Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Weaver]

I may well be ignorant/naive but I don't understand why these companies don't do things properly so that hackers have absolutely no chance of getting in in the first place. (Unless of course it was an inside job.)

Every system I have been responsible for is secured to the absolute max, far above standard configuration, and is tested too.

Perhaps they are just hiring too many rubbish people so that the good people are diluted, drowned in compensating incompetence.

[AArdvark]

I may well be ignorant/naive but I don't understand why these companies don't do things properly so that hackers have absolutely no chance of getting in in the first place. (Unless of course it was an inside job.)

Every system I have been responsible for is secured to the absolute max, far above standard configuration, and is tested too.

Perhaps they are just hiring too many rubbish people so that the good people are diluted, drowned in compensating incompetence.

The problem is often that the people who know at the sharp end (as in 'IT') are out ranked by the people that sell.

The usual conversation is give me a system I can use 'Now' so I can start selling to customers and make money.
Any attempt to talk about security and 'Doing things right' gets stomped on from on high as delaying things and getting in the way.
The Sales people then get their way and the IT people are told to work around the 'Live' system BUT do not stop the Sales people from working.

Any further attempts from the brave few gets the standard "We make the money that pays your wages, so stop delaying things", usually to an Senior IT Manager who resents the comments and stomps down harder on his people to save his/her own neck.

When it all hits the fan is usually the point were the IT Division are suddenly seen as being 'in control' of their own domain.
The same IT Manager will be getting it in the neck for NOT doing the right thing.
The usual suspects/scapegoats, many levels below, will be blamed and fired.

Seen it and reported on it and it has been acknowledged and ignored because it would be too embarrassing to admit that is the way things really happened.
i.e. The real culprits are too senior to be seen to be in the wrong.

After the fuss has died down the Senior People usually are reassigned to another geographic area where the true facts can be ignored/re-written/lost in the mists of time. 

Recruit and/or promote as needed and start again. 

[broadstairs]

Just saw this in a post on the TT forum:-

I just phone up my bank to change my sort code and account number,  by opening up a new account with them.
The advisor advised me that the bank is not allowing talktalk  customers to change account at the  moment.
Talktalk  this morning have giving banks more details on what is going on.  She wasn't going to tell me any more, but she let it slip,  maybe she's a talktalk customer, that some officials thinks that the criminals might be still in talktalk system,  or have left a way in. In that case if we changed our account details, or password. If the criminals have still got access to their systems any changes we make they will know about.

I think the only way we can solve it is. If TalkTalk is close down and we go somewhere else,  possibly with the help of Ofcom!

There may not be a guarantee that Talk Talk will ever now be safe!  Sad to say

The fact that they have still not brought their main website back online seems to indicate there is a lot going on that has not been made public.

Stuart

[les-70]

  The reviews of Noddle  https://uk.trustpilot.com/review/noddle.co.uk have things in common with some reviews of TT !!!!  I find it extra worrying if that is the best offer TalkTalk can make to its customers.

[jid]

  The reviews of Noddle  https://uk.trustpilot.com/review/noddle.co.uk have things in common with some reviews of TT !!!!  I find it extra worrying if that is the best offer TalkTalk can make to its customers.

I'm glad it wasn't Experian, as I believe they were hacked recently with around 2 million customers data released?

[guest]

  The reviews of Noddle  https://uk.trustpilot.com/review/noddle.co.uk have things in common with some reviews of TT !!!!  I find it extra worrying if that is the best offer TalkTalk can make to its customers.

noddle.co.uk is Callcredit Information Group Ltd :

Our Mission

Callcredit Information Group unlocks value for businesses and consumers by the secure and innovative transformation of data into intelligence and insight, enabling transactions across multiple channels and markets.

I wouldn't hold out much hope of this lot being much more use than the proverbial chocolate teapot....

[sevenlayermuddle]

I wonder if TT have been paid finder's fees for all these millions of people they've introduced to Noddle?

[sorc]

I don't know why people just don't pay for the statutory credit reports. It's £2 a go but it's a one time thing, but you don't have to worry about trying to cancel CreditExpert at £10 a month or whatever (and their "credit score" feature is useless as it's just their interpretation, the UK doesn't have formalised scoring like the US does, each company has their own scoring criteria). At least you know the data isn't going through some third party who may have even laxer security standards than either TalkTalk or Experian

Though I suppose TT will be trying to give you a year of that sort of service anyway as part of the "compensation". If I was a TT customer I'd be happy with being let out of my contract first of all

[AArdvark]

... If I was a TT customer I'd be happy with being let out of my contract first of all

If you remember the interview TT are going to be 'dancing' around that one.
The advice to call CS, to make it an individual issue, hinges on you being able to prove you have been affected by the 'Hack'.
Until TT release more information they are not giving anyone the ammunition to leave, for Free, without some debate with TT.
I don't know if loss of service is enough, yet. (Someone who has access to T's & C's needs to get advice on this)
Proof of reckless loss of Data would be, of course, which is one of the reasons that TT are not releasing any specific information.
When more specific data is released or the hackers get bored waiting ... there will be a 'run for the door'. 

[Bowdon]

I found the interview with Dido Harding very frustrating to watch.

When I was in college many many years ago, I drifted between IT subjects and Business classes. I noticed immediately that there is a difference in mentality and priority between the two types of people.

Business people dont want to know the minoe details of things, especially it seems when it comes to IT systems. They tend to implement the cheapest solution until a problem happens.

I suspect, as already been suggested, that the IT people 'on the ground' would have been asking for more security but they was probably outranked by business people.

Time and time again I see and hear of IT people being seen as a lesser class of people in companies, when the reality is they are probably the biggest asset a company has.

Leaving details unencrypted in this day and age is unforgivable, and I wonder if there is a possible class action law suit in the future about it, as if a company performs under-par then its fallen below expected standards.

I'm not a big fan of these hackers, but one good thing they do is keep the security of companies in check. I don't believe these are 'Islamic' hackers. I've heard so many hackers in the past claim to be them, but they are just trolling.

The thing we found out from the xbox and playstation hacks was that sony only had one data centre, while xbox had 3 (or more?).

These companies need to stop cutting corners. I think this will be a reality check on how TT handle this. So far they haven't handled it at all well.

[AArdvark]

@Bowden Too True.
The issue is will anyone learn from this?
Past experience says NO!

A lot of posturing will take place from the ISP's who did not get hacked and noise about the security they have.
In reality little will change because when costing out of the changes and impact is made, someone will ask "Is it worth it ?" and ask if it can be done cheaper.
By time the final decision is made the changes will be mostly peripheral and will impact 'Business' as little as possible.
These sort of threats are always seen as 'unlikely to happen' & 'happen to someone else'.
I am not sure how many events of the 'TT sort' need to happen before we move off the 'unlikely' mark. 

There is a downside to doing what is right, unfortunately.
May be if we are lucky a few companies will learn and do something useful but it is more than likely even if they do they will keep quiet about it.
Anyone found to be doing any 'real' changes will get hit by negative press announcing  they are fixing things because their security is/was bad!!!
That is the 'Lose/Lose' problem that companies also have to navigate with our press 

[Weaver]

Again, my ignorance. Why does it cost any more to do things right than wrong? ( Answer: rubbish people are cheaper? )

Again, my ignorance and naïveté.

[broadstairs]

Been out today and on the radio on my way home the news reported that TT have said that complete credit/debit card numbers were NOT stored, only partial ones so they are now saying that is at least safer I guess.

Talking to a friend of mine (in his 80's I believe) nearly got caught out by the scammers about 10 weeks ago, they did pursuade him they were TT and to install some software but he smelled a rat later in the conversation when the asked him for his credit card details to do a refund and he refused, the guy on he phone said 'Oh well your PC is now hacked anyway' and hung up. Furtunately John turned off his PC and to it to a local PC guy he trusted who disinfected it and recovered his data.

Stuart

Edit: The TT community website now confirms that the card numbers were not stored in full on the system which were hacked, and that MyAccount passwords were not accessed they say although still rpudent to change them anyway.

[guest]

Copied from comments on El Reg :

As part of the "mitigation" for the breach, TT are offering people a year's free "credit alerts" if they sign up with Noddle. What they don't appear to be telling their customers is that Noddle partly finances its "free" basic service by targeting you with advertising (you will be provided with money saving offers and vouchers online) and encouraging you to participate in their "confidence rating" service which will direct you to products provided by carefully selected third party providers, including credit cards and loan products.

For a further fee, which isn't part of the TT deal, Noddle offers its Web Watch service which provides notification if your personal data is being traded or being sold fraudulently on the Internet, chat rooms, bulletin boards and file sharing sites. However use of this service involves the transfer of your information outside the European Economic Area [specifically, to the US].

I'm not sure this is the kind of "identity protection" TT's customers might have chosen for themselves. There does seem a possibility they may be exchanging TalkTalk for StalkStalk.

[AArdvark]

It is really down to TT users to organise themselves a little and let TT know the Noddle service is not good enough.
Signing up to a 'Ad financed' service that is going to waste even more of my time would annoy me no end.

I am sure I read something somewhere that seemed to imply TT may even make money off the customers it pushes noddle's way.
(A very large number of customers who are going to use your service, handed to you on a plate must be worth something. A percentage of them will sign up for the other services, if they know no better, and that is real money for noddle !!)

TT are being very cheapskate on this, considering it is their fault at the end of the day. 

[Not a TT Customer but this still makes me angry as it is a true reflection of what TT think of their Customers = 'Mugs and worth very little.']