TalkTalk: the British Entry for Breach of the Year 2015

Phil Muncaster takes a look at what really happened at the ISP, and what lessons can be learned from its handling of the incident

Everything’s always ‘bigger and better’ in the US, or at least that’s what they say. Unfortunately for federal employees and American consumers, this also means data breaches that have hit tens of millions over the past year.

In dear old Blighty we don’t seem to be able to compete. The breach that has captured most of the headlines over the past few months has been the attack on TalkTalk. But despite the relatively paltry amount of customers affected, this one’s worth taking a closer look at.

How can a firm the size of TalkTalk have been successfully attacked via what appears to be a relatively basic security flaw? Why weren’t its incident response and crisis comms up to speed? How can we all avoid following in its sullied footsteps?

The story so far

On 21 October 2015 the TalkTalk website mysteriously went down for users, with the firm claiming it was facing ‘technical issues’ which its engineers were ‘working hard to fix’. The following day the firm released a longer statement and began informing all of its approximately four million customers that it had been the victim of a cyber-attack – the third in the space of a year.

Its initial notice had the following: “Today (Thursday 22nd October), a criminal investigation was launched by the Metropolitan Police Cyber Crime Unit following a significant and sustained cyber-attack on our website yesterday.

“That investigation is ongoing, but unfortunately there is a chance that some of the following data has been compromised: names, addresses, date of birth, phone numbers, email addresses, TalkTalk account information, credit card details and/or bank details. We are continuing to work with leading cybercrime specialists and the Metropolitan Police to establish exactly what happened and the extent of any information accessed.”

The next day, CEO Dido Harding told the BBC that the firm had received a ransom email purporting to come from the hacker(s). It subsequently emerged over the weekend that the attack was against its website and related databases rather than “core systems.”

As a result, only incomplete card data – if any – had been stolen, although bank account numbers and sort codes were taken. A hacker couldn’t use these to access user accounts, but they could certainly be employed to good effect in follow-up phishing attacks. On Monday 26 October, TalkTalk said it would waive account termination fees only on a case-by-case basis if users had money stolen from their bank accounts as a direct result of the attack, causing anger among customers.

It took the firm over a week to finally admit the true scale of the attack. Just 156,959 customers (4%) have had sensitive data exposed. Of these, 15,656 bank account numbers and sort codes were accessed and 28,000 ‘obscured’ card details were taken. Other exposed details include name, address, date of birth, telephone number and email address, but the firm said TalkTalk account passwords were not taken.

The police arrested one 15-year-old from Northern Ireland, two 16-year-olds (from London and Norwich) and a 20-year-old Staffordshire man in connection with the attacks and bailed them until March 2016 on suspicion of Computer Misuse Act offenses. At the time of writing an 18-year-old from Llanelli had also been cuffed on suspicion of blackmail.

How did the attackers get in? Initial statements from the firm suggested a DDoS attack was to blame, but of course this couldn’t have been responsible for the theft of personal information. CEO Harding then told the FT that a “sequential attack” was responsible – presumably referring to a SQL injection, an extremely common web vulnerability.

Tom Williams, lead investigative consultant at UK consultancy Context Information Security, believes “some kids loosely linked to a hacktivist collective” went looking speculatively for vulnerabilities in TalkTalk’s website. Then they shared their findings with others. It was at this point that the information found its way to someone who tried to monetize the flaw via the SQLi attack and DDoS – the latter probably used as a “smokescreen” to distract TalkTalk’s IT security staff. Talk of the attack being carried out by Islamic State hackers is likely to be a red herring spread by the real perpetrators, he tells Infosecurity.
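The “sequential attack” mentioned above and the speculative vulnerability hunting Williams describes both come down to the same basic flaw: a web form whose input is pasted straight into a database query. The snippet below is an added illustration, not TalkTalk’s code or anything recovered from the incident; the customer table, column names and sample rows are constructed, and it uses SQLite purely so it runs offline. It puts the vulnerable pattern beside the parameterized fix and adds the kind of sanity check a defender can bolt onto a per-customer lookup.

```python
import sqlite3

# Constructed sample data standing in for a customer-facing site's backend.
# The schema and rows are invented for this example.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "Alice", "12-34-56", "00112233"),
    ("bob@example.com", "Bob", "65-43-21", "99887766"),
]

# Classic injection payload: closes the string literal and adds a tautology.
INJECTED_INPUT = "x' OR '1'='1"


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (email TEXT, name TEXT, sort_code TEXT, account_no TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """Vulnerable: user input is spliced into the SQL text, so the input can
    change the structure of the query rather than just the value compared."""
    sql = "SELECT name, sort_code, account_no FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Hardened: the value is bound as a parameter and is never parsed as SQL,
    so the same payload only matches an email literally equal to it."""
    sql = "SELECT name, sort_code, account_no FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def guarded_lookup(conn, email):
    """Defensive check layered on top: a single-customer lookup should never
    return more than one row. Raising here turns a silent mass disclosure
    into a loud, loggable error even if the query itself were still flawed."""
    rows = lookup_vulnerable(conn, email)
    if len(rows) > 1:
        raise ValueError(f"lookup for {email!r} returned {len(rows)} rows; possible injection")
    return rows


def demo():
    """Run the injected input through both lookups and return the results."""
    conn = build_db()
    return {
        "vulnerable": lookup_vulnerable(conn, INJECTED_INPUT),
        "parameterized": lookup_parameterized(conn, INJECTED_INPUT),
        "legit": lookup_parameterized(conn, "alice@example.com"),
    }


if __name__ == "__main__":
    results = demo()
    print("vulnerable query returned", len(results["vulnerable"]), "rows")
    print("parameterized query returned", len(results["parameterized"]), "rows")
    try:
        guarded_lookup(build_db(), INJECTED_INPUT)
    except ValueError as exc:
        print("guard fired:", exc)
```

The vulnerable version returns every customer’s sort code and account number for the injected input, which is the shape of the data TalkTalk later confirmed was taken; the parameterized version returns nothing for the same input while still serving a genuine email address. The row-count guard is no substitute for parameterized queries, but it is the sort of cheap, noisy control that would have made a bulk extraction hard to miss in application logs.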

Unhappy customers

TalkTalk admitted in its financials for the first half of the year that it would have to pay a one-off £35m bill in the aftermath of the attack, to be allocated to things like incident response, external consulting and increasing call volumes. A harder-to-quantify hit will be how many customers leave after their current contracts expire, and how many more potential customers the firm has lost because of the incident.

Although TalkTalk has also claimed on more than one occasion “we want to make customers aware that we will not call or otherwise contact them regarding this incident and ask for bank details or other financial or personal information,” customers appear to have been taken in by follow-up scams. Reports emerged that customers are being vished, spammed and phished. For Williams, this could all have been prevented by encrypting customers’ personally identifiable information.

“TalkTalk has said data wasn’t encrypted because there was no legal requirement,” he argues. “But this is an example of when compliance sometimes gets in the way of security – we might do what we need to tick the box but it’s not necessarily the best for security.”

The firm has tried to limit the PR damage by claiming to offer a “free reporting and blocking service for nuisance and malicious calls” and said it constantly reviews incoming calls “to identify and block malicious callers in a similar way to blocking spam emails.” But for Williams both the SQL injection and the smokescreen DDoS – if they were indeed used in the attack – should in the first place “have been preventable for an organization of TalkTalk’s stature.”

Interestingly, some of the key security steps which should have spotted and prevented a SQLi attack had apparently already been put in place by the end of FY 2015, according to an end-of-year report by the telco. It claimed: “In FY15, key initiatives including the encryption of hardware and removable media, a data loss prevention solution, vulnerability scanning and penetration testing have been completed.

“A new Head of Security has also been appointed to establish and oversee the new Security Operations Centre, the activities of which have been outsourced to cybersecurity experts BAE systems.”

Lesson learned?

TalkTalk hasn’t just come under fire for its questionable security practices; its incident response has also been criticized for being too reactive and muddled, and for not taking enough time to educate the customer. New Quocirca research of 100 UK IT leaders found just half (49%) had a breach response plan in place, despite the fact that 38% claimed a breach was “inevitable.” This kind of attitude may explain the firm’s poor handling of the incident.

“It’s something that’s easier said than done in an extremely competitive industry because security is an additional cost,” says Williams. “But they needed more robust incident response procedures – not just in dealing with it from a technical perspective but also from a comms aspect.”

Rolf von Roessing, former international vice president of ISACA, argues that caution is often the best policy with regards to issuing public statements. “Communicating too quickly can cause some confusion with regard to the actual root cause and the consequences of the attack,” he says. “To help ensure an effective response to an attack, ISACA’s Cybersecurity Nexus (CSX) recommends that organizations have a strong mix of technical controls, cybersecurity education and awareness programs, well-tested incident response plans, and a skilled cyber workforce in place.”


Quocirca analyst Bob Tarzey is more forgiving of the firm. “Credit where it’s due they did put Harding in front of the media pretty sharpish – the problem is she wasn’t well enough briefed,” he tells Infosecurity.

TalkTalk has offered an upgrade to all customers, which could include unlimited calls, TV content and a mobile SIM. It has also offered 12 months’ free credit monitoring with Noddle. But many have argued this is simply too little to save its reputation, which has already been tarnished by its enforcement of strict rules preventing customers from exiting contracts early.

In fact, Hogan Lovells partner Peter Watts believes there could still be some tricky legal waters for the ISP to cross. “For a customer of TalkTalk, the first thing to think about is whether the business has done everything it should have done to keep data safe. If not, the consumer will probably have a claim for any money they lose and may well also have a right to terminate their contract if they want to – limitations of liability in the contract are unlikely to protect the business,” he tells Infosecurity.

“The problem for the consumer of course is that it is very difficult to be sure that the business hasn't had the proper security measures in place.”

Despite customer anger, the firm’s shareholders have reacted pretty favorably to its handling of the incident. In fact, shares rose 12% after its 1H financials were released.

So what can we learn? TalkTalk’s shareholders might be happy, but its reputation following the incident will certainly suffer. Prevention is always cheaper and less painful than the cure when it comes to cyber-security. Firms need to concentrate on getting the basics right: pen testing, finding and remediating any vulnerabilities, encrypting data and so on. They might not all be legally required but they could reduce the chances of a successful breach.

The new European General Data Protection Regulation will require mandatory breach notification and large fines of potentially 2% of annual turnover or €1 million, which should concentrate minds.

For Williams, more info sharing could help firms. “A lot of companies are buying tactical threat feeds but sometimes the best threat intelligence is learning from your own internal incidents and harnessing that,” he says. “And when you do go external, look for forums to join where you can learn from organizations in similar sectors. Every firm will at some point be a victim so the sharing experience is good.”

For Quocirca’s Tarzey, next-gen firewalls, context-aware security tools, encryption for sensitive data and DLP could be enough to ward off the cyber-criminals. “Criminals want as easy a life as possible – they’re rarely interested in singling out a specific organization, they just want to target the weakest,” he says. “So it doesn’t take an awful lot to get ahead of a weak pack.”
