Cyber criminals hack TalkTalk, ransom demanded

TalkTalk Group – the telecommunications company hacked

A cyber attack launched through the company’s e-mail resulted in millions of accounts being stolen. The perpetrators have issued ransom demands to TalkTalk.

Yesterday a TalkTalk representative publicly stated that the company has experienced a massive cyber attack, which managed to penetrate its defenses and steal the private data of a yet-to-be-estimated number of accounts. Soon after, the company was approached by an unknown party demanding a sum of money as ransom for the stolen data. The spokeswoman refused to elaborate on the amount, because in her own words “everything else is a matter for the police”, but she did admit that she had been contacted by an individual or a group about the ransom.

This is not the first incident involving a TalkTalk cyber attack – it is actually the third this year, and Dido Harding publicly apologized to its customers and assured them that all three are “completely unrelated”. Unfortunately her reassurance did nothing to appease the worries of investors, and TalkTalk’s shares dropped over 10% overnight – likely due to worries about the financial impact of the news.

Cyber crime security appears to be falling behind hackers’ methods

TalkTalk’s problems are not an isolated case. Over the last two years a similar scandal has blown up every other month – one of the major ones being the Adult FriendFinder security breach, where experts were astounded that the data was not even encrypted. If you are wondering whether this is also the case with TalkTalk, here is the official response of Dido Harding on the matter, as she told it to the BBC.

“the awful truth is I don’t know” whether all the data was encrypted, adding: “With the benefit of hindsight, were we doing enough? Well, you’ve got to say that we weren’t and obviously we will be looking back and reviewing that extremely seriously.”

In the author’s humble opinion, a very underwhelming answer from a corporate representative whose company specializes in handling the private details of over 4 million customers. Well, at least she is honest about it and we are not going to see another cover-up.


Is there an Islamist or terrorist involvement in all of this?

The Metropolitan Police cyber crime unit has launched an investigation to follow up such a possible lead. A former detective from the division, Adrian Culley, was kind enough to share some of his insights via BBC Radio 4’s Today programme.

“It appears at face value to be Islamic cyber terrorism.” This claim cannot be verified outright, but at least some evidence does exist pointing in this direction. Shortly after the attack, a group calling themselves “TalkTalk Hackers” published what appears to be a short list of email addresses and social security numbers taken from the stolen accounts. This list was posted on the online platform Pastebin, which is favored by hackers for such public declarations due to its policy of anonymity. The manifesto included Islamist rhetoric to justify the attack. It basically said: “We will teach our children to use the web for Allah … your hands will be covered in blood … judgment day is soon.”

Of course, it is possible that all of this is hogwash and the hackers are using it as an attempt to send the investigation after a red herring. Unfortunately, the possibility of a real terrorist attack should be taken seriously. Here is a list of the things that the hackers may have acquired over the course of the attack:

  • Names.
  • Addresses.
  • Dates of birth.
  • Phone numbers.
  • Email addresses.
  • TalkTalk account information.
  • Credit card details and/or bank details.

With that much data the perpetrators know practically everything about the people whose data has been stolen, which could lead to phone harassment, further blackmail, theft and many other types of misuse.

TalkTalk is fully cooperating with the authorities to limit the damage

Scotland Yard has received all relevant data and there is an ongoing investigation into the matter – but unfortunately no arrests have been made yet. Banks have been asked to monitor the financial movements of affected people’s accounts, and it also appears that at least some of the data was encrypted and will be inaccessible to the hackers. Unfortunately the uncertainty remains.

The regulatory watchdog, the ICO, can impose a fine of up to £500,000 over lax security, but this sum could go higher if a detailed review finds that TalkTalk did not take sufficient action after the two previous breaches. As a precedent, the ICO fined Sony £200,000 over the lack of encryption of customer data in its PlayStation platform incident.

What truly matters in the end is that companies providing online services finally tighten their security, so we can once again feel safe online.