It’s very much a case of “another week, another attack” I’m afraid. Unfortunately for what is thought to be around four million people, the attack this week was at telecommunications group TalkTalk.
However, news breaks today that the attack is limited in its scope, and may not be as bad as previously thought. (See BBC News running the story.) Instead of an attack on TalkTalk’s data servers, the attack is now believed to have been on TalkTalk’s website. This adds another layer to what is an already convoluted story, so I have summarised the key facts below:
- Any card details stolen would have been incomplete. These would not have been usable for transactions, but there is still a risk presented.
- Email addresses could have been stolen.
- TalkTalk do not know how much of the information was encrypted, or whether the hackers had access to as much data as they claim to have had.
- Any information issued by TalkTalk is available here, although they have been criticised for not providing enough information to customers.
- Free credit monitoring has been offered to all TalkTalk customers, and it is advisable to use it. However, there is a possibility that the monitoring site itself has been attacked, or could become a target in the wake of the TalkTalk attack, so the best plan of attack is to monitor your own accounts in the short term. (Update: After feedback from Daly in the comments below, it has become apparent that TalkTalk are looking into providing this, rather than offering anything concrete.)
- Police and “cyber crime experts” are continuing an investigation into the attack and trying to determine what data has been compromised. Again, the TalkTalk website is the most reliable source of information on this.
So while the impact of the attack could be massive, it also highlights an “inconvenient truth”, for want of another phrase: companies and the general public are simply not prepared to deal with a cyber attack. Not only is data not adequately protected in the first place, there are no clear recovery procedures in place, and since the attack TalkTalk has pretty much been running around like a headless chicken. This is obviously incredibly unnerving for consumers, as it seems like TalkTalk are withholding information. However, the reality is far more disturbing: they don’t actually have the information themselves.
I therefore recommend that you personally create an action plan, so that you can take steps to protect yourself should a site that holds information on you become compromised. Obviously, I cannot post a generic plan that applies to everybody, but actions such as changing passwords and monitoring bank accounts should be fairly standard. The rest varies from person to person. To help you determine whether any data on you has been taken from a compromised site, I recommend haveibeenpwned.com. This site is maintained by security researcher Troy Hunt, and is excellent for telling you whether or not you need to take steps to protect yourself.
That’s pretty much all I have to say on the matter, as I simply don’t want to regurgitate the news or spread false stories. Let me know if you have any queries or need help securing accounts.