So it looks like TalkTalk have had their customers' database exfiltrated and it seems they have done everything wrong! It's a shame as I've found them to be a fine ISP (MUCH better than Virgin) with good speeds and impressive uptime. They haven't bugged me endlessly with the TV and mobile up-sell and the bill has remained consistently ~£15 a month less than Virgin ever was.
So, having watched with a mixture of annoyance and amusement, here are a few thoughts:
- Don't claim that "we take customer account security extremely seriously" after a breach; behave like you believed it before the hack,
- Don't hide behind the claim that "...we have been suffering a sustained attack" - all ISPs (or any big internet property) are under constant DDoS and other assault; it's no excuse today.
- Don't tell customers to go and update their user passwords and then have a broken website for twelve (and counting!) hours afterwards,
- Hash your customer database with a reliable method (even MD5!) and salt the hash - in 2015 this is now considered standard practice for people who "take security extremely seriously" (sic),
- Don't tell customers to "keep an eye on their bank accounts and credit card statements" - this is your fault, don't load the responsibility for the mess onto customers,
- Put data security and best practice ahead of sponsoring TV talent shows,
- Have a chief executive (who had the nerve to go on Newsnight) who actually knows how your customer database works - they're the CEO of an ISP for goodness sake!
So that's it; perhaps now ISPs will use the results of proper pen-testing as marketing rather than the guff that passes for customer information currently in service provider adverts. If one company includes the word "bcrypt" on their website they'll get my business.
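To make the "salt the hash" point above concrete, here is an added example (my own illustration, not TalkTalk's code or anything from the post) of the difference between an unsalted, fast hash and a per-user salted, slow password hash. It uses PBKDF2-HMAC-SHA256 from the Python standard library only because it needs no third-party package; bcrypt (as named above), scrypt or Argon2 are the better choices where a library is available. One caveat to the list item: MD5, even salted, is far too fast to be a sensible password hash in 2015, because an attacker holding the leaked table can test billions of guesses a second against it. The iteration count, salt length and the three sample customers are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factor for PBKDF2-HMAC-SHA256. This is an assumed value kept modest so
# the example runs quickly; in production tune it to your hardware, and prefer
# bcrypt, scrypt or Argon2 where a library is available.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_md5(password: str) -> str:
    """The scheme to avoid: one fast hash, no salt. Every user with the same
    password gets the same digest, and a precomputed table cracks it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm, iterations, salt, digest.

    A fresh random salt is generated per user unless one is supplied
    (supplying one is only useful for tests)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and parameters and compare in
    constant time. Malformed or foreign records are rejected, never accepted."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2], validate=True)
        expected = base64.b64decode(parts[3], validate=True)
    except (ValueError, TypeError):
        return False
    if iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def reveals_shared_passwords(records: Dict[str, str]) -> bool:
    """What a thief learns from the stolen column alone: with unsalted hashes,
    equal digests expose which users share a password before any cracking."""
    digests = list(records.values())
    return len(digests) != len(set(digests))


if __name__ == "__main__":
    # Constructed sample: three customers, two of whom chose the same password.
    users = {"alice": "correct horse", "bob": "correct horse", "carol": "Tr0ub4dor&3"}

    md5_column = {u: unsalted_md5(p) for u, p in users.items()}
    salted_column = {u: hash_password(p) for u, p in users.items()}

    print("unsalted MD5 leaks shared passwords:", reveals_shared_passwords(md5_column))
    print("salted PBKDF2 leaks shared passwords:", reveals_shared_passwords(salted_column))
    print("login alice/correct horse:", verify_password("correct horse", salted_column["alice"]))
    print("login alice/wrong:", verify_password("wrong", salted_column["alice"]))
```

The stored record carries its own algorithm name and iteration count, so the work factor can be raised later and old records re-hashed at next login without a flag day; `verify_password` refuses anything it does not recognise rather than falling back to a weaker check, and the comparison uses `hmac.compare_digest` so a wrong guess takes the same time as a near miss.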