Details of a damaging hack of British phone and broadband provider TalkTalk's customer database are emerging. Apparently, the credit card, bank details and account information of all of its 4 million customers have been stolen, leaving them wide open to fraud. TalkTalk has even received a ransom demand!
What's worse is the suggestion that these details were not encrypted, which, if true, is a massive security blunder on TalkTalk's part. If they had been encrypted, it would have taken the hackers some time to access the data (or perhaps they would not have been able to at all). This would have given customers time to prepare for attempts to use their data fraudulently. Because the hackers have access immediately, customers' credit card details will already be in use, and their bank accounts targeted. People typically reuse their passwords across a number of sites, and so the hackers will be trying those passwords on all popular websites. Some good advice on steps to take if you are a TalkTalk customer can be found here.
TalkTalk has subsequently stated that "investigations so far into the cyber attack on our website on Wednesday 21st October 2015 show that the information that may have been accessed is not enough on its own to take money from your bank account". This somewhat misleading statement implies that credit card details were not obtained in full (and so credit card fraud is probably ruled out), but says nothing about customer account information (and indeed bank account details). TalkTalk customers need to be prepared for fraudsters with all their account information contacting them and pretending to be from TalkTalk - with the intention of getting them to transfer money from their bank account to a fraudster's account.
What security lessons can be learned from the TalkTalk hack? Obviously, website security is critical to get right when you are storing customer details. This is not the first time TalkTalk has been hacked, and so they have clearly failed in their security measures to prevent unauthorized access.
Securing your website isn't enough though - all customer information must be encrypted. This means that if someone manages to obtain a copy of the customer database, they can't access the data easily or quickly. If good enough encryption is used, they will never be able to do so (at least not in a time frame that will matter to customers).
Finally, passwords should never be stored - even if data is encrypted. Instead, cryptographic hashes of passwords should be stored. These are one-way algorithms that convert a password into what's called a hash - a fixed-length sequence of characters from which the password cannot be recovered. When a password is supplied to a system, it is hashed, and the calculated value is compared to the stored hash. If the hashes are identical, the password is correct. If hackers obtain the customer data, they only have hashes, not passwords.
Cryptographic hashes aren't foolproof, unfortunately - they are vulnerable to what are known as rainbow tables - pre-calculated tables mapping common passwords to their hashes, so that a stolen hash can simply be looked up. This can be avoided by prepending some random characters to each password before hashing, which means pre-calculated tables cannot be used. These random characters are known as password salts; a different salt is generated for every user and stored alongside the hash, so the system can repeat the same calculation when the user logs in.
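To make the last two paragraphs concrete, here is an added example (not code from the original post, and not TalkTalk's) of salted password hashing and verification in Python, using only the standard library. It assumes PBKDF2-HMAC-SHA256 with a fixed iteration count and a 16-byte random salt per user, and it stores a self-describing record of the form `algorithm$iterations$salt$hash` rather than the password itself. The small "rainbow table" built from a constructed list of common passwords shows why an unsalted hash is trivially reversed by lookup while a salted one is not.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Parameters assumed for this example; choose them for your own deployment.
HASH_NAME = "sha256"
PBKDF2_ITERATIONS = 600_000   # slows down offline guessing of each stolen hash
SALT_BYTES = 16               # fresh random salt per user


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a storable record: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>.

    A new random salt is drawn unless one is supplied explicitly.
    The plaintext password is never part of the returned record.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-run the same salted calculation and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
        if algo != f"pbkdf2_{HASH_NAME}":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iterations = int(iterations)
    except ValueError:
        # Malformed record: treat as a failed login rather than crashing.
        return False
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest, expected)


def unsalted_hash(password: str) -> str:
    """The weak scheme: a plain SHA-256 of the password, identical for every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_rainbow_table(candidates) -> Dict[str, str]:
    """Pre-compute unsalted hashes of candidate passwords (hash -> password)."""
    return {unsalted_hash(p): p for p in candidates}


def lookup_in_table(table: Dict[str, str], hash_hex: str) -> Optional[str]:
    """What an intruder can do with a stolen hash and a pre-computed table."""
    return table.get(hash_hex)


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    common = ["password", "123456", "qwerty", "letmein"]
    table = build_rainbow_table(common)

    # Unsalted: the stolen hash is found instantly.
    print("unsalted lookup:", lookup_in_table(table, unsalted_hash("qwerty")))

    # Salted: two users with the same password get different records,
    # and neither hash appears in the pre-computed table.
    rec_a = hash_password("qwerty")
    rec_b = hash_password("qwerty")
    print("records differ:", rec_a != rec_b)
    print("salted lookup:", lookup_in_table(table, rec_a.split("$")[3]))
    print("login ok:", verify_password("qwerty", rec_a))
    print("wrong password:", verify_password("qwertz", rec_a))
```

The verification step deliberately reuses the salt and iteration count recorded with the hash, which is what lets the scheme be upgraded later (a higher iteration count or a different algorithm for new records) without invalidating existing accounts.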
The primary lesson to learn from the TalkTalk hack is that website architectures should be designed with the assumption that hackers have gained access. Hackers will always find ingenious ways to break in, no matter what security measures are taken. An important aim is therefore to prevent critical data being accessible to intruders. If measures are taken to encrypt customer data and hash passwords, much of the pain of these cyber-attacks can be prevented.