Darknet Diaries - Ep 4: Panic! at the TalkTalk Board Room
Episode Date: October 15, 2017
Mobile provider TalkTalk suffered a major breach in 2015. The CEO tried her best to keep angry customers calm and carry on. The UK government and Metropolitan Police investigate the breach. We get a rare glimpse of how the CEO handles the crisis.
Transcript
In general, the matter of the hack is one that is important to its customers and to the public for a great many reasons. Who was, at the time of the hack, responsible for security within the company that you run?
Yes, of course.
Before I just directly answer your question, Chairman,
could I just begin by apologising again to all of TalkTalk's customers
for the concern and the inevitable uncertainty that this event has caused all of them.
To answer your question directly, I am responsible and accountable for the security of the company.
I was at the time, and I am now.
But you're the Chief Executive, Dido Harding,
and who manages security in the organisation?
You can't do that, you're busy. You're running the company. Well, I actually do think that
cyber security is a board level issue.
So as the Chief Executive, I do
think it's appropriate that I'm
responsible for it and our board takes
it very seriously. People have to be responsible.
Indeed. And
if it's a criminal attack, it is entirely
possible that
none of them are responsible for the
attack. The question is,
was the company, and that's why I say it really does come back to the chief executive and the
board, was there sufficient oversight in terms of the security policies, the resourcing of the
technology team to implement those policies, and the knowledge and understanding of best practice?
It is a board level issue rather
than an individual level issue below. Companies have to stay safe 100% of the time and the cyber
criminals only have to get lucky once. And the way the digital world works, it's like all of
your potential cyber criminals worldwide all have access to the equivalent of a Kalashnikov and a
nuclear bomb because it's cut and paste and sitting in the dark web for free.
This is Darknet Diaries.
True stories from the dark side of the internet.
I'm Jack Rhysider.
This episode is sponsored by Delete Me.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive.
It's endless.
And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore.
Now I use the help of Delete.me. Delete.me is a subscription service that finds and removes
personal information from hundreds of data brokers' websites and continuously works to
keep it off. Data brokers hate them because Delete.me makes sure your personal profile
is no longer theirs to sell. I tried it and they immediately got busy scouring the internet for my
name and gave me reports on what they found.
And then they got busy deleting things.
It was great to have someone on my team when it comes to my privacy.
Take control of your data and keep your private life private by signing up for Delete Me.
Now at a special discount for Darknet Diaries listeners.
Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and use promo code darknet at checkout. The only way to
get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code darknet at checkout.
That's joindeleteme.com slash darknetdiaries. Use code darknet.
Support for this show comes from Black Hills Information Security. This is a company that... give them a call. I'm sure they can help. But the founder of the company, John Strand,
is a teacher, and he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration testing,
securing the cloud, breaching the cloud, digital forensics, and so much more. But get this,
the whole thing is pay what you can. Black Hills believes that great intro security classes do not
need to be expensive,
and they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills and showing them off to potential employers.
Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their
webcasts to get some world-class training. That's blackhillsinfosec.com. Blackhillsinfosec.com.
Carphone Warehouse is one of the largest mobile phone retail distributors in the UK.
In the US, the equivalent would be like a T-Mobile store or a Sprint mobile store.
Except Carphone Warehouse just sold phones and weren't affiliated to any mobile provider.
In 2003, that changed and they created a mobile carrier called TalkTalk.
Now Carphone Warehouse can both sell you the phone and the subscription plan for the service.
With this combination and the
boom of cell phone usage, the company grew rapidly. They were opening more stores and either putting
their competition out of business or buying them. In 2009, Carphone Warehouse bought a competing
mobile provider called Tiscali UK and merged them into the TalkTalk network. In less than a year,
Tiscali was rebranded to TalkTalk. This also included moving all Tiscali customers to TalkTalk
and moving any infrastructure under the TalkTalk domain.
In 2010, Carphone Warehouse decided to split TalkTalk off
and have it become its own company.
The executives believed this was the wise choice
to maximize profits in the current market conditions.
De-merging TalkTalk away from Carphone Warehouse was challenging, though.
Imagine trying to split the customer database from a single company into two companies. What
customers belong in which company? And which servers would stay with Carphone Warehouse?
And which servers would go off with TalkTalk? TalkTalk continued to grow rapidly by itself
as a mobile service provider in the UK. In 2014, they had almost 4 million customers.
And near the end of 2014,
numerous TalkTalk customers were getting strange phone calls.
Here's what one of those calls sounded like.
Oh, my name is Alina, okay?
Calling you from TalkTalk Internet Service Center,
your internet service provider, okay?
Okay, right, yes.
What can I do for you?
Yeah, the reason why I give you a call today dear okay is just to inform you that whenever you
are online at the same point of time we are receiving some kinds of here and
warning junk file from your server which indicates that your internet is used by
some different different IP address, some different people.
Are you aware about this problem?
No.
I do not believe you're calling me from TalkTalk, okay?
Sir, listen to me.
I have the whole information.
Your name, your address, your city, your postcode.
Okay, you tell me that then.
You tell me my name and my postcode.
And your TalkTalk account number, which is very important and very secret.
Okay, well, you tell me what my TalkTalk address is then, please.
Your address is 68 P.T. Bridge Road, okay?
Okay.
And, hello?
Yes, I'm speaking to you.
Yes.
And your city is South Glass?
Yeah.
Hello?
Yeah, I'm listening to you.
And your postcode is C for Charlie, A for France, B for Delta, U for Amalela.
Okay?
And your doctor's number, which is very important and very secure.
Your Chok Chok account number is 1002165.
This is your Chok Chok account number, which is very important and very secure.
Scam calls are common.
But what's really strange about this particular call is that the scammer knew all the customer's details. Those details that were listed were 100% correct, including the TalkTalk
account number. A few customers did get scammed by these calls and lost significant money.
Here's one of those victims. They showed me all kinds of stuff on the computer.
Oh, madam, it's lucky that we got hold of you because the computer is a couple of days away from blowing up, basically. So they're spending like an hour grooming you, talking
to you, befriending you. They're on your side. They're helping you out. The cunning part
of the plan was they got me to take the money out of the bank myself and pass it on. So
it doesn't count as a cybercrime. So I lost £5,200. I might as well have driven a car off the end of a pier.
And here's another victim.
We've lost £8,700.
Yes, they took one lot of £4,900
and a second lot of £3,800.
It all seemed so genuine.
And it's now got to the state that you don't know who to believe. I'm 82 and my husband's
83. We're not sleeping properly. And what's more, I don't know that I'll ever trust anybody again.
The scam worked like this. The caller would establish trust with the victim, convincing
them they're from TalkTalk and only someone from TalkTalk would have their account details. The victim would then be told to share their computer screen with
a caller, and the caller would then install malware on their system, and then have them log
into their bank account. And the caller would either steal money out of their bank account
directly, or show them a false balance on their bank account, where the balance was significantly
higher than expected. The scammer would tell the victim that TalkTalk accidentally overpaid them,
and they need to take this extra money out of their bank account,
withdraw it, go to MoneyGram or Western Union, and send it to the scammer.
Victims thought they were sending the money back to TalkTalk and doing the right thing.
All through September, October, and November of 2014,
TalkTalk customers complained about these scam calls.
Because of the volume of complaints that were being raised,
TalkTalk decided to look into it.
They did find something strange.
TalkTalk notified the Metropolitan Police and the ICO.
The ICO, or Information Commissioner's Office,
is UK's data protection authority.
As a side note, the US doesn't have
an official Data Protection Authority. The Federal Trade Commission handles some data breaches,
but in England and in most of Europe, there is an official body of government that only deals
with information privacy and protection. That is called the Data Protection Authority, and the ICO
is UK's Data Protection Authority. And they report directly to Parliament. Law requires that all telecoms must report security breaches to the ICO. So TalkTalk begins telling the ICO about
the potential data breach. Two months later, TalkTalk determines the extent of the data breach
and notifies its customers. What TalkTalk found is the breach didn't occur anywhere near their
headquarters in London. Instead, the theft occurred 4,000 miles away. To save millions of
dollars, TalkTalk outsourced their customer support reps to a company in India called Wipro.
The call centers that Wipro runs are massive. They have over 5,000 employees working in them.
TalkTalk hired Wipro and... We established a new center in Calcutta, and we ramped to over a thousand staff in just six months.
Thank you, Wipro. That's a clip from before the breach. It's a TalkTalk executive doing a
promotional video for Wipro. Each of the 1,000 Wipro customer support agents only had access
to a single TalkTalk user account at a time. But out of the 1,000 agents, there were 40 of these
people that had elevated
access. These may have been supervisors or managers. Their extra privileges allowed them
to do wildcard searches on the TalkTalk customer database. They could do a search for F star,
and this would get back all names starting with the letter F, but it would only show a maximum
of 500 results. Three rogue Wipro employees gained access to these privileged logins.
They began harvesting customer accounts out of the TalkTalk database, 500 records at a time.
The data on each account included a name, home address, phone number, and account number.
In total, 21,000 accounts were harvested out of the TalkTalk database.
The rogue Wipro employee would put what he had on a USB stick
and then go to a party where he knew people who worked as phone scammers
and he would give them the USB stick.
And the deal was this.
If the scammers were successful at conning people out of money,
the rogue Wipro employee would get a cut of it.
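The harvesting pattern described above, privileged agents running wildcard searches that return at most 500 rows and pulling records 500 at a time, is something a defender can look for in the CRM's own audit trail. The following Python is an added example, not code from the podcast or from TalkTalk or Wipro; the audit-log format, the agent ids, the sample lines and the alert thresholds are all constructed assumptions.

```python
"""Flag agents who appear to be bulk-harvesting customer records via
wildcard searches. Added example; the log format below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

ROW_CAP = 500  # assumed maximum rows a search returns, as described on the page

# Constructed sample audit lines: timestamp|agent|query|rows_returned.
# sup004 runs five wildcard searches in ten minutes, four of them hitting the cap.
SAMPLE_LOG = """\
2014-10-03T09:01:10|agent017|smith|1
2014-10-03T09:02:40|agent017|jones|1
2014-10-03T09:05:00|sup004|A*|500
2014-10-03T09:06:12|sup004|B*|500
2014-10-03T09:07:30|sup004|C*|500
2014-10-03T09:08:44|sup004|D*|412
2014-10-03T09:10:01|sup004|E*|500
2014-10-03T11:15:09|sup011|M*|500
2014-10-03T14:30:00|sup011|patel|1
"""


def parse_line(line):
    """Split one audit line into (timestamp, agent, query, rows)."""
    ts, agent, query, rows = line.split("|")
    return datetime.fromisoformat(ts), agent, query, int(rows)


def is_wildcard(query):
    """A query is a wildcard search if it uses a glob or SQL LIKE wildcard."""
    return "*" in query or "%" in query


def find_harvesters(log_text, window=timedelta(hours=1), min_capped=3, min_rows=1000):
    """Return {agent: stats} for every agent whose wildcard searches, within
    some `window`, either hit the row cap at least `min_capped` times or
    returned at least `min_rows` rows in total. Ordinary one-customer lookups
    are ignored, so a supervisor doing a few legitimate wildcard searches a
    day stays below the thresholds."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, agent, query, rows = parse_line(line)
        if is_wildcard(query):
            events[agent].append((ts, rows))

    flagged = {}
    for agent, evs in sorted(events.items()):
        evs.sort()
        best = None
        # Anchor a window at each wildcard query and keep the busiest one.
        for i, (t0, _) in enumerate(evs):
            win = [r for t, r in evs[i:] if t - t0 <= window]
            stats = {
                "wildcard_queries": len(win),
                "capped": sum(1 for r in win if r >= ROW_CAP),
                "rows": sum(win),
            }
            if best is None or stats["rows"] > best["rows"]:
                best = stats
        if best["capped"] >= min_capped or best["rows"] >= min_rows:
            flagged[agent] = best
    return flagged


if __name__ == "__main__":
    for agent, stats in find_harvesters(SAMPLE_LOG).items():
        print(f"ALERT {agent}: {stats}")
```

Tuning `window`, `min_capped` and `min_rows` to the real volume of legitimate supervisor searches is what separates a useful alert from noise; the numbers here are illustrative only.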
One of the big criticisms TalkTalk received from this breach
was the way they notified their customers.
TalkTalk detected this breach in November and notified the ICO then, but didn't notify their customers until February.
Customers who were scammed in December could have been notified, but they weren't.
With the help of an ombudsman, TalkTalk did reimburse some of the people who lost money to the scam.
But there were also customers who were unable to get TalkTalk to pay.
TalkTalk proceeded to tell their customers, at TalkTalk, we take our customers' security very
seriously, and we take numerous measures to help keep our customers safe. TalkTalk did begin
blocking nuisance calls and spam calls, and claimed to be one of the only telecoms that did block
these kind of calls. And they also ran public service ads such as this. If you're at all uncertain about a call, just hang up. Make yourself a cup of tea and take
some time to think. And finally, call back on your supplier's official number. That's it.
Three simple steps to beat the scammers. Months go by. It's now August 2015. And suddenly, three of Carphone Warehouse's websites
go down. The websites were OneStopPhoneShop.com, e2save.com, and mobiles.co.uk. These are popular
sites where visitors could purchase new cell phones. And the next day, Carphone Warehouse sent the following letter to its customers.
Quote, "...of your data extremely seriously, and we have put in place additional security measures to prevent further attacks. Nevertheless, we felt it was important to let you know as soon as possible.
To reduce the risk of fraudulent activity, we recommend you consider taking the following steps.
Notifying your bank and credit card company so they can monitor activity on your account.
You can check your credit rating and make sure no one has taken a loan out and credit in your name.
You can do this by visiting Experian or Equifax."
Carphone Warehouse then went on to say that 2.5 million customer records were taken from their database. The data in these accounts included customer name, home address, and
date of birth. And there were also 90,000 encrypted credit cards taken in this breach.
Out of those 2.5 million customer records, 480,000 of them were TalkTalk records.
The two companies were still in the process of demerging, and Carphone Warehouse still had
TalkTalk customer data. Because TalkTalk customers were impacted, they had to notify the ICO of the
breach. Two days before the website went down, Carphone Warehouse discovered their sites were
being hit by a, quote, sophisticated cyber attack, end quote. As soon as it was detected, they took the website down
to contain and fix the issue. There are no other details about what kind of attack this was,
or what was hit, or how it happened. The CEO of Carphone Warehouse, Seb Janes,
issued a written apology to its customers saying,
we take the security of customer data extremely seriously,
and we are very sorry that people have been affected by this.
...and working out the best way to record. But oh, so much more goes into making a podcast than that.
If you're thinking, what if I start my own business?
Don't be scared off, because with Shopify, you can make it a reality.
Shopify makes it simple to create your brand, open for business, and get your first sale.
Get your store online easily with thousands of customizable drag and drop templates.
And Shopify helps you manage your growing business.
Shipping, taxes, and payments are all visible from one dashboard,
allowing you to focus on the important stuff.
So what happens if you don't act now and someone beats you to the idea?
The best time to start your new business is now with Shopify.
Your first sale is closer than you think.
Established in 2025.
That has a nice ring to it, doesn't it?
Sign up for your $1 per month trial period at shopify.com slash darknet. Go to
shopify.com slash darknet and start selling with Shopify today. Shopify.com slash darknet.
Three months pass. It's now October 21st, 2015. It's a Wednesday.
On this day, the TalkTalk network starts running slow.
Some customers report inability to make calls and checking email is very slow.
Around lunchtime, the TalkTalk website goes down entirely.
People couldn't check email, change account settings, or purchase new services.
Social media exploded with complaints of the outage.
Customers were becoming frustrated.
The customer support lines were overwhelmed.
The website continued to stay down all night long. The next day, TalkTalk said they had been breached,
and the media immediately started picking up the stories.
Some breaking news in the last hour.
Police are investigating after a significant and sustained cyber attack
on the website of the company TalkTalk.
We actually have the CEO of TalkTalk, Dido Harding, here.
First of all, Dido Harding, how many people are affected?
We don't know for certain, but we're taking the precaution tonight
of contacting all four million of our customers.
But you didn't do... The attack was yesterday.
The attack started yesterday.
We brought down all of our websites yesterday lunchtime.
We spent the last 24 hours with the Metropolitan Police
and various security experts trying to get to the bottom of what has happened.
But if you don't know if people's telephone numbers, if their bank accounts and so forth are involved,
would it not have been better to take the precaution as soon as it started to happen of telling all your customers?
There are cyber attacks on every website all the time.
So in the summer across England and Wales, there were 625,000 cyber attacks each month.
Has it happened to you before?
We would receive what's called denial of service attacks on our network every week.
So how do you know this one was different? What triggered this?
We didn't at lunchtime yesterday.
At lunchtime yesterday, all we knew was that our website was running very slowly.
And it had all the early warning signs of bad guys bombarding the website.
So that's why we took the website down.
We then needed to actually analyse the data
in order to identify who, if someone had got in,
what data that they had got access to.
And do you know how much, what the maximum amount of data
this cyber attack has taken?
The precaution we're taking is to communicate with all of our customers.
So that is the maximum. It's clearly a material number. And because we fear that these criminals have accessed some customers' bank details, as well as personal details, we're
taking the precaution of telling everyone and using, to be honest, the good auspices of the
BBC tonight to try and reach customers as quickly as we possibly can.
You're telling people now that people's bank account details
could have been compromised since lunchtime yesterday.
They could have been, but I didn't know.
I didn't have any inkling at lunchtime yesterday that that was the case.
So you have to have a basic amount of information
before you start communicating.
We've tried to move absolutely as fast as we can.
At the same time, in terms of your
bank account details being stolen, which is what has happened, the risk you take is that that
criminal tries to impersonate you. So what we're also doing today is we're going to be providing
all of our customers with a year's free credit monitoring as the best way of ensuring that if
somebody does try and use that information illegally,
you can catch it and that you will be safe.
The press release said up to 4 million user accounts were taken.
That's the entire TalkTalk customer base.
This may have included names, addresses, date of birth, credit card details, and bank details, email addresses, telephone numbers, and TalkTalk account number.
The TalkTalk CEO, Dido Harding, received a ransom letter.
The ransom threatened to publish the data that was stolen
unless they pay $125,000 in Bitcoin.
The ransom letter was turned over to the police and otherwise ignored.
The security teams at TalkTalk worked in shifts around the clock to investigate the attack.
They first needed to contain it, then analyze it to understand the scope, and then fix the problem so it won't happen again. What they found is that there was
a SQL injection done on the website that was formerly part of the Tiscali network. When the
competitor was bought and merged into TalkTalk, an old Tiscali site was overlooked from getting
updates. In fact, that web server and database had not been patched for three and a half years.
Rumors also spread that there was a denial-of-service attack on their main website.
If there was a denial-of-service attack, it was more of a distraction than damaging.
One news reporter described this attack like setting a fire in the front yard
while burglars enter through the back door.
The TalkTalk security team was having a hard time understanding the scope of this intrusion.
That's because there wasn't one SQL injection that happened. And there wasn't two either. And there wasn't just five,
or even ten. A later report revealed that TalkTalk was targeted over 14,000 times in October.
Attacks didn't come from just one location. They came from many places around the world.
It's almost as if it was a coordinated attack. Trying to sort through the
details of 14,000 different attacks was no easy task. Meanwhile, customers were furious, likely
because they were tired of hearing about this company being breached. This would be the third
time in a year that customer records were stolen from TalkTalk. People were upset that TalkTalk
wouldn't say what data was accessed, who was impacted,
whether the data was encrypted or not.
Customers were complaining about everything.
Slow internet speeds, disconnected calls, increased number of scams.
A flurry of complaints hit social media.
People were accusing TalkTalk of being negligent of the data and astonished that TalkTalk didn't know more details.
Rumors were everywhere.
One rumor was that Islamic extremists were
claiming responsibility for the hack. Another said Russian dissidents had taken responsibility.
Another rumor was some customers were claiming fraudulent purchases seen on their credit cards.
Many people were confused about the details and mixing up previous breaches with this one.
In the days after the breach, it was difficult and almost impossible to figure out what information
was true and what was just a rumor.
The CEO was aware of the massive amount of complaints that were going on, and four days later, had a new message for everyone.
I know it's been a worrying and frustrating time for customers since the cyber attack on TalkTalk's website on Wednesday.
Right from the start, we've done everything we can to get to the bottom of what happened as soon as possible and to keep you updated along the way.
The criminal investigation by the Met Police and our own investigation are still ongoing, but I hope I can provide some reassurance to customers
by telling you that the findings so far have shown that the number of customers affected and the range of data potentially stolen is smaller than was originally feared. In fact, our website, our shop front, if you like, was attacked, but our core systems were not.
We do not store unencrypted credit card data on our site. Any credit card details
that may have been stolen have the first six digits removed and cannot be used
for financial transactions. No My Account passwords were stolen,
and no bank details were taken that would allow someone to take money out
of your account or give anyone a way to get into your account.
I hope we can provide more advice soon. In the meantime, take advantage of the free credit monitoring service we've set up with one of the main credit checking agencies, Noddle. You can sign up using the code TT231. Two weeks later,
TalkTalk announced exactly what had been taken. 156,000 user records, including customer name,
date of birth, and address. 15,000 bank account numbers and sort codes, and 28,000 partial credit cards.
None of this data was encrypted.
Customers continued to be furious with TalkTalk and began cancelling their contracts and moving to other providers.
TalkTalk then began offering free upgrades for all their customers, including non-impacted ones, as an attempt to keep their customers.
But TalkTalk would not waive any cancellation fees for people who wanted out of the contract.
Two months after the breach, British Parliament interviews Dido Harding.
The Digital, Culture, Media and Sport Committee is involved to try to assess the threat there is to the public.
At the start of this episode, you heard the beginning of this hearing.
I'll describe the scene for you.
It looks like a large room somewhere in the palace of Westminster.
There is wooden paneling on the walls and the carpet is ornate and lush.
There is a large U-shaped table with 13 members from the culture committee sitting around it.
And on the other end of the U is the CEO of TalkTalk, Dido Harding, sitting at a table all by herself.
Also in the room are spectators, assistants, cameras, and microphones.
Now let's listen to a few parts of this hearing.
One of the most difficult periods for the TalkTalk board and for me personally during this attack was in the first 36 hours when we knew we'd been attacked on the 21st, I had an incident call with my directors reviewing,
and we brought down the systems, and we knew that we had been attacked,
and at that point I received a ransom demand in my personal inbox, which was very credible.
We informed all of the appropriate law enforcement agencies and spent the next sort of 18 hours
trying to understand exactly what had happened and what had been taken.
The next day on the Thursday morning, it was very clear that there was a real risk
that a material number of our customers' data had been stolen.
And it was also clear that it was going to take us several days,
in fact it took us two weeks, to know exactly what had been taken.
And so, personally, by the Thursday mid-morning,
I was clear that I needed to warn all my customers,
that I could do something about it to help protect my customers.
I was clear by the lunchtime on the Thursday that the sensible thing to do to protect my customers
was to warn all of them because I could help make them safer.
I could give them free credit monitoring.
I could warn them not to accept these scam calls.
And for completely understandable reasons,
the advice we received that Thursday afternoon from the Metropolitan Police
was not to tell our customers.
Now, I totally understand why the police wanted us to stay quiet,
because they've got a different objective.
They want to catch the criminals.
And you sort of want the police to want to catch the criminals.
And we had some very constructive discussions with them
through that afternoon and into the early evening on how to marry the conflicting objectives of a company wanting to look after their customers and the police force rightly wanting to catch the criminals.
Thank you very much. How many breaches of security have you had over the last five years?
This is the first of TalkTalk's security, TalkTalk systems, the 21st of October.
What about these other incidents that we're talking about?
So I presume you're...
They're breaches of security.
Sorry, I was asking, possibly not answering the question that the chairman posed.
What I was answering is this is the first successful cyber attack on TalkTalk systems.
And I would say that we are attacked every day
in multiple different ways.
And so these other breaches of security,
what have they been?
So I presume you'll be referring to comments in the newspapers
suggesting that there have been three attacks in the
course of the last year. Is that fair?
Yes, well it's certainly something that's in my mind, yes.
Okay, just to make sure I'm answering the right question. So Carphone Warehouse, who
is a supplier to TalkTalk and a number of other mobile retailers, was the victim of
an attack in the summer.
So it wasn't a TalkTalk system that was breached, it was a third-party supplier.
And we, like many other companies, have had customers targeted by scammers.
And there was one specific incident in November last year where there was a, it was not a cyber security breach, but a personnel security issue in one of our outsource providers.
Those are the three that I'm aware of that are in the public domain.
How would you describe to your customers the difference between a cyber security attack and a personal data breach? I think that from a customer's perspective,
they don't really care how their data is stolen.
They care if their data has been stolen.
And so I think that the total set is different ways
that customer's data can be stolen.
I was trying to be specific in the answer to the chairman earlier
about a cyber-related data breach where someone has accessed, a criminal has accessed your systems as opposed to a human data breach.
So a human data breach, and that will be someone within the organisation that has stolen the data they shouldn't have done or accessed data they shouldn't have done?
Yeah, or any former, yes, or through the third party chains. Could I ask, why do you think TalkTalk is or appears to be
so especially vulnerable
to this? Because
however we look at this, there have been
a number of very serious
breaches which has caused
TalkTalk to develop the bad
reputation that it has.
Why do you think that's happened to your company in particular?
I'm afraid
I don't think that we are unique or unusual in being victims of cybercrime.
You've said that a number of times, but you appear to have it more than most.
I don't think that that's true.
You think other big companies have had three serious breaches in the last year?
Well, let's say we've had one serious breach on our systems.
I know. I feel we're sort of dancing slightly on the head of a pin there
because the way you're defining the breaches.
So three separate breaches that have affected your customers
who've signed up for you.
Okay.
So you have to take responsibility.
Even if other people,
even if you would argue that you're indirectly responsible,
the relationship that these customers have is with you.
No, that's fine.
I guess what I'm actually alluding to is that because telecoms companies are the only companies that have an obligation to report these data breaches,
and we took a decision on the 22nd of October to warn all of our customers about the attack that we had just experienced.
We have been much more public than I think many other organisations have been.
Maybe they didn't need to be,
but the fact that the PwC report to BIS
says that nine out of ten major companies
have had a successful attack in the last 12 months
and that GCHQ
tell us they're dealing with 200 live incidents each month, that certainly doesn't reflect
what all of us as consumers would see in terms of communication from the companies that we
deal with. There aren't that many in the public domain.
Okay. But Cyber Essentials is really some basic guidelines at relatively low cost.
Which, as I understand it, we are fully compliant with.
And as I say, we simply just have been in the...
You'll appreciate the team have been quite busy
dealing with the incident over the last two months.
We were in the process of getting accreditation.
OK. It's a bit late, though, in some ways, isn't it?
No, I think as a telecoms company,
the thing we've focused on has been a very detailed
and in-depth 10 steps to cybersecurity plan,
which we worked on through the auspices of TISAG.
So no, I don't think that we have just missed out the essentials at all.
I think quite the opposite of a very robust cybersecurity plan.
It's just I'm also being honest and human to say, of course, I wish I'd done more.
I don't know whether doing more would have prevented this attack, by the way.
But I think the thing that my customers would expect us to do is to keep building our security walls higher and higher, because the
really harsh reality is the criminals' ladders are getting longer and longer every single month.
This hearing lasted two hours, and they asked Dido 145 questions.
Ever since the day of the breach, TalkTalk had been working closely with London's Metropolitan Police.
And in fact, the Metropolitan Police did an impressive job. They were able to track down IP addresses to physical locations and connect hacker names with real names and real addresses.
And they were able to trace down some of the hackers involved. In fact, within three months
of the breach, Metropolitan Police arrested six people involved. And all six of the people were boys under 21 years old.
The first arrest was a few days after the breach, and it was a 15-year-old boy in Ireland.
This was a shock to the UK, and a few newspapers actually published his name,
and the lawyers of the boy sued those newspapers because they're not allowed to publish the names
of minors in papers. And that lawsuit's still going on today. The boy was released on bail
a few weeks later, and it's uncertain what happened to him then. We don't know if he was
found guilty or received any punishment. The second arrest was a 16-year-old boy arrested in a suburb west of London,
and he also got released on bail.
Then there was another 16-year-old boy that was arrested in Norwich, UK.
This boy claimed that he found the vulnerability on TalkTalk's website
using a tool called SQL Map,
and he posted what he found to a hacker forum.
He says he didn't download any of the data off of TalkTalk's website.
And he didn't benefit at all from doing this hack.
In fact, all he was trying to do was, quote,
I was trying to show off to my mates, end quote.
Metropolitan Police looked through his computer and his iPhone,
and they found not only did he actually hack into TalkTalk,
but he was also hacking into other things like Cambridge University, Manchester
University. And when he went to court, he pled guilty to seven charges, but only two were for
TalkTalk. He was sentenced to 12 months youth rehabilitation order and lost his iPhone and
computer. Another arrest a few days later was a 20-year-old named Matthew, and he was in Staffordshire,
UK. When the police seized his computers, they found evidence
that he hacked into NOAA, NASA, Spotify, and 20 other websites. Matthew hacked into TalkTalk and
downloaded as much data as he could. He showed his friend Connor the stuff that he downloaded
from TalkTalk. And Connor got real excited. He said, hey, give that to me. I'm going to sell
that on the darknet. And Connor
started posting some of the data for sale on the darknet and started talking to people on the
darknet to try to make the sale. And that's when the police were able to arrest both Matthew and
Connor. The next arrest was an 18-year-old boy named Daniel, and he was arrested in Wales.
And he was the one that sent the ransom letter to Dido. So he was initially charged with blackmail.
When the police looked
through his computers and his history, they found that he was doing denial of service attacks on his
own college, which caused a partial outage on the local hospital. And he did other attacks against
companies and stole their data and demanded Bitcoin so it would not be published. Basically
doing ransoms on other companies as well. He was found guilty of extortion of over $300,000.
He lived in a small town in Wales, and after he was arrested, he reached out to a reporter
at Motherboard to let his voice be heard. And this is what the hacker said, quote,
There's not much to do in my town, and the internet offered me opportunities and a way
to cure boredom. When you're surrounded by people on the network that engage in these criminal acts,
it essentially becomes a norm, and it's extremely addicting.
There's nobody around to tell you what you're doing is wrong.
It's a difficult feeling to explain, but it's essentially a feeling of euphoria,
and once you've experienced it, it's something you always chase.
It's a bit like a drug, but on a whole different level, obviously.
And the more you develop your skills, the stronger the feeling becomes,
because you're able to do more things.
And what I've done is essentially going to haunt me for the rest of my life.
I know that's probably the advice you were expecting, but seriously, don't do it.
Crimes online are treated no differently from crimes in the real world.
I've had to learn that the difficult way.
You might assume you're more or less invincible, but if you do something serious enough, you will be caught and put through the justice system. End quote. And later on in 2016,
three Wipro employees were arrested for stealing data out of the TalkTalk database.
There's no talk about anyone who hacked the Carphone Warehouse database.
We still don't know how that happened or who did it.
In June 2016, the ICO concluded their investigation on TalkTalk and published a report.
The site says the database was out of date for three and a half years
and the attack was through the legacy Tiscali pages.
TalkTalk wasn't monitoring that site
and the attacker used SQL injection.
The investigation also found that in July of 2015 and September of 2015,
there were also SQL injections in the logs and unauthorized access.
So TalkTalk thought they had identified the breach the day of the attack,
but technically, it took them three months to detect this.
A year after the breach, the ICO placed a fine on TalkTalk
for $530,000 for a loss of 157,000 customer records. This was the largest fine ever imposed
by the ICO. TalkTalk paid the fine early, which allowed them to only pay $420,000. Later on in
2017, the ICO placed another fine on TalkTalk for $130,000.
This was for the Wipro breach that lost 21,000 user records. After that was announced, the class
action lawsuit against TalkTalk re-emerged. 50 people were claiming they were victims of scams
and seeking compensation. In February 2017, over a year after the breach, Dido Harding steps down as CEO.
In a quarterly shareholders' call, TalkTalk claimed the breach cost them $70 million.
These expenses included doing a security assessment, fixing the issues, hiring a security firm to investigate, giving free credit monitoring, giving free upgrades to their customers, and more.
They also said they lost 101,000 customers due to the breach.
Their stock fell by 11% and they lost a market share of 4%.
Since all these attacks, the UK has developed a new program,
a youth rehab boot camp for teens who have been convicted of hacking.
This is a place for teens to learn their skills are in high demand.
Mentors teach them how they can enter the job force
and continue doing the things they love, which is hacking. This breach reminds us that you can't
secure what you don't know you have. And in this case, TalkTalk forgot they had these servers.
Another problem is when you leave one server vulnerable, it makes the entire company vulnerable.
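The ICO finding above, that injection attempts were already sitting in the web server logs months before the breach was noticed, is exactly what a routine log check is meant to catch, and it only works if the legacy site's logs are being collected at all. The script below is an added example, not code from the episode and not TalkTalk's own tooling. It parses constructed combined-format web log lines (the addresses, paths and timestamps are made up for the example) and flags the classic SQL injection indicators: the error-based probe (a stray quote that makes the application return a 5xx), the tautology, the UNION SELECT, the trailing comment, and the sqlmap user agent mentioned in the Norwich arrest.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format (made-up hosts, paths and
# timestamps; not real TalkTalk logs). Lines two to four are the kind of
# tool-driven probing the ICO report describes finding in the logs.
SAMPLE_LOGS = """\
203.0.113.5 - - [12/Jul/2015:03:14:07 +0100] "GET /legacy/account.php?id=1042 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jul/2015:03:14:09 +0100] "GET /legacy/account.php?id=1042%27 HTTP/1.1" 500 612 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jul/2015:03:14:11 +0100] "GET /legacy/account.php?id=1042%27%20AND%201%3D1--%20 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jul/2015:03:14:13 +0100] "GET /legacy/account.php?id=1042%20UNION%20SELECT%20username%2Cpassword%20FROM%20users HTTP/1.1" 200 88712 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
198.51.100.7 - - [12/Jul/2015:03:15:00 +0100] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators are matched against the URL-decoded query string: attackers
# percent-encode payloads, so a raw-line grep for "UNION" would miss them.
INDICATORS = [
    ("union-select", re.compile(r"\bunion\b[\s/*]+(?:all[\s/*]+)?select\b", re.I)),
    ("tautology", re.compile(r"""\b(?:or|and)\b\s+['"]?\d+['"]?\s*=\s*['"]?\d+""", re.I)),
    ("comment-tail", re.compile(r"(?:--\s|--$|#|/\*)")),
    ("stray-quote", re.compile(r"""['"]""")),
]
TOOL_UA_RE = re.compile(r"sqlmap|havij|sqlninja", re.I)


def parse_line(line):
    """Split one combined-format log line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the injection indicators present in one parsed log entry."""
    query = unquote_plus(entry["path"].partition("?")[2])
    hits = [name for name, rx in INDICATORS if rx.search(query)]
    if TOOL_UA_RE.search(entry["ua"]):
        hits.append("tool-user-agent")
    # A lone quote in a parameter is too noisy to alert on by itself, but a
    # quote that made the application throw a 5xx is the classic first probe.
    if hits == ["stray-quote"] and not entry["status"].startswith("5"):
        hits = []
    return hits


def scan_logs(text):
    """Return one finding per suspicious line: who, when, which path, which indicators."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if hits:
            findings.append({"ip": entry["ip"], "ts": entry["ts"],
                             "path": entry["path"], "status": entry["status"],
                             "hits": hits})
    return findings


def sources(findings):
    """Count suspicious requests per source address, to prioritise follow-up."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for f in found:
        print(f"{f['ts']} {f['ip']} {f['status']} {f['path']} -> {', '.join(f['hits'])}")
    print("per-source:", sources(found))
```

Run it against the sample and three of the five lines are flagged, all from the same address, with the first being the quote-plus-500 probe that precedes the real payloads. The design point is the suppression rule: a quote on its own fires on ordinary user input all day, so it is only reported when the server errored on it; everything else in the list is unambiguous. In a real deployment the script would read the log stream of every web-facing host, including the forgotten legacy ones, which is the part TalkTalk was missing.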
So what advice would you give to other CEOs?
I think there's two pieces of advice that I would offer.
One is that being open and honest with your customers is the right answer.
I would hate that all of the sort of public attention that TalkTalk has had
as a result of our approach of being open and honest with customers would lead other chief executives to conclude that that was the wrong thing to do.
We think it was absolutely the right thing to do, to go out and warn all four million of our customers on the 22nd of October.
We think that actually, over time, we are seeing the benefits of that in our customers telling us that they value the fact that we've been open and honest.
So that would be my first main piece of advice. The second piece is that you mustn't delegate
security. Security is a board level issue and it's a business decision because the only way you can
be 100% confident that you're not at risk of cyber crime is not to operate in the digital space and
that's the wrong answer. So you have to take risk as the chief
executive and therefore you have to know enough about what your choices are and not to delegate
and we've seen that in spades over the last two months, because our risk of cyber security has
gone up simply because of the amount of media attention around TalkTalk, and so the business
risk has changed, and that's required me to take decisions which I think in other companies might be being taken by the security function.
Cybercrime is the crime of our generation.
It is growing exponentially, and we all need to know more and learn more.
And I think the TalkTalk board, probably more than any other in the country,
knows that that's the case.
You've been listening to Darknet Diaries. For show notes and links, check out darknetdiaries.com. Music is provided by Ian Alex Mack and Alex Barbarian.