House Price Crash Forum

Frank Hovis

Talk Talk - Should Losing This Data Be A Crime?

All the improbably-named chief exec Dido Harding (probably an alias) has to do is look concerned and say "sorry about that" and that's her done.

The banks end up footing the bill for the resultant monetary losses, and the police have to do the investigation.

This is the third time that this has happened to TalkTalk, and recently there was the high profile case of Ashley Madison. Charging users a fee for deleting their data. And then not deleting it. This being the given reason for the hack.

Whilst the hackers and subsequent fraudsters are clearly those directly responsible, there is surely a case for these data-holding companies being liable for negligence if they have not properly protected their customers' confidential data. Not on a strict liability basis, but with the onus on them to prove that they have taken all reasonable measures to protect this data.

And if not then they are financially liable, have to pay a penalty, and the directors are criminally liable as in the corporate manslaughter cases.

Way way back a friend was sacked from his audit firm because he had a company laptop with client data on it stolen from the boot of his car. Time to apply this to corporations as well.

It is, under the Data Protection Act. It's just the authorities will probably sit around and do bugger all!

It is, under the Data Protection Act. It's just the authorities will probably sit around and do bugger all!

I thought the Data Protection Act was about not giving it out and removing it when no longer required, with something very weak about keeping it "secure". The penalty for breaking it being trifling fines because the big offenders are usually public sector bodies.

What's the point?

We already have loads of laws and rules which are not enforced.

Just add this to the list.

Yes it is.

They need to get serious on this.

Board + C suite should be jail.

Pay and assets should be clawed back to put into a compensation fund.

Companies' equity should be wiped out.

Yes it is.

They need to get serious on this.

Board + C suite should be jail.

Pay and assets should be clawed back to put into a compensation fund.

Companies' equity should be wiped out.

Are you being sarcastic? I was looking for big fines rather than capital punishment.

If BT (say, I have no idea) put a £50m investment annually into their IT to keep their customer data secure and TalkTalk use the bloke down the local PC repair shop on minimum wage then in the event of a hack the penalty should reflect the lack of care over the data.

What's the point?

We already have loads of laws and rules which are not enforced.

Just add this to the list.

The ones not enforced are those that actually require police officers to be on the spot and see something taking place.

As police numbers are low and falling, and most of their work time is spent completing monitoring paperwork should they actually nick anybody, the likelihood of being arrested for using your mobile phone whilst driving is so vanishingly small that the law is pointless; other than as a contributory negligence factor in the event of a crash.

Enforcement of laws which attract massive fines, however, seems to be more keenly carried out.

I thought the Data Protection Act was about not giving it out and removing it when no longer required, with something very weak about keeping it "secure". The penalty for breaking it being trifling fines because the big offenders are usually public sector bodies.

The DPA requires that data not be disclosed except where legally necessary or necessary for business purposes, or where there is consent to do so. A data breach counts as an illegal disclosure.

The maximum penalty in law is a £500k fine.

The Information Commissioner's Office is the statutory body with responsibility for investigating and enforcing the DPA. They do investigate aggressively and make strong judgements, but their legal powers are severely limited.

I'm scared of using the internet. People will know all about me! :blink:

Prosecuting will require an expert to prove that TT didn't do what a reasonable person would do.

Theft occurs every day, in the office, in the shop, online, in the streets.

Your insurance won't pay out if you didn't take reasonable steps... however, if you did, you can expect to be exonerated and paid out. Otherwise, they find you somehow complicit due to being careless.

Was TT careless?...hard to prove...meanwhile, millions are at risk..maybe they will take my advice and leave this shower and go to a proper ISP that is dedicated to providing a first rate service, not building a client farm.

The DPA requires that data not be disclosed except where legally necessary or necessary for business purposes, or where there is consent to do so. A data breach counts as an illegal disclosure.

The maximum penalty in law is a £500k fine.

per instance?

per instance?

Per disclosure event (not per data record).

As an example, a hospital decommissioned a set of old servers containing medical records. They hired a certified data destruction company to destroy the hard drives and issue certificates of destruction. The contractor had a new hire who stole the hard drives and sold them on eBay, issuing the hospital with destruction certificates.

The hard drives were bought on eBay and found to contain confidential data by the buyer, who contacted the Information Commissioner. The hospital were fined about £470k for that breach.

In this case, the ICO ruled that contracting out the destruction was not reasonable, and that this was an unlawful breach. The hospital should have carried out the destruction to appropriate standards in-house, or if they lacked the equipment to do so, they should have supervised the contractor at all times.

Although many records were potentially compromised in the above example, it was a single breach and the maximum penalty would have been £500k.

Prosecuting will require an expert to prove that TT didn't do what a reasonable person would do.

Theft occurs every day, in the office, in the shop, online, in the streets.

Your insurance won't pay out if you didn't take reasonable steps... however, if you did, you can expect to be exonerated and paid out. Otherwise, they find you somehow complicit due to being careless.

Was TT careless?...hard to prove...meanwhile, millions are at risk..maybe they will take my advice and leave this shower and go to a proper ISP that is dedicated to providing a first rate service, not building a client farm.

They've already been in sh1t twice this year. All for similar stuff.

They would have been given an action plan to complete on, i.e. there will be some documented targets.

There's a good chance that credit cards will stop accepting talktalk as a vendor.

I notice that some of the data stolen may relate to ex customers. The Information Commissioner might well prosecute them for failing to remove that data once the business relationship had ended. At the very least they should have a process for archiving the data and storing it securely on some device that can then be removed off the network. It would not require a program of genius to regularly sweep the databases removing redundant credit card and banking data leaving only a stub account for an ex customer. In days of old when disk space was at a premium such processes were the norm. Unfortunately in Big Data world where companies want to hang onto details of every last transaction then Big Data Theft is sooner or later inevitable.

Was TT careless?...hard to prove...meanwhile, millions are at risk..maybe they will take my advice and leave this shower and go to a proper ISP that is dedicated to providing a first rate service, not building a client farm.

I would suggest that executing SQL statements passed in through a web page is "careless". YMMV.

1. Did they do a security audit on their website at any time in the past 12 months by an external firm?

2. Was customer data encrypted in the database?

3. Did they hold unnecessary customer data?

I would suggest that executing SQL statements passed in through a web page is "careless". YMMV.

1. Did they do a security audit on their website at any time in the past 12 months by an external firm?

2. Was customer data encrypted in the database?

3. Did they hold unnecessary customer data?

Apparently TT are now claiming only the web server was hacked, none of the main databases were compromised and only part of the Credit Card details were in plain text.

Of course, this rather begs the question WTF were any credit card details or any other customer data doing on a web server, partly obscured or not. It rather raises more issues about their practices than it resolves.

As you rightly say, what has probably happened is that a poorly written web application has been compromised, allowing a SQL injection attack on the databases. No need to hack the database servers directly if you can establish a seemingly legitimate database connection from the web server and run your own queries from it. Of course, allowing any application to run dynamic SQL queries is fraught with risk, which is why programmers should either be forced to use statically bound code in something such as a DB2 plan or package, or only be allowed execute privileges on pre-written SQL stored procedures kept in the database itself (i.e. code where the parameters, access paths and types of data returned are fixed).

The reality is that when the company claimed tonight that the TT databases had not been directly hacked they were being very, very economical with the truth.

I'm always curious about this idea of 'lost' data.

In most cases it's not lost at all, indeed more often than not it turns out there's more than one spare copy available!

Probably "lost" is the incorrect word. Escaped sounds more like it. They need OWASP training.

There is a job going here for you IT enterprising security bods....

https://talktalk.wd3.myworkdayjobs.com/en-US/TalkTalkCareers/job/Irlam-Relocating-to-Salford-Quays-from-April-2017/Information-Security-Officer_R0001427

Good luck with your application.......

This is provided as part of the job equipment... Self use required if you fail....
Apparently TT are now claiming only the web server was hacked, none of the main databases were compromised and only part of the Credit Card details were in plain text.

Of course, this rather begs the question WTF were any credit card details or any other customer data doing on a web server, partly obscured or not. It rather raises more issues about their practices than it resolves.

As you rightly say, what has probably happened is that a poorly written web application has been compromised, allowing a SQL injection attack on the databases. No need to hack the database servers directly if you can establish a seemingly legitimate database connection from the web server and run your own queries from it. Of course, allowing any application to run dynamic SQL queries is fraught with risk, which is why programmers should either be forced to use statically bound code in something such as a DB2 plan or package, or only be allowed execute privileges on pre-written SQL stored procedures kept in the database itself (i.e. code where the parameters, access paths and types of data returned are fixed).

The reality is that when the company claimed tonight that the TT databases had not been directly hacked they were being very, very economical with the truth.

You should apply for that job in my previous post....... :rolleyes:

The reality is that when the company claimed tonight that the TT databases had not been directly hacked they were being very, very economical with the truth.

Yes, I agree with what you say.

It has been standard practice to use parametrised SQL for over a decade now on web apps, and maybe stored procedures are a better solution from a security standpoint. It is also standard practice to sanitize input strings, although this is hard to get right given all the Unicode attacks. If TT weren't doing this, as a minimum, I would suggest they should be prosecuted under the DP Act. The police should already have seized the web server code.
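The two patterns the last few posts contrast, dynamic SQL built by pasting web input into the statement text versus a parametrised query with a fixed statement shape, side by side. This is an added example, not code from TalkTalk or from any poster; it uses an in-memory SQLite table with constructed sample rows (the table and emails are assumptions, not anyone's real schema).

```python
import sqlite3

# Constructed sample data standing in for a customer table; the
# schema and the rows are assumptions for this example only.
CUSTOMERS = [
    (1, "alice@example.com", "Alice"),
    (2, "bob@example.com", "Bob"),
    (3, "o'brien@example.com", "O'Brien"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER, email TEXT, name TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_dynamic(conn, email):
    """The risky pattern: web input is spliced into the SQL text, so the
    database parser cannot tell the customer's data from query syntax."""
    sql = "SELECT id, name FROM customer WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parametrised(conn, email):
    """The hardened pattern: the statement shape is fixed and the input is
    bound as a value, so it is only ever compared, never parsed."""
    sql = "SELECT id, name FROM customer WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def dynamic_query_fails(conn, email):
    """True when the dynamic query cannot even be parsed for this input.
    A legitimate apostrophe (O'Brien) is enough to break it, which is the
    same defect that lets hostile input change the query's meaning."""
    try:
        lookup_dynamic(conn, email)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    conn = make_db()
    # The parametrised query handles the apostrophe; the dynamic one breaks.
    print(lookup_parametrised(conn, "o'brien@example.com"))
    print(dynamic_query_fails(conn, "o'brien@example.com"))
    # Input shaped like SQL is just an unmatched email to the bound query.
    print(lookup_parametrised(conn, "' OR '1'='1"))
```

Running it shows the bound query returning O'Brien's row and nothing for the SQL-shaped input, while the dynamic query fails on the apostrophe and returns every row for the SQL-shaped input.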
