Updated: Analysing the TalkTalk customer database attack

Police are investigating a "significant and sustained cyber-attack" on TalkTalk as it emerges that the data may not have been encrypted and the site used a SHA-1 signed security certificate.

Details of four million customers copied in attack
Details of four million customers copied in attack

Around four million TalkTalk customer's personal information may have been accessed by hackers after a sustained attack on the firm's infrastructure. The company has confirmed that some of the data was  not encrypted.

The security breach was made public last night. The incident was said by the broadband provider to have started on Wednesday (21 October).

The attack led to parts of the website becoming inaccessible to customers, namely the sales system and “My Account” areas of the website where customers can order services and access their own account details. The firm's broadband, TV and mobile and landline phone services all remain unaffected.

The company said it expects to restore all services today.

Meanwhile, TalkTalk has received a ransom demand. A TalkTalk spokeswoman said: “We can confirm we were contacted by someone claiming to be responsible and seeking payment.” There is nothing to confirm that the author of the ransom note is the real hacker. The details have been passed to the police.

It has also emerged that the company has been using a certificate for accounts.talktalk.co.uk that is signed with a SHA-1 signature. This is according to the High-Tech Bridge website which hosts a free SSL server test.  

SHA-1 signatures are widely considered to be insecure. PCI DSS requires that certificates are signed with SHA-2 signatures. In the US, NIST also requires this. And the CA/Browser Forum governing body has ruled that no new SHA-1 certificates can be issued after the end of this year.

Google's Chrome browser already flags SHA-1 certificates when it finds them on HTTPS sites.

Speaking on Radio4 this morning, Dido Harding, group chief executive of phone and broadband provider TalkTalk confirmed that potentially all of its four million plus customers could be affected by a cyber-attack and data breach in which banking details and personal information could have been accessed.

Harding said that it was too early to know what data had been stolen, commenting: "Potentially it could affect all of our customers, which is why we are contacting them all by email and we will also write to them as well."

Asked whether the data had been encrypted, she told Radio 4's Today Programme that it was impossible to know what was encrypted and what was not out of the millions of customer records held by the company.

Meanwhile, experts have been analysing the attack on the TalkTalk site.

According to reports, the breach followed a DDoS attack on TalkTalk. It is thought that this attack was a distraction while hackers gained access to customer details.

In a statement released by the company, the firm said a criminal investigation by the Metropolitan Police Service has been launched to find out exactly what happened and whether personal information had been accessed.

“That investigation is ongoing, but unfortunately there is a chance that some of the following data has been compromised: names, addresses, date of birth, phone numbers, email addresses, TalkTalk account information, credit card details and/or bank details,” a spokesman for the company said in a statement emailed to SCMagazineUK.com.

“We are continuing to work with leading cyber crime specialists and the Metropolitan Police to establish exactly what happened and the extent of any information accessed.”

The firm admitted that not all of the data was encrypted.

“We constantly review and update our systems to make sure they are as secure as possible. We're working with the police and cyber security experts to understand what happened and protect as best we can against similar attacks in future,” it said in an FAQ on the website.

SC contacted TalkTalk to find out what data had been left unencrypted and why. We will update this article if and when we find out.

TalkTalk did not go into details on how hackers accessed their systems. “We believed our systems were as secure as they could be,” said the firm. "As soon as we realised the website was under attack, we pulled the website down in an effort to protect data."

TalkTalk said it was now in the process of contacting customers about the breach and will be offering them one year's free credit monitoring. It also advised them to change passwords and monitor bank statements for unusual activity on their accounts.

According to a BBC report, cyber-security consultant and former Scotland Yard detective Adrian Culley told BBC Radio 4's Today programme that a Russian Islamist group had claimed responsibility for the attack. This claim has yet to be verified.

The attack is the third to affect the company in a year after a breach in February and August this year. The latter breach also affected Carphone Warehouse customers.

Mark Rodbert, chief executive of Idax told SCMagazineUK.com that there was a real possibility that there could have been some sort of inside involvement.

“Unlike with Ashley Madison a few months back, the team at TalkTalk is suggesting that the breach is an external issue,” he said.

“Typically companies blame cyber-criminals in order to quickly take the blame and pressure off of themselves. For breaches to happen three times in one year though, I'd be surprised if there wasn't some sort of internal involvement either unwitting or deliberate. Companies prefer the idea of the evil genius hacker, to the trusted employee gone rogue,” he claimed.

Richard Cassidy, technical director EMEA at Alert Logic told SC that there are clearly questions in the case of this breach, as to what mechanisms were put in place to protect the data hackers came after.

“Perhaps too much focus was put on perimeter security and detection of threats, rather than focusing on better protecting what assets attackers would be coming after in the first place,” he said. “Fundamentally organisations need to start with an intrinsic understanding the anatomy of an attack as the first line of defence.”

Dave Palmer, director of technology at Darktrace, told SC that companies need to ask themselves if they would be capable of spotting the early signs of an attack like this one.

“Ultimately, it comes down to visibility. Most organisations are inevitably infiltrated to some extent. So if you lack an 'immune system' style approach of detecting early indicators, you can fall fast into the same debilitating situation as this one. This is another shot of reality, which should provoke companies to boost their own internal defences and minimise the risk of this kind of attack happening again,” he said.

Tony Neate, chief executive of Get Safe Online, told SC that the breach should encourage everyone to give their online behaviour an overhaul. “But as a TalkTalk customer, the first action should be to change any password which is the same as your TalkTalk account to something new and unpredictable. And never use the same passwords for all of your online accounts,” he said.

Darren White, vice president of EMEA at Agari, told SC that it is important that TalkTalk rebuilds customer trust.

“TalkTalk must choose one simple, easily communicated email address that's easy for customers to remember for post-breach communications. It also must be clear how the email will direct them to take action – but it must never ask them to click a link in the email,” he said.

“TalkTalk must also further introduce security controls and solutions that monitor for any authorised communications referencing its brand and ensure only authenticated emails from their brand reach their customers.”

He said that this plan must be communicated clearly to customers through the media and social channels, “including when and from which email address communications will come from, expectations for the content in the emails, and clarification of the action that needs to taken. Only by having an effective and secure post-breach email response plan can consumers regain trust in the brand”.

Meanwhile, a purported Jihadist group from Russia has claimed responsibility for the attack, publishing details and a statement at the Pastebin website.

A statement on PasteBin purporting to be from Jihadist hackers claimed credit for the hack. The statement (edited) says:

We Have adapted To The Security measures Of The Web,, We Cannot Be Stopped. We Have Made Our Tracks Untraceable Through Onion Routing, Encrypted Chat Messages, Private Key Emails, Hacked Servers. We Will Teach our Children To Use The Web For Allah.. Your Hands Will Be Covered In Blood.. Judgement Day Is Soon

WE Are In The Soviet Russia And Near Place, Your Europe, WE control Asia, We Control AMERICA

Yesterday SCMagazineUK.com reported that sources in Russia are warning of expected hacking attacks from non-government groups in Russia which planned to attack Western military and civil infrastructure.

Customers are advised to change their passwords and be wary of potential identity theft.