TalkTalk’s four million customers must be feeling a little frustrated, having to look to PasteBin.com for answers because Dido Harding and the company spokesman seem a bit incapable of giving customers the facts. And it’s frustrating for myself, being fully aware of what isn’t being said – usually a couple of definitive statements would have been enough to make educated guesses about how serious a breach is.

Didn’t the company have a Security Operations Centre? Doesn’t a functioning SOC team analyse logs that tell it exactly what SQL queries and responses were made, and therefore exactly what data was stolen? Wouldn’t an ISP have an incident response procedure for getting that information quickly? Weren’t their security analysts (and TalkTalk’s management!) aware that using a DDoS as cover for something else is an old tactic?

Obviously I can’t verify what’s on PasteBin, but that’s typically where excerpts of stolen account details are posted when crims market them. If (if!) the PasteBin entry is legit, the culprits have acquired bank account numbers, bank names, sort codes, dates of birth, full names and postal addresses. This isn’t quite enough to transfer funds directly from the bank accounts – that’s the good news – but there’s more than enough information for social engineering, making Direct Debits and perhaps taking out loans. TalkTalk’s customers can protect themselves by doing the following:

  • Regularly check bank statements, especially for erroneous Direct Debits. This is good practice anyway.
  • Be very suspicious of anyone requesting personal/security information by phone or email.
  • Be very suspicious of any links or attachments received by email, even if they appear to have been sent by TalkTalk.

TalkTalk mentioned something about signing up with Noddle, which seems a fairly reputable service, but I’d be wary of providing account details to yet another firm, and Ghostery lists eight targeted advertising trackers for its home page – these could very well provide another attack vector.