TalkTalk on Thursday announced that it received a ransom demand following a cyberattack that may have compromised the credit card and bank details of millions of its customers.
The London Metropolitan Police Cyber Crime Unit has launched a criminal investigation, the company said.
The cyberbreach may have compromised customer data including names, addresses, birth dates, email addresses, account information, and credit card or bank details, TalkTalk added.
“TalkTalk constantly updates its systems to make sure they are as secure as possible against the rapidly evolving threat of cybercrime, impacting an increasing number of individuals and organizations,” CEO Dido Harding said.
“We take any threat to the security of our customers’ data extremely seriously, and we are taking all the necessary steps to understand what has happened here,” she said.
The company has begun contacting its customers as well as major banks to help monitor for suspicious activity on customer accounts, and it will provide for a year’s free credit monitoring for its customers.
The cyberattack is the third security breach the company has faced in the past 12 months, but TalkTalk has said it believed the three attacks were unrelated.
The latest attack is unique because, in addition to the compromised data, it received a ransom demand from someone claiming to be responsible for the attack seeking payment. It’s not clear if there is a connection between the ransom demand and the most recent breach.
“Reports indicate a [distributed denial-of-service] attack,” said Jim Purtilo, associate professor in the computer science department at the University of Maryland.
“It is not clear to me why this would necessarily be linked with an exploit that exfiltrated customer data, so possibly there is far more yet to come in this story,” he told TechNewsWorld.
“We can only speculate as to a connection — a distraction to what actual technical activity was going on, perhaps,” Purtilo added.
Not Exactly Business as Usual
“TalkTalk appears to have really fumbled both their security posture, by not encrypting customer data and not segmenting valuable data, and their response to the breach, by not having a policy for such an eventuality and not alerting authorities and customers sooner,” said Jon Lindsay of the University of California’s Institute on Global Conflict and Cooperation.
“There is no excuse for neglecting security anymore and no need for people to unplug if they demand that companies demonstrate a commitment to security,” Lindsay told TechNewsWorld. “But security is inconvenient and people like free stuff.”
What makes this breach stand out is the ransom component. These types of cybercrimes usually are directed at individuals, not larger entities.
“Untold thousands of individual consumers have, of course, suffered malware called ‘ransomware’ that locks up their computer with a threat of data destruction unless a payment is made,” the University of Maryland’s Purtilo explained.
“This is almost certainly not the case with TalkTalk, since reports indicate data has already been lifted, so sadly, there is no credible assurance anyone can make that a payment could remove the threat of further abuse of data,” he added.
There is also no way for the company to know that the demand came from whoever is responsible for the attack, warned Alan Webber, research director for national security and intelligence at IDC.
“Nor can you trust them, so I generally don’t support paying a ransom,” he told TechNewsWorld.
Response and Protection
“TalkTalk should respond in fairly standard manner to the breach,” said Webber.
This includes taking the network or databases offline if possible, evaluating the losses, working with law enforcement and the legal department, and then determining the access point or route in, including the possibility of an insider attack or social engineering, he explained.
From there, firms should conduct a lessons-learned exercise, re-examine employee training, and check for backups and logs to ensure that a future hack won’t take advantage of the same weaknesses.
However, such attacks don’t have to happen.
“The best steps for protecting corporate and consumer interests alike are ones which TalkTalk should have been taking before this exploit,” the University of Maryland’s Purtilo said.
Those steps include “structuring and encrypting data to diminish its value on the outside, architecting some separation between corporate assets and user-facing systems, discarding consumer data that no longer serve immediate business activities, reviewing practices for accessing data, careful monitoring of facilities, and independent audits,” he said.
“These are not especially difficult tasks, just ones that require your attention along the way to building out your business,” Purtilo added. “Security and privacy are ingredients you need to bake into your facilities cake, not icing you add on to it later.”