#TalkTalk: SQL Injection Possible Vector for ISP Breach


A few more details have emerged in the cyber-attack on one of the UK’s largest ISPs, TalkTalk.

TalkTalk, with around four million UK customers, now says that it was hit by a severe distributed denial-of-service (DDoS) attack that was a cover for a plot to access customer data, including profile information, credit-card details and passwords. The comms company has admitted that unauthorized access occurred; and that it has been asked for ransom.

A TalkTalk spokeswoman told media late Friday: "We can confirm we were contacted by someone claiming to be responsible and seeking payment."

The firm is under investigation by the Information Commissioner's Office over the breach, which is the third time the company has had customer data stolen.

As for what happened, security researchers have started looking into it.

“I have reviewed some of the data around the attack and my guess would be that the attackers used an SQL injection for at least part of the attack,” said Amichai Shulman, co-founder and CTO of Imperva, via email. “My advice to customers would be to keep a close eye for fraudulent activity on bank accounts and be particularly vigilant of phishing attacks. The theme that keeps repeating itself is that every time such a breach occurs, media outlets focus heavily on the stolen credit-card numbers; however, in practice, for the average person the theft of personal data is much more critical.”
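The article does not say how the suspected injection was carried out, and nothing below is TalkTalk's code or schema. The following is an added example, written for this page, showing the class of bug Shulman describes: a customer-profile lookup that splices user input into SQL text, beside the parameterized version that is immune to the same payloads. The table, rows, payloads and function names are all constructed for the illustration; it uses Python's built-in sqlite3 module so it runs offline.

```python
import sqlite3

# Constructed sample data for illustration only (not real customers or TalkTalk's schema).
SAMPLE_CUSTOMERS = [
    (1, "alice", "pw-alice", "alice@example.com", "4111111111111111"),
    (2, "bob", "pw-bob", "bob@example.com", "5500000000000004"),
    (3, "carol", "pw-carol", "carol@example.com", "340000000000009"),
]

# Two classic payloads. The first turns the WHERE clause into a tautology so every
# row matches; the second appends a UNION that pulls a different column set
# (here the password column) and comments out the trailing quote.
TAUTOLOGY_INJECTION = "' OR '1'='1"
UNION_INJECTION = "' UNION SELECT id, username, password, email FROM customers --"


def build_db():
    """Create an in-memory database holding the constructed customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, email TEXT, card_number TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_profile_vulnerable(conn, username):
    """Hypothetical vulnerable lookup: the username is interpolated into the SQL text,
    so quote characters in the input change the structure of the query."""
    sql = (
        "SELECT id, username, email, card_number FROM customers "
        f"WHERE username = '{username}'"
    )
    return conn.execute(sql).fetchall()


def lookup_profile_safe(conn, username):
    """Hardened lookup: the query text is fixed and the username travels as a bound
    parameter, so the driver treats it as data regardless of its contents."""
    sql = "SELECT id, username, email, card_number FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = build_db()
    print("normal lookup:      ", lookup_profile_vulnerable(conn, "alice"))
    print("tautology payload:  ", lookup_profile_vulnerable(conn, TAUTOLOGY_INJECTION))
    print("union payload:      ", lookup_profile_vulnerable(conn, UNION_INJECTION))
    print("same payload, safe: ", lookup_profile_safe(conn, TAUTOLOGY_INJECTION))
```

Run as a script, the vulnerable function returns one row for a legitimate username, every customer's profile and card number for the tautology payload, and every customer's password for the UNION payload; the parameterized function returns an empty result for both payloads because it searches for a customer literally named `' OR '1'='1`. The fix is not input filtering but keeping query structure and data separate, which is what bound parameters do.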

Stolen financial information, such as credit-card or bank-account details, has a limited lifespan: it is useful only until the victim changes the account details. The personal information that can be obtained from someone's account profile has a much broader use and can be turned to a far wider range of fraud and identity theft.

“The value of this personal data to the cybercriminal is much greater; for example, where the selling price for a single stolen credit card is around $1, if that card information is sold with a full identity profile that can dramatically increase up to $500,” explained Andy Heather, vice president, HP Data Security. “If the cyber-criminals know where the real value is then surely we should all expect responsible organizations to pay appropriate attention to keeping our personal information safe."

Tim Erlin, director of IT security and risk strategy at Tripwire, noted that this is why encrypting personal information, both at rest and in transit, needs to be a clear requirement.

“Even encryption isn’t a perfect solution to data theft,” he told Infosecurity. “The sensitive data we need to protect also needs to be used by various business systems. If those systems are compromised, the data can still be accessed by attackers. Companies need to secure the configurations of their systems as well as encrypt the data they use.”

This is the third time in 12 months, and the third time in 2015, that a data breach has affected TalkTalk customers. Customers were warned in March 2015 about scam mail messages after account names and numbers had been accessed, and in August 2015 TalkTalk’s mobile sales site, along with those of other UK firms, was caught up in an attack on one of its providers.

“The news that TalkTalk customers have once again been impacted by a data breach should be a wakeup call for all companies serving consumers and storing their personal data,” said Richard Parris, CEO at Intercede, in an emailed comment.

He added, “It really is time that these major businesses gave the issue the attention it deserves—they need to stop relying on simple password-based authentication and to start applying enterprise grade solutions. Protecting customers’ private data should be a top priority for any organization. Failure to demonstrate that adequate safeguards are in place will inevitably result in customers, and revenues, disappearing.”
