STE WILLIAMS

Ransomware Hits Multiple, Older Vulnerabilities

Ransomware attacks are taking advantage of vulnerabilities that are older and less severe, a new report finds.

Ransomware attacks are taking advantage of vulnerabilities that might have gone unnoticed by security teams, with more than half of exploited vulnerabilities having a CVSS v2 score less than 8. These less-than-critical vulnerabilities, some years old, are leading to significant security challenges in the form of ransomware dangers for governments, healthcare organizations, and businesses.

A new report says that 35% of the vulnerabilities exploited in ransomware attacks are more than 3 years old — a patching lapse that looks significant in the face of the $8 billion that ransomware cost companies in 2018. The study identified the 57 vulnerabilities most commonly used in ransomware attacks. According to the research, 15 of these are used by multiple ransomware families, and 17 trending vulnerabilities (those active in the wild, with growing numbers of attacks) affect more than one technology vendor.

For more, read here.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events.

Article source: https://www.darkreading.com/vulnerabilities---threats/ransomware-hits-multiple-older-vulnerabilities-/d/d-id/1335930?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Vimeo sued for storing faceprints of people without their say-so

You didn’t tell me that you’re collecting and storing my faceprint, you didn’t tell me why or for how long, you didn’t get my written OK to do it, and you haven’t told us how long you’re retaining our biometrics or how we can get you to nuke them, another Illinois resident has said in yet another proposed facial recognition class action lawsuit based on the state’s we’re-not-kidding-around biometrics law.

This one’s against the video-sharing, face-tagging website Vimeo.

The complaint was filed on 20 September on behalf of potentially thousands of plaintiffs under the Illinois Biometric Information Privacy Act (BIPA). Illinois resident Bradley Acaley is lead plaintiff.

The suit takes aim at Vimeo’s Magisto application: a short-form video creation platform purchased by Vimeo in April 2019 that uses facial recognition to automatically index the faces of people in videos so they can be face-tagged.

Facebook’s look-alike face-tagging lawsuit

Facebook is facing a similar class-action suit over BIPA: Last month, yet another in a string of US courts reaffirmed that Facebook users can indeed sue the company over its use of facial recognition technology.

That suit – Patel v. Facebook, first filed in 2015 – has been allowed to go forward as a stream of courts have refused to let Facebook wiggle out of it… in spite of Facebook’s many attempts. Last month’s decision to let Patel v. Facebook go ahead was the first decision of an American appellate court that directly addresses what the American Civil Liberties Union (ACLU) calls the “unique privacy harms” of the ever-more ubiquitous facial recognition technology that’s increasingly being foisted on the public without our knowledge or consent.

The suit that Facebook’s up against sounds just like the one that Vimeo’s potentially going to face if it gets affirmed as a class action: namely, both suits accuse their targets – Facebook and Vimeo – of violating Illinois privacy laws by “secretly” amassing users’ biometric data without getting consent from the plaintiffs, collecting it and squirreling it away. In Facebook’s case, that means squirreling it away in what the company has claimed is the largest privately held database of facial recognition data in the world.

BIPA bans collecting and storing biometric data without explicit consent, including “faceprints.”

The complaint against Vimeo claims that users of Magisto “upload millions of videos and/or photos per day, making videos and photographs a vital part of the Magisto experience.”

The court document points to a Magisto website, “How Does Magisto Video Editor Work?” that touts its “so-called ‘artificial intelligence engines’ that intuitively analyze and edit video content” using “facial detection and recognition technology.”

The complaint maintains that unbeknownst to the average consumer, Magisto scans “each and every video and photo uploaded to Magisto for faces” and analyzes “biometric identifiers,” including facial geometry, to “create and store a template for each face.” That template is later used to “organize and group together videos based upon the particular individuals appearing in the videos” by “comparing the face templates of individuals who appear in newly-edited videos or photos with the facial templates already saved in Magisto’s face database.”

Magisto doesn’t just analyze the biometrics of users, the complaint asserts. It also analyzes and face-matches the biometrics of non-Magisto users who happen to appear in the photos and videos. That’s in violation of BIPA, the complaint asserts, given that Vimeo didn’t …

  • First provide notification of the face templates and analysis to Illinois residents appearing in Vimeo videos.
  • Obtain a written release from Illinois residents.
  • Post any “written, publicly available policies” about how the scanned, analyzed and sorted videos and photos, with the associated face templates, will be retained and ultimately destroyed, nor how people could go about initiating the destruction of their biometric data.

Acaley’s history with Magisto

According to the complaint, the lead plaintiff, Acaley, downloaded Magisto in 2017 on both an Android mobile device and an Apple iPad, purchasing a one-year subscription for about $120. When that subscription expired, so too did his access to the videos he had posted through Magisto.

The lawsuit claims that immediately after uploading videos and photos to the Magisto app, Vimeo analyzed the content by automatically locating and scanning Acaley’s face and by extracting “geometric data relating to the contours of his face and the distances between his eyes, nose, and ears” – data Vimeo used to create a unique template of his face.

Using that unique face template, Vimeo located and grouped together the imagery where Acaley showed up. Vimeo also used the face template to record his gender, age, race, and location, according to the complaint – all without his permission, “all in direct violation of the BIPA.”

The suit is looking for $5,000 per class member, along with court fees.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/mzcU6d5eSbI/

Update ColdFusion now! Emergency patch for critical flaws

Adobe has rushed out fixes for three vulnerabilities in its ColdFusion web development platform, two of which have been given the top billing of ‘critical’.

The flaws affect ColdFusion 2018 version 4 and earlier, and ColdFusion 2016 version 11 and earlier.

The first critical flaw is CVE-2019-8073, and is described as allowing “command injection via vulnerable component” leading to arbitrary code execution (ACE).

The second critical flaw is CVE-2019-8074, a path traversal vulnerability allowing an access control bypass.

The final vulnerability, rated ‘important’, is CVE-2019-8072, a security bypass leading to information disclosure.

Because this is an ‘out of band’ update – a polite way of saying it’s unexpected and urgent – Adobe offers only placeholder descriptions of their nature.

The solution is to look for ColdFusion 2018 Update 5 (build 2018,0,05,315699) and ColdFusion 2016 Update 12 (build 2016,0,12,315717).

All three are credited to external researchers (in the order listed above): ‘Badcode’ of the Knownsec 404 Team, Daniel Underhay of Aura Information Security, and Pete Freitag of Foundeo Inc.

Emergency fixes for ColdFusion products aren’t that common, although the platform did receive one in March for a flaw that, on that occasion, was being exploited in the wild.

While there’s no indication that’s happening with the latest flaws, they still deserve urgent attention.

Adobe’s next scheduled update (which may or may not contain new ColdFusion fixes) is due with Windows’ October Patch Tuesday on 8 October.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/GUGdeqtu7ac/

Russian pleads guilty in massive JPMorgan hacking scheme

Preet Bharara – former US attorney for the Southern District of New York – has called the 2012-2015 cyberattacks that targeted a dozen American companies, including JPMorgan Chase, “securities fraud on cybersteroids.”

On Monday, Andrei Tyurin, 35, of Moscow, became the first person to be convicted in the case, which involved the theft of data from as many as 83 million customers of JPMorgan, the biggest bank in the US.

The Department of Justice (DOJ) says that makes it one of the largest thefts of customer data from a single US financial institution in history.

In a statement released on Monday, the US Attorney’s Office for the Southern District of New York said that Tyurin pleaded guilty in Manhattan federal court to six felony counts, including wire fraud, bank fraud and conspiracy to commit computer hacking.

He could face a term of up to life in prison when he’s sentenced on 13 February, though maximum sentences are rarely handed out.

The massive hacking campaign started around 2012 and was carried out up until 2015. The network of crooks Tyurin was working with targeted other financial institutions besides JPMorgan, including brokerage firms. It also went after financial news reporters, including The Wall Street Journal, along with other American companies.

In November 2015, the US indicted three men for the hack and fraud scheme: Gery Shalon, Joshua Samuel Aaron and Ziv Orenstein. All three are now in custody in the US, with charges pending.

According to the indictment unsealed at the time, Shalon was the mastermind of the whole operation, which prosecutors dubbed “hacking as a business model.” Shalon was the owner of US-based Bitcoin exchange Coin.mx, which he operated with Orenstein. Both are Israelis.

With the help of Aaron, an American, the group allegedly bought up the type of penny stocks so often used in pump-and-dump scams. Then, using the customer data allegedly stolen from JPMorgan, Dow Jones, Scottrade and others, they blasted out emails to dupe the financial organizations’ customers and subscribers into buying the junk.

It worked like a charm: they allegedly pocketed $2m from one deal alone. Prosecutors said the scheme generated “tens of millions of dollars in unlawful proceeds.”

According to Monday’s indictment, Tyurin took his marching orders from Shalon. The New York Times reports that Tyurin’s lawyer, Florian Miedel, said in a statement that his client was “hired by the originators and brains of the scheme to infiltrate vulnerable computer systems at their direction.”

From that statement:

He has now accepted responsibility for his particular and limited role in this far-reaching conspiracy, and hopes to return to his wife and young daughter as soon as possible.

Miedel declined to tell the Times whether Tyurin would be cooperating in the prosecution of the other men who’ve been indicted in the scheme, as did prosecutors.

Prosecutors said that Tyurin’s cyberattacks did more than just get customer details used in the pump-and-dump aspect of the criminal business: they were also used to support other illegal businesses, including unlawful internet gambling businesses and international payment processors.

Overall, the illegal businesses were a goldmine: Tyurin, Shalon, and their co-conspirators allegedly obtained “hundreds of millions of dollars in illicit proceeds,” prosecutors said.

So much for the hacking that fueled that money machine: Monday’s guilty plea spells an end to Tyurin’s years-long cyberattacking spree, said Manhattan US Attorney Geoffrey S. Berman:

With today’s plea, Tyurin’s global reign of computer intrusion is over and he faces significant time in a US prison for his crimes.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/tqRY012oxXA/

Hackers are infecting WordPress sites via a defunct plug-in

If you’re a WordPress admin using a plug-in called Rich Reviews, you’ll want to uninstall it. Now. The now-defunct plug-in has a major vulnerability that allows malvertisers to infect sites running WordPress and redirect visitors to other sites.

Rich Reviews is a WordPress plugin that lets sites manage reviews internally in WordPress, and also displays a business’s Google reviews underneath a search result. Marketing company Nuanced Media released it in conjunction with plug-in developer Foxy Technology in January 2013.

The honeymoon didn’t last long, though. Updating an old blog post earlier this month, Nuanced Media reaffirmed that it had discontinued the plugin. It blamed a change in Google’s schema guidelines that stopped merchants displaying review star ratings on their own URLs.

The company’s last update to the Rich Reviews GitHub repository was over three years ago. The plugin finally disappeared from the WordPress site in March this year. It had accumulated 106,000 downloads in total.

The problem is that at least some of those downloaders (16,000, by some estimates) are still using it, and have been stung by a nasty vulnerability. The security bug allows attackers to inject malvertising code into victims’ WordPress pages, littering them with pop-up ads or redirecting them to other sites.

Wordfence, which sells a WordPress firewall, disclosed the bug on Tuesday.

The attackers rely on two shortcomings in the plugin. The first is a lack of access controls for POST requests that modify the plug-in’s options, meaning that attackers can make those requests without authorisation.

The second bug is an input validation flaw. Some of those modification requests can change the text displayed on the site, but the plug-in doesn’t validate the content of the request.

These two flaws combined mean that attackers can inject JavaScript code directly onto the website page.
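The two weaknesses described above (an options-update handler reachable without authorisation, and a stored value that is neither validated nor escaped) are a recurring WordPress plugin pattern. The following is an added illustration using a hypothetical `example_reviews` plugin; it is not code from Rich Reviews, Nuanced Media or Wordfence, and it assumes standard WordPress core functions (`add_action`, `current_user_can`, `check_admin_referer`, `sanitize_text_field`, `esc_html`, `wp_nonce_field`). The weak handler is left unregistered and shown only to make the contrast concrete.

```php
<?php
/*
 * Added illustrative example for a hypothetical "example_reviews" plugin.
 * Not code from Rich Reviews. Requires WordPress core; not a stand-alone script.
 */

// --- Weak pattern (kept unregistered here) ----------------------------------------
// 1. No access control: hooking admin_post_nopriv_* lets unauthenticated POSTs to
//    wp-admin/admin-post.php reach the handler, and there is no capability or nonce check.
// 2. No input validation: the posted value is stored verbatim and later printed raw,
//    so markup in the option ends up in every page that renders it.
//
//   add_action('admin_post_nopriv_example_reviews_save', 'example_reviews_save_weak');
//   add_action('admin_post_example_reviews_save',        'example_reviews_save_weak');
function example_reviews_save_weak() {
    update_option('example_reviews_header_text', $_POST['header_text']);
    wp_safe_redirect(wp_get_referer());
    exit;
}
function example_reviews_render_weak() {
    echo '<h2>' . get_option('example_reviews_header_text', '') . '</h2>';
}

// --- Hardened pattern ---------------------------------------------------------------
// Only the logged-in hook is registered, so anonymous POSTs never reach the handler.
add_action('admin_post_example_reviews_save_v2', 'example_reviews_save_hardened');
function example_reviews_save_hardened() {
    // Capability check: only users who may manage options can change plugin settings.
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('You are not allowed to change these settings.'), '', array('response' => 403));
    }
    // Nonce check: the request must come from the plugin's own settings form.
    check_admin_referer('example_reviews_save_v2', '_example_reviews_nonce');
    // Input validation: strip tags and control characters before the value is stored.
    $text = isset($_POST['header_text'])
        ? sanitize_text_field(wp_unslash($_POST['header_text']))
        : '';
    update_option('example_reviews_header_text', $text);
    wp_safe_redirect(add_query_arg('updated', '1', wp_get_referer()));
    exit;
}
// Output escaping: even a value that slipped past validation is rendered as text, not markup.
function example_reviews_render_hardened() {
    echo '<h2>' . esc_html(get_option('example_reviews_header_text', '')) . '</h2>';
}
// Settings form that emits the nonce the hardened handler verifies.
function example_reviews_settings_form() {
    echo '<form method="post" action="' . esc_url(admin_url('admin-post.php')) . '">';
    echo '<input type="hidden" name="action" value="example_reviews_save_v2">';
    wp_nonce_field('example_reviews_save_v2', '_example_reviews_nonce');
    echo '<input type="text" name="header_text" value="'
        . esc_attr(get_option('example_reviews_header_text', '')) . '">';
    echo '<button type="submit">Save</button>';
    echo '</form>';
}
```

Each of the three hardening steps closes one door independently: the capability check stops the anonymous or low-privilege write, the nonce stops a logged-in admin being tricked into submitting the form from another site, and escaping at render time means a bad value in the database still cannot execute in visitors’ browsers.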

Attackers are already exploiting this bug in the wild, according to Wordfence. It is being used as part of a long-running malvertising campaign that the company has reported on before, in which the attackers redirect visitors to pharmaceutical sites or directly attack their browsers.

Some WordPress users confirmed that they are already suffering from exploits based on this vulnerability.

Posting in a WordPress support forum, WordPress user @the9mm warned that the plugin had allowed malware to infect three of her four sites, redirecting visitors to malware and porn sites. She added:

Deactivating and removing the plugin fixed this.

Nuanced Media replied immediately in the same forum, explaining that it was working on a fix that would be available within the next two weeks:

We’ve been working on an overall rewrite of this plugin for a while now, but someone out there apparently wanted us to work faster on it, and decided to exploit our plugin to get some malware out there. We’re now going double-quick on it, and hope to have it back up (and newly cozy and secure) within the next two weeks.

However, Wordfence wasn’t impressed. People can’t update the plugin unless Nuanced Media reintroduces it onto the WordPress site, it said. It also criticised Nuanced Media’s “vague timeline” for a fix, which is why it decided to disclose the issue immediately so that people could ditch it.

One thing is clear: Nuanced Media knew that there was a security issue with this plug-in back in March. The plug-in page cites the reason for the removal as a security issue, although it’s not clear what that issue was.

Nuanced Media CEO Ryan Flannagan told us that it was WordPress that removed the plug-in back in March, adding:

The removal of Rich Reviews from the WordPress plugin repository removed it from our priorities, as well.

He said that the company won’t be supporting Rich Reviews in the long term, concluding:

It’s distressing to know that something we created is being used as a vector of attack: hurting businesses, frustrating website administrators, and benefiting the worst sort of scummy spammers. However, due to the recent Google Schema update and the scope of the project Nuanced Media will not be supporting the continued development of Rich Reviews.

The company is looking for developers who are interested in taking over the plug-in’s development, he added.

This raises an interesting question for the WordPress community. If a company publishes a plug-in and thousands of people use it, should it have a duty to fix known security bugs as early as possible, even if the plug-in is taken down?

Automattic, which makes WordPress, didn’t respond to our questions. However, Mikey Veenstra, the threat analyst at Wordfence who posted about the bug, did:

Fortunately, in most cases we see responsive developers who take security seriously and are prompt to address any issues. There are always exceptions like these, though.

The biggest goal for the community is to focus on educating developers about best practices, he concluded.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/qE8j8GEJrAI/

S2 Ep10: Emotet’s back, mutant WannaCry and Insta scam – Naked Security Podcast

Episode 10 of the Naked Security podcast is now available.

Anna Brading is back to host the show this week with Mark Stockley, Ben Jones and special guest Peter Mackenzie.

Ben explains why Emotet is back [2’54”], Peter discusses his latest research into WannaCry [18’37”] and Mark shares the latest Instagram phish [33’36”].

Listen and rate via iTunes...
Sophos podcasts on Soundcloud...
RSS feed of Sophos podcasts...

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/nWmQT0mc684/

Now Uncle Sam would like a word with Brit teen TalkTalk hacker about a huge crypto-coin heist

One of the teens behind the 2015 hack on UK telco TalkTalk has been indicted in the US over a huge cryptocurrency heist.

Elliott Gunton, 19, is facing five separate charges ranging from computer fraud and abuse to wire fraud and aggravated identity theft. Potential penalties for the offences range from two to 20 years in prison.

Gunton (AKA “Planet”) – along with co-defendant Anthony Tyler Nashatka of New York (AKA “Psycho”) – is accused of accessing cryptocurrency exchange EtherDelta and emptying user accounts. No total figure for the fraud is given in the court documents, but one account lost about $800,000. The alleged offences date back to 2017.

The indictment claims that the two used a variety of techniques to get access to EtherDelta’s hosting account on Cloudflare. This included redirecting phone calls to a Google Voice account in order to access two-factor authentication checks, the document says.

They then allegedly accessed Cloudflare systems and redirected the DNS settings to an IP address registered to a UK company. By setting up a fake EtherDelta website, they could then access complete account details whenever a customer attempted to log in. These details could then be used to access and empty the actual customer accounts.

Elliott Gunton was in court in Norwich last month, when he was found guilty of money laundering and computer misuse offences.

Gunton accessed Australian telco Telstra’s systems to seize control of an Instagram account with more than a million followers. At the time of his arrest, police found a Bitcoin wallet containing more than £400,000 in the cryptocurrency earned from flogging account details on cybercrime forums. He was ordered to hand that money to police.

He was also found to be in breach of his Sexual Harms Prevention Order (SHPO) after cops found a copy of a disk cleaner and deletion tool on his laptop. SHPOs normally include a condition that prevents suspects from deleting any internet history so police can easily monitor compliance. Indecent images of children were found on his computer when the then 16-year-old was convicted of the TalkTalk attack in 2016.

Although he was sentenced to 20 months, he was immediately released due to time served on remand. He was also served with a three-and-a-half-year community order restricting his internet and software use. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/26/talktalk_hacker_indicted_in_us/

Four words from Cisco to strike fear into the most hardened techies: Guest account as root

Cisco has doled out yet more security updates for its IOS and IOS XE network operating systems, which, we are obliged to remind you, is its scheduled six-monthly patch run and not the usual “oh bugger” state of affairs.

In the latest run we have a dozen patches for 13 vulnerabilities rated “high”, including ones that cause denial-of-service conditions, allow command injection, and let attackers gain unauthorised access to IOS-running devices.

Oh, and one that allows guest users to gain root access to Cisco’s 800 and 1000 series Industrial Integrated Services Routers. No biggie.

Scoring 9.9 on the CVSS severity scale (Cisco doesn’t say which version), the bug “could allow an authenticated, remote attacker to gain unauthorized access to the Guest Operating System (Guest OS) running on an affected device” as root.

The vuln comes about through faulty “role-based access control evaluation” if your low-priv guest account requests access to a Guest OS that ought to be restricted to admins only. Full details are here on Cisco’s website, including how to check whether Guest OS is enabled on your routers.

Otherwise, the rest of the vulns, rated at CVSS 8.6 and below, were all about DoS-triggering conditions – with the exception of a digital signature bypass vuln in IOS XE. That vuln, however, was only exploitable (so Cisco said) by an “authenticated, local attacker”.

Back in May, the American switch maker patched a pile of problems that could have allowed attackers to commandeer routers for any kind of nefarious doings. In principle, the guest-as-root vuln patched today is the exact same thing.

Also in May came news of a new big-vuln-with-a-silly-but-eyecatching-name, dubbed Thrangrycat for reasons entirely beyond us.

The meat of it was that rogue IOS XE admin users could execute commands as root on the underlying Linux shell and then leverage that to tamper with the Trust Anchor FPGA module on the physical router. Trust Anchor, among other things, is supposed to ensure that system code, from the pre-bootloader stage onward, hasn’t been tampered with.

“Crucially, this vuln means a snoop in your network infrastructure can persist even after you think you’ve flushed them out with software patches and password changes,” we reported at the time.

Going back a further whole two months to March 2019, Cisco issued a bunch of out-of-band security patches.

Meanwhile, the rest of the world crows about Huawei equipment being a security risk, whether from pisspoor dev practices or from the espionage point of view. Get patching, folks. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/26/cisco_guest_as_root_vuln_patches/

Why You Need to Think About API Security

Businesses of all sorts are increasingly relying on APIs to interact with customers in smartphone apps, but they have their own unique set of vulnerabilities.

As cyberattackers continue to take advantage of vulnerable people, processes, and technology, they are also expanding their operations beyond the usual targets. Nothing appears to be outside of their jurisdiction, and no one is 100% safe from their malicious campaigns. Although organizations are making progress in protecting themselves, as soon as one attack vector is thwarted, another quickly becomes exposed.

Today’s adversaries are focusing on APIs in particular, which are quickly becoming the new attack frontier. Recent reports suggest that by 2022, API abuses will be the vector most responsible for data breaches within enterprise web applications. This is primarily due to the extensive growth of API implementations worldwide, providing a new target that hasn’t been widely exploited yet. With this, protecting APIs is becoming more important.

Although the concepts of API security are somewhat new, the attacks that can be performed through them are not. Most organizations have been experiencing similar threats targeting their networks and Internet-facing applications for years. Now, they must focus their efforts on mobile apps, APIs, and back-end servers being targeted by similar methods as seen in the past. Before discussing the risks associated with today’s APIs, we must first understand exactly what makes them unique and vulnerable.

API-Based Apps vs. Traditional Apps
API-based apps are significantly different from traditional applications. In the past, users/visitors would access a web server via a browser, for example, and most of the “data processing” was performed on the server itself. As client devices became more varied and increasingly powerful — with faster CPUs, extensive memory, more bandwidth, etc. — much of the logic moved away from being performed on back-end servers to the front end (that is, on the client device itself) as highlighted in the graphic below.

In the modern application at the bottom of this graphic, the downstream server acts more like a proxy for the data consumed by the API-based app. The rendering component in this instance is the client that consumes the raw data, not the server itself.

Many will remember the early days of using smartphones and traditional websites when trying to reserve a flight, for example. People would open a browser on their phone and attempt to use an airline website that was designed for a large computer monitor, not a small smartphone screen. This didn’t work too well, and companies began to update their websites by making them more smartphone-friendly. Although this improved the customer experience, navigating a website and completing an airline reservation was still quite cumbersome.  

As a result, airlines, hotels, car rental companies, etc., began to develop their own mobile apps. Instead of trying to reserve a flight using a mobile-friendly version of the airline’s website via a browser on their phone, people now download and install the airline’s mobile app and use it exclusively when reserving flights directly from their smartphones. So, how is this different? 

When making a flight reservation using an airline mobile app, the app uses API calls that are interacting with back-end servers primarily to retrieve data about flight schedules, availability, pricing, seats, etc. The app is also interacting with the user, allowing the customer to specify travel dates, departure and arrival cities, seat selection, and purchase options. In this case, the smartphone is performing almost all of the processing load of the flight reservation within the mobile app itself, without the use of a browser. Although this has tremendously improved the flight reservation experience overall when using a smartphone, it raises the question: Are APIs just as vulnerable to cyberattacks as browser-based applications?

The Risks Associated with APIs
Unfortunately, APIs are also exposed to attacks and, at a high level, suffer from security issues similar to those of their browser-based counterparts. However, since APIs expose the underlying implementation of a mobile app, the user’s state is usually maintained and monitored by the client app, and more parameters are sent in each HTTP request (object IDs, filters, etc.), some of the security issues surrounding APIs are unique. For the most part, these issues lead to vulnerabilities that can be categorized into three areas of concern:

  • Exposing sensitive data
  • Intercepted communications
  • Launching denial-of-service (DoS) attacks against back-end servers

A Good Project with a Noble Cause
As a result of a broadening threat landscape and the ever-increasing usage of APIs, I, along with Inon Shkedy, head of security research at Traceable.ai, have been spearheading the OWASP API Security Top 10 Project. The project is designed to help organizations, developers, and application security teams become more aware of the risks of APIs.

Here’s what makes the project important: According to the project’s site, “a foundational element of innovation in today’s app-driven world is the API. From banks, retail, and transportation to IoT, autonomous vehicles, and smart cities, APIs are a critical part of modern mobile, SaaS, and web applications, and APIs can be found in customer facing, partner facing, and internal applications. By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and because of this, have increasingly become a target for attackers. Without secure APIs, rapid innovation would be impossible.”

The OWASP API Security Project aims to develop, release, and track an ongoing top 10 list of the risks that organizations face concerning their use of APIs, similar to the OWASP Top 10 Most Critical Web Application Security Risks. From broken object-level authorization to insufficient logging and monitoring, this list rounds up the most critical API risks facing businesses while also providing example attack scenarios and recommendations for mitigating these threats. IT teams, security professionals, and developers alike would be well-advised to carefully read through this list to better understand the benefits of APIs, as well as the potential risks presented through their implementation as adversaries set their sights on this emerging target. 
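The point above about object IDs travelling in every request, and the list’s first entry (broken object-level authorization), come down to one back-end decision: whether the server checks that the caller is entitled to the specific object it names. The following is an added, stand-alone PHP 8 script with constructed in-memory data; it is not code from the article, Checkmarx or the OWASP API Security project. It contrasts a handler that trusts the client-supplied ID with one that authorizes per object, allow-lists the fields it returns (the “exposing sensitive data” concern), and budgets requests per caller (the DoS concern).

```php
<?php
/*
 * Added example: constructed data, hypothetical handlers. Run with: php example.php
 */
declare(strict_types=1);

// Constructed sample store: reservation id => record. "passport" must never leave the
// back end; "owner" is the account the object belongs to.
const RESERVATIONS = [
    101 => ['owner' => 'alice', 'flight' => 'XY123', 'seat' => '12A', 'passport' => 'P1234567'],
    102 => ['owner' => 'bob',   'flight' => 'XY456', 'seat' => '3C',  'passport' => 'P7654321'],
];

// Allow-list of fields a client may receive; anything not listed is dropped.
const CLIENT_FIELDS = ['flight', 'seat'];

// Weak handler: returns whatever object the client asks for, regardless of who is asking
// (OWASP API1, broken object-level authorization). $caller is ignored on purpose.
function get_reservation_weak(string $caller, int $id): ?array
{
    return RESERVATIONS[$id] ?? null;
}

// Hardened handler: authorization is evaluated against the specific object, and the
// response is a projection of allowed fields rather than the raw record.
function get_reservation_hardened(string $caller, int $id): array
{
    $record = RESERVATIONS[$id] ?? null;
    // Identical response for "does not exist" and "not yours", so ids cannot be probed.
    if ($record === null || $record['owner'] !== $caller) {
        return ['status' => 404, 'body' => null];
    }
    return ['status' => 200, 'body' => array_intersect_key($record, array_flip(CLIENT_FIELDS))];
}

// Fixed-window request budget per caller: a minimal brake on a client hammering the
// back end. Time is passed in so the behaviour is deterministic.
final class FixedWindowLimiter
{
    private array $hits = [];

    public function __construct(private int $limit, private int $windowSeconds) {}

    public function allow(string $caller, int $now): bool
    {
        $slot = $caller . ':' . intdiv($now, $this->windowSeconds);
        $this->hits[$slot] = ($this->hits[$slot] ?? 0) + 1;
        return $this->hits[$slot] <= $this->limit;
    }
}

// Front door: apply the budget before any handler runs.
function handle_request(FixedWindowLimiter $limiter, string $caller, int $id, int $now): array
{
    if (!$limiter->allow($caller, $now)) {
        return ['status' => 429, 'body' => null];
    }
    return get_reservation_hardened($caller, $id);
}

// Demonstration on the constructed data.
var_dump(get_reservation_weak('alice', 102));      // bob's full record, passport included
var_dump(get_reservation_hardened('alice', 102));  // status 404, body null
var_dump(get_reservation_hardened('alice', 101));  // status 200, only flight and seat

$limiter = new FixedWindowLimiter(3, 60);
for ($i = 1; $i <= 5; $i++) {
    $r = handle_request($limiter, 'alice', 101, 1000);
    printf("request %d: HTTP %d\n", $i, $r['status']);   // 200, 200, 200, 429, 429
}
```

The third concern in the list, intercepted communications, is not something a handler can fix on its own; it belongs to the transport layer (TLS on every API endpoint, and certificate validation in the mobile client), which is why it is left out of the script.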


Erez Yalon heads the security research group at Checkmarx. With vast defender and attacker experience and as an independent security researcher, he brings invaluable knowledge and skills to the table. Erez is responsible for maintaining Checkmarx’s top-notch vulnerability …

Article source: https://www.darkreading.com/application-security/why-you-need-to-think-about-api-security/a/d-id/1335861?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

TalkTalk still struggles to shut down legacy email addresses on request

Months after The Register first wrote about TalkTalk failing to close a former customer’s email address, the firm is still using the General Data Protection Regulation as an excuse for dragging its heels.

Reg reader Rose got in touch with us after reading our report of the zombie TalkTalk email account from March to complain that although her own email account had also been hacked, the ISP was messing her around.

Rose’s situation was a little trickier than our reader from March: although she had a TalkTalk email address, it was originally set up as part of a broadband subscription in her mother’s name. Recently, however, it was accessed by someone with nefarious intent.

“Someone has been able to reset my passwords for Amazon, eBay, my broadband provider, iTunes and more,” she told us. “I have now had to cancel my debit and credit cards for security reasons so, as a result, have no access to my bank accounts.”

After reading our story from March, when TalkTalk was able to shut down a compromised email address within five hours of us writing about it, Rose contacted TalkTalk – but she wasn’t happy with its response.

“Last week I phoned TalkTalk on five separate occasions, at one time spending over two hours on the phone, to no avail,” Rose told us. “I was eventually told that the Manchester team would call me back to sort the issue and cancel my email but never received a call. I then called again but was told the Manchester team only do outbound calls,” she told us, branding TalkTalk customer service “appalling”.

Rose said she was told to submit two forms of ID to TalkTalk “under the GDPR right to erasure”. That right is found in section 47 of the Data Protection Act 2018. She said that TalkTalk told her she’d have to wait 30 days, which she pointed out “obviously leaves my account open to fraud for another month”.

A TalkTalk spokesperson claimed the delay was caused by ID verification problems, telling us: “We take matters of data protection and security seriously. As such, we need to be sure that any request to update or delete an email account is valid.”

As The Reg reported in March, people may feel sceptical about sending copies of their IDs to a company with TalkTalk’s record on data protection.

“We have made several attempts to contact the account holder this month. However, as a temporary measure, we have now forced a password on the email account while we continue to liaise with the customer to get this matter resolved as soon as possible,” the spokesman added.

We also asked TalkTalk why it would take 30 days to shut down the account, and why it hasn’t sorted out its internal processes for closing down legacy email addresses on request. It did not answer. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/26/talktalk_email_address_closure_fail_v2/