunction with other news today which suggests the majority of scam victims in this country never recover a penny of their losses –

One of the UK’s biggest banks has said 70% of its customers who fall victim to a scam do not get a single penny back… From January to September this year almost 5,000 of the bank’s customers fell victim to various scams – at a total cost of more than £25m… The bank says the average cost of falling for a scam has gone up by 40% since 2014, to more than £13,000.

– but within the FT article is a startling claim that I, for one, was not previously aware of: the possibility that a key government database, used by HMRC and the Department for Work and Pensions, may have been hacked.

Government Gateway

Quoting “senior government officials,” Jones said “tens of thousands” of Brits’ identities were trading on the dark web. Nothing new there of course, but he went on to say that included within that figure were “thousands of detailed profiles stolen from the government’s own computer systems, with all the information necessary to completely seize control of an individual’s digital identity.”


The Government Gateway site has been breached?

When did that happen? When was it disclosed? Was I sleeping?

I don’t recall seeing anything about this at all, and a quick bit of Googling hasn’t revealed any further information either.

Hmmm… seems like a massive scoop and breaking news story in the making, especially given that Jones says the profiles hacked from the site are the “crown jewels” of ID theft (no wonder they’re apparently available for the much higher price of $75 (£59 / 81 Euros)) – which is probably no exaggeration given the type of information likely to be included in such records.

So that again begs the question: why is this not the news story of today?

Has this breach even occurred, has it slipped under the radar as the security community and media at large go to town on TalkTalk’s incident response plan, or is there an error in the original FT reporting?

I’d be very interested in hearing your thoughts on this – has anyone got any information they’d care to share?

Experian, Patreon, Kmart and David Jones breached

Another week, another breach.

Or two.


Or perhaps four?

In what must surely be a busy week for information security professionals hampered by a lack of suitable candidates entering the field, we have already seen four high profile breaches.

The biggest involved the hacking of Experian’s servers and the theft of information concerning 15 million people who applied for T-Mobile contracts in the US, which saw usernames, dates of birth, home addresses, encrypted social security numbers and more fall into the wrong hands. (Observation: only T-Mobile customers were affected, which suggests Experian is segregating customer data, which is good to see.)

Then there was the Patreon hack which led to a whopping 13.7GB of personal data being dumped online. While benefactors of the site that helps online creators and charities can probably breathe easy knowing that social security numbers and tax information were well encrypted, the fact that other personal details such as names and email addresses were leaked is probably not so welcome. Even more concerning may be the news that some messages were leaked in their entirety – something that may well be a cause of concern for some members.

Likewise, customers of Kmart Australia may also be feeling concerned right now after the company told its online customers that their accounts had been compromised by an “external privacy breach” which saw names, email addresses, delivery addresses, telephone numbers and purchase info disappear into the criminal underground.

And, finally, posh Aussie retailer David Jones has also been hacked via a vulnerability in its website. The company, which has declined to put a number on how many of its customers have been affected by the breach, says the usual data has been swiped – names, addresses, email addresses, etc. – but not credit card details.


That’s a whole lot of breaches for one week.


No-one saw unencrypted payment card data swiped… as far as we know.

So all’s well that ends well then?

No, not exactly.

Even though the most sensitive of data appears to be safe, customers affected by these four breaches still need to be very much on their guard as the information that has been taken could be used against them in phishing attacks, for identity theft, or for other malicious purposes.

While most people have a sufficient level of security awareness (if you don’t, October’s National Cyber Security Awareness Month is as good a time as any to check out the free resources offered by Securing The Human) to avoid falling for the most obvious of random scams that arrive in their inboxes, targeted emails (or phone calls) that include their real names and other private data can prove infinitely more successful when it comes to duping them.

So what can someone affected by these, or other, breaches do to lessen the risks posed by having their information in the wild?

Beyond being aware of what has happened and how that information could be used against them – which is a vital first step – other good practices should include the changing of passwords if any that have been compromised have been reused elsewhere, frequent checking of bank and credit card statements and, perhaps, the signing up to a credit checking agency, though perhaps not Experian, despite its offer of two years of free credit and identity monitoring?

Swatting comes to the UK as Mumsnet founder receives visit from armed boys in blue

If you thought SWATting – a situation in which armed law enforcement officers, such as those in American Special Weapons And Tactics teams, are drawn to an unsuspecting victim’s address by a hoax call – was a US thing, reserved for only the most well-known celebrities within the infosec profession, think again.

You don’t need to be Brian Krebs to find yourself on the wrong end of a gun.

Nor do you need to be living in the US it seems.


In a double-whammy reminiscent of Krebs’ experience, Justine Roberts found her hugely popular Mumsnet site knocked offline at around the same time armed officers from the Metropolitan Police paid her UK address a visit.

In the first incident, Roberts saw her 7.7 million member site crippled by a DDoS attack reportedly launched by whoever hides behind the now-suspended @DadSecurity Twitter account (if he or she thinks they can’t be caught because they are a hacker, they ought to think again).

In the second, Roberts herself received an unexpected visit from armed officers after someone dialled 999 and said a gunman had been spotted near her home.

Not content with attacks against both Mumsnet and its founder, the alleged attacker then went after another member.

In an email sent to members of the site, Roberts explained:

An armed response team turned up at my house last week in the middle of the night, after reports of an armed man prowling around.

A Mumsnet user who engaged with @DadSecurity on Twitter was warned to ‘prepare to be swatted by the best’ in a tweet that included a picture of a swat team, after which police arrived at her house in the middle of the night following a report of gunshots.

Needless to say, she and her young family were pretty shaken up.

Interestingly, Roberts told Mumsnet subscribers that home addresses were not likely to have been found via the site as “we don’t collect addresses”.

She also said she remained confident that passwords had not been accessed following the 11-12 August DDoS attack (they may well have been last year following Heartbleed though) but offered the following sound advice out as good measure:

DO reset your Mumsnet password
DO make passwords really strong to reduce the risk of them being guessed
DO check the URL of any login page to reduce risk of phishing
DO verify that https:// is being used on login pages
DO use social login to avoid typing passwords
DON’T give out information to any organisations without verifying they are who they say they are

Instead, it appears the hacker may well have acquired data by phishing for it via a fake login page which ultimately may have led to as many as 11 accounts becoming compromised.

So what can we learn from this story?

Several things it seems –

  1. Swatting has just become a ‘thing’ here in the UK
  2. Even a big site like Mumsnet – which has 14 million+ visitors per month – can be susceptible to a DDoS attack
  3. Phishing is still rife and people do fall for fake login pages
  4. A determined hacker will find a way to attack you or your site, even more so if you make it easy for them
  5. There are some pretty messed up people out there

What have you done to defend yourself, your website and your business from those who would do you harm, or at least put you in harm’s way?

No sophistication here: UK job recruitment network hacked, user’s info dumped on Pastebin

While many security pros and casual observers continue to read about the massive breach at Carphone Warehouse (as discussed on BBC radio by our very own Brian Honan — 7 mins in), which may have affected up to 2.4m of their customers, there is another potentially huge story bubbling away in the background.

The Employment Agents Movement (TEAM), the UK’s largest network of independent recruiters – no, I’ve never heard of them either – was apparently targeted over the weekend by a Saudi hacker.

Going by the name of JM511, the hacker appears to have broken with convention, completely tossing out the rulebook which says all major attacks must be sophisticated in order to be effective these days.

Instead, he (or she, we don’t know which) relied upon an old-school SQL injection to gain access to the network’s database at

Then, quelle surprise, he dumped all the information on Pastebin, revealing the usual data – names, email addresses, usernames, telephone numbers, that sort of thing.

Also, perhaps just as unsurprisingly, the hacker published a whole load of passwords. Fortunately, many are encrypted, but the ones that are not make for some interesting reading.

I’ve not had time to go through all 2,500+ records but a quick gander reveals that several recruiters need some help when it comes to creating a strong password. Not heeding common advice which suggests mixing letters, numbers and symbols, and definitely avoiding dictionary words, several opted to secure their accounts with the password “team”. I can only hope they haven’t reused such a weak password anywhere else online because, if they have, that would be very, very bad.


Other password blunders include recruiters securing their accounts with a password that matches their surname – and, yes, some of those surnames are only 4 letters long and are also common dictionary words.


Then there is a group of at least four recruiters from the same agency who have all used the same dictionary word to secure their respective accounts.


And a similar number from another agency who used two dictionary words together and stuck the number one on the end.
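The weaknesses described above – the TEAM dump of “encrypted” passwords sitting beside plaintext ones, and the Vtech passwords described only as “encrypted” with no word on hashing and salting – come down to the same question: how were the passwords stored? The following is an added example, not code or data from either breach or from this post. It assumes unsalted MD5 for the weak case (the post does not say what algorithm was used) and uses a constructed dump of five made-up accounts and a six-word wordlist. It shows why an unsalted hash dump gives away password reuse before a single hash is cracked, why one lookup table cracks every user at once, and how per-user salting with a slow KDF (PBKDF2 here) removes both shortcuts.

```python
import hashlib
import hmac
import os

# Constructed wordlist: stand-ins for the kinds of choices the post describes
# (a company name, a surname, two dictionary words plus a digit). Not real data.
WORDLIST = ["team", "smith", "password", "recruit", "hello", "redapple1"]


def unsalted_md5(password):
    """The weak scheme assumed for the demonstration: one global, fast hash."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed "dump": username -> unsalted hash. user5 has a long unique password.
CONSTRUCTED_DUMP = {
    "user1": unsalted_md5("team"),
    "user2": unsalted_md5("team"),
    "user3": unsalted_md5("smith"),
    "user4": unsalted_md5("redapple1"),
    "user5": unsalted_md5("Tr0ub4dor&3-long-unique"),
}


def shared_passwords(dump):
    """Identical unsalted hashes expose password sharing with zero cracking effort."""
    by_hash = {}
    for user, digest in dump.items():
        by_hash.setdefault(digest, []).append(user)
    return {digest: users for digest, users in by_hash.items() if len(users) > 1}


def crack_unsalted(dump, wordlist):
    """Hash each candidate once and look every user up in the same table."""
    table = {unsalted_md5(word): word for word in wordlist}
    return {user: table[digest] for user, digest in dump.items() if digest in table}


# Hardened scheme: random per-user salt plus a deliberately slow KDF.
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Returns 'salthex$dkhex'; salt is generated fresh unless supplied (for tests)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify_password(password, stored):
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), ITERATIONS)
    # constant-time comparison so verification itself does not leak via timing
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(dump, wordlist):
    """No shared table is possible: cost is users x words x ITERATIONS, per user."""
    found = {}
    for user, stored in dump.items():
        for word in wordlist:
            if verify_password(word, stored):
                found[user] = word
                break
    return found


if __name__ == "__main__":
    print("shared before cracking:", shared_passwords(CONSTRUCTED_DUMP))
    print("cracked (unsalted):", crack_unsalted(CONSTRUCTED_DUMP, WORDLIST))
    salted = {u: hash_password("team") for u in ("user1", "user2")}
    print("same password, different stored values:", salted["user1"] != salted["user2"])
```

Salting does not rescue a password of “team”; crack_salted still finds it, only more slowly and one user at a time. The point is that the hardened scheme makes the weakest accounts cost something to attack and stops the dump itself advertising which recruiters share a password.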


Normally at this point I would write something about how we could encourage such people to buy into their own security, by demonstrating how eradicating risky behaviour could help them, as well as the business they work for.

But it seems a bit too late for that so, instead, I’ll ask whether you have considered how your staff are approaching security. Do they lock their accounts down or make it easy for attackers to guess or otherwise compromise their login credentials?

If they need help or education, how will you provide it? Do you need security awareness training?

Once you’ve thought about that, you may wish to consider the fact that the TEAM website is still down today – “Under Maintenance,” so it says.

You may also want to consider the fact that JM511 has used his Twitter account to boast of other attacks against, and others, all using SQL injection.

You have protected your corporate databases from SQL injection attacks, right?

While you ponder that, I’ll be busy looking to see how many recently attacked sites have apologised so far – because we all like to know how companies take our security seriously, and sleep well at night when the breached tell us how they are beefing their defences up long after the horse has bolted.
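Both the TEAM dump above and the Vtech breach discussed earlier came down to the same ancient vector. The following is an added example, not code from this post, from TEAM or from Vtech, showing the defect and the fix side by side. It assumes a hypothetical recruiter login table in an in-memory SQLite database with two constructed accounts; the plaintext password column exists only to keep the injection demonstration short and is not a storage recommendation. The vulnerable function concatenates user input into the query, which lets a crafted username both bypass the password check and, with a UNION, dump every row; the parameterised version sends the same input as data and returns nothing.

```python
import sqlite3

# Constructed sample accounts for the demonstration; not data from any breach.
SAMPLE_USERS = [
    ("alice", "Pa55word!", "alice@example.invalid"),
    ("bob", "team", "bob@example.invalid"),
]


def make_db():
    """Fresh in-memory database with the hypothetical users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation: attacker input is parsed as SQL."""
    sql = ("SELECT username, email FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterised query: values are bound by the driver and never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Two classic payloads. The '--' starts a SQL comment, discarding the password clause.
BYPASS_USERNAME = "alice' --"
# The UNION appends a second SELECT with the same column count (2), so the
# password column is returned in place of the email column for every user.
DUMP_USERNAME = "x' UNION SELECT username, password FROM users --"


if __name__ == "__main__":
    conn = make_db()
    print("bypass:", login_vulnerable(conn, BYPASS_USERNAME, "wrong"))
    print("dump:  ", sorted(login_vulnerable(conn, DUMP_USERNAME, "")))
    print("safe:  ", login_safe(conn, BYPASS_USERNAME, "wrong"),
          login_safe(conn, DUMP_USERNAME, ""))
```

The UNION payload is the shape of attack that turns a login form into a database export: once the attacker knows the column count, any table the application account can read is one query away. Parameterisation fixes the class of bug rather than the one payload; input filtering alone does not.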

Hackers Penetrate Ashley Madison, Slip Out With Customer Data

Hackers have stolen personal information from online international infidelity site Ashley Madison.

The site, which encourages its members to cheat on their partners, boasts 37 million members, all of whom may be ruing the day they signed up with a service which says “Life is short. Have an affair”.

According to Brian Krebs, those responsible – known as The Impact Team – claim to have compromised… everything. That’s databases, financial records and other data.

Not only that, the group has also begun leaking some of that data on the web, including maps of internal servers, company bank account data and employees’ salary information.

Customer data appears to be safe for now but The Impact Team has threatened to dump everything it has if Avid Life Media, the company behind Ashley Madison, fails to close the site, along with another of its web properties, Established Men.

Should such a disclosure of personal information come to pass, the consequences for actual and wannabe cheating spouses could be severe – the data likely to be leaked apparently includes names and addresses, credit card transactions and secret sexual fantasies.

The Impact Team has taken this course of action, it says, because Avid Life Media allegedly lied about a service charge. Membership of the site is free, as is partial deletion of profiles, but a full delete costs $19 (around £12).

This service, the hackers say, has not been provided to those who have paid up. Instead, the group claims names, addresses and usage histories remain, even after the fee has been paid.

In a statement Avid Life Media Inc confirmed the breach, saying:

We were recently made aware of an attempt by an unauthorized party to gain access to our systems. We immediately launched a thorough investigation utilizing leading forensics experts and other security professionals to determine the origin, nature, and scope of this incident.

We apologize for this unprovoked and criminal intrusion into our customers’ information. The current business world has proven to be one in which no company’s online assets are safe from cyber-vandalism, with Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies.

We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world. As other companies have experienced, these security measures have unfortunately not prevented this attack to our system.

Avid Life Media says it has now successfully removed all hack-related posts and PII about its users by invoking the Digital Millennium Copyright Act. Investigation of the incident continues it says:

At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber–terrorism will be held responsible.

How good the security at Ashley Madison is, we do not know, but what is for sure is that data breaches are either becoming more frequent or are being reported far more often. We can also say that, whatever you think of the service the site provides, the attack is still an illegal action, however well-intentioned those behind it may perceive themselves to be.

The latest breach of an adult-orientated site comes two months after Adult Friend Finder suffered a similar fate and the advice for anyone potentially affected this time around is the same – be on your guard for an increase in spam email, identity theft, carefully crafted phishing emails and even potential blackmail attempts.

Hacking Team: 5 Tips For Recovering From The Alleged Breach

Hacking Team, an Italian company that helps governments spy on their own citizens, has apparently been hacked itself.

As the story is such big news today I’ll let you get the details elsewhere – Graham Cluley’s article is as good a place to start as any.

Brian Honan on the apparent Hacking Team breach

Instead, here are a few ideas for how the company can respond to the alleged incident:

1. Move quickly

If Hacking Team has indeed been breached then the speed with which they respond could be key to mitigating the effects.

We’ve already seen what appears to be torrents full of corporate data appear on the web and attract an undue amount of attention via social networks.

Given the sensitive nature of their business, and the even more sensitive makeup of their alleged client list, it would make sense to do whatever possible to limit any further exposure of the company’s corporate data.

Taking the website offline until it can be thoroughly checked for the point of entry – and fixed – could be a good starting point.

Hacking Team would also be well-advised to remember it has other public-facing assets on the web too, such as its Twitter accounts, which also appear to have been compromised. Taking those down, along with any other accounts on Facebook, Google or elsewhere, would also be prudent until fixes are made.

2. Get help

Normally sound advice to a small company would be to employ the services of a security professional following a breach. Their particular field of expertise could prove invaluable to an organisation whose main line of business lies outside the security field.

In the case of Hacking Team, we can only assume that some top talent is already on the payroll but, given the line they operate in, I’d imagine it has friends within some pretty interesting government departments.

Time to call in some favours?

3. Own it

Telling the world you take security seriously after a breach which demonstrated that you didn’t beforehand is an increasingly lame way of doing business. Given Hacking Team’s client list, that’s not an approach that will win it much repeat business should the hack claims be true – and let’s not forget that the internet is awash with nothing more than opinion right now; I’ve seen nothing to say a breach categorically did occur.

That said, if the claims are true, Hacking Team would be well advised to own up, at least to its customers, and start working towards building their trust again.

Denials and delays never helped anyone.

4. Disclose it

Disclosure is always important after a breach, either for regulatory reasons or simply to maintain goodwill with customers current and future. In this case, if a hack did occur, Hacking Team would likely be talking to clients who already know what’s gone on. Even so, working with the authorities seems like it’s a given.

5. Ensure it doesn’t happen again

This is the big one.

If the company has been hacked once there is every chance it could be targeted again, especially given the nature of its business.

While no-one likes to think about lightning striking once, there is a real danger it could strike twice. If that is a sentiment that applies to Hacking Team, it may wish to brush off its disaster recovery plan, check its security procedures and, depending on how the alleged attack was initiated, look into some staff security training.

Even more importantly, the company may need to employ some expert negotiators if it wishes to continue attracting nation-state contracts for its services.

So there are my thoughts – can you offer Hacking Team any extra tips for coping with the apparent hack it has experienced?

image credit: Reactions to the Hacking Team breach

UK Data Breaches Up, Infosec Spending Leveling Off, Awareness Still Key

A new UK government survey, conducted by PwC in association with Infosecurity Europe, has revealed some interesting findings about data breaches with the key takeaway being the fact that the number of breaches has increased year on year.


Reversing the small decrease seen in 2014, this year’s report shows that a whopping 90% of large organisations were breached in the previous 12 months (up from 81% last year). The report clearly highlights that it is not only large companies that need to be concerned though – some 74% of smaller firms were also breached (up from 60% in 2014).

number of breaches

While the actual number of breaches per organisation has dropped from 16 to 14 for larger companies and from 6 to 4 for smaller firms, 59% of respondents expect to see more security incidents next year, something that may be explained by a reported leveling out of security spending.

Even though the cost of breaches continues to soar – large organisations among the 650 responding companies reported average losses of £1.46m to £3.14m and smaller respondents quoted average figures of £75k to £311k – many respondents reported a slowdown in the growth of security budgets.


While expenditure was still expected to increase, by and large, fewer organisations were expecting to receive beefier budgets than the year before. Respondents from smaller firms were far more pessimistic than those from larger players, with only 7% expecting additional funding in 2016.

Given the reported slowdown in security spending, it seems likely that organisations will become increasingly interested in getting the best value from their expenditure and, based upon the views garnered by this survey, that may well be in the area of staff training and awareness.

We’re huge fans of both here at BH Consulting and firm believers in their usefulness to both employees and the business as a whole. It is therefore rather disappointing to note that the survey concludes the human element to be a particular area of concern, as it has been for many years now.


While the surveyed companies reported an increase in staff awareness programs they do not appear to have got their money’s worth from them with many still citing employees as the highest area of risk within their organisation, responsible for the vast majority of breaches and other security incidents.


Three quarters of large organisations said human error caused at least one breach, up from 58% last year, while almost a third of small companies blamed staff for the same, up from 22% in 2014.

While we can probably conclude that businesses are becoming increasingly aware of the dangers of being breached – incidents are making the news more than ever before – they are continually struggling to mitigate the risks, regardless of size.


While budgets and technical controls obviously come into play and affect an organisation’s ability to protect its digital assets, the human aspect still appears to be the area requiring the most work. Staff training and awareness programs are known to be effective but many companies do not appear to have leveraged them to their full potential.

You can read the full report here, or the executive summary here.