First, the level of technical incompetence is staggering:

* Two significant breaches in 7 months
* Bank/CC and personal details stored unencrypted
* Passwords stored in cleartext
* "We have taken all necessary measures to secure the website." That's what they said last time.

Second, the response is laughable:

* Two days since the breach was discovered, and customers still haven't been notified.
* No mention of the breach on the talktalk.co.uk home page.
* The site in question [1] says it is offline due to an attack, but doesn't link to the relevant help page [2]

[1] https://myaccount.talktalk.co.uk/
[2] http://help2.talktalk.co.uk/oct22incident
Paul Moore's findings from one year ago: https://paul.reviews/value-security-avoid-talktalk/
Someone on the radio just said it was an SQL injection. Can it get any more comical?

Meanwhile the TalkTalk & Met Police PR machines are in full flow talking up exotic claims of cyberjihadism to deflect responsibility.
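For readers who have not seen why an SQL injection in a customer portal hands over the whole table, here is an added example that is not from the thread and is not TalkTalk's code. It builds a constructed in-memory SQLite table (the customers, passwords and account numbers are made up), shows a login query that pastes user input into SQL text, and the same query with bound parameters. The two payloads are the textbook authentication bypass and a UNION-based dump of another column; the function names are my own.

```python
import sqlite3

# Constructed sample rows (not real records). Passwords are deliberately stored
# in cleartext here to mirror the failing the thread describes.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "correct horse", "12-34-56 00012345"),
    ("bob@example.com", "hunter2", "65-43-21 00054321"),
    ("carol@example.com", "letmein", "11-22-33 00099999"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "id INTEGER PRIMARY KEY, email TEXT, password TEXT, account_no TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, password, account_no) VALUES (?, ?, ?)",
        SAMPLE_CUSTOMERS,
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str) -> list:
    """The bug: user input is spliced into the SQL text, so it is parsed as SQL."""
    sql = (
        "SELECT id FROM customers "
        f"WHERE email = '{email}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn: sqlite3.Connection, email: str, password: str) -> list:
    """The fix: placeholders keep the query shape fixed; input is only ever data."""
    sql = "SELECT id FROM customers WHERE email = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (email, password))]


# Two payloads an attacker would try in the email field of the vulnerable form.
# The trailing "--" comments out the rest of the statement, including the
# password check.
BYPASS_PAYLOAD = "' OR 1=1 --"
# Same column count as the original SELECT, so the UNION returns account numbers
# where the application expects ids.
DUMP_PAYLOAD = "' UNION SELECT account_no FROM customers --"


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, BYPASS_PAYLOAD, "anything"))     # every customer id
    print(login_vulnerable(db, DUMP_PAYLOAD, "anything"))       # every account number
    print(login_parameterized(db, BYPASS_PAYLOAD, "anything"))  # nothing matches
```

The parameterized version is not "escaping": the query text never changes, so the payload is compared literally against the email column and matches nothing. With SQLite's single-statement `execute()` stacked queries are not possible, but as the UNION payload shows, that does not stop data from other columns or tables being read.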
They have now, apparently, received a ransom demand: https://news.ycombinator.com/item?id=10438175
"TalkTalk's speedy decision to warn all of its customers that their vital data is at risk suggests that this one is very serious indeed."

Not all its customers, obviously.
I left TalkTalk a month ago as a customer, but I could still log in to my account online to download and settle my final bills. I'm pretty sure they still store my bank account and credit card info on their end, and they didn't warn me about the attack...
Do CEOs/directors of companies get hit by these data breaches? Do we need to start insisting their personal/banking data is stored the same as customers' so they get impacted? Too many companies just don't take security seriously enough.