Somebody has unwittingly exposed sensitive contract details for a TalkTalk Business UK ISP subsidiary (Greystone Telecom) to the internet by failing to prevent anonymous access via their Microsoft IIS web server. TalkTalk claims to be busy tracking the source down.
According to The Register, the vulnerable server is hosted by a Demon Internet account holder. Because its contents (customer data, contract prices, copies of sales orders and spreadsheets) were effectively public, they have since been indexed by Google’s search engine. A spokesperson for TalkTalk allegedly said that, as it wasn’t one of their servers, they couldn’t tackle the problem, although the ISP has since told us something slightly different.
A TalkTalk spokesperson told ISPreview.co.uk:
“We take data protection very seriously and have launched an investigation. We have established that the data did not come from any of our servers or any of our contractors’ servers, and that our firewalls and security procedures are functioning properly.
We are working to identify the IP address from which this data was disseminated, and are in contact with the appropriate authorities.”
Being the curious types, we decided to do a little digging and found the offending server in a single search, although it mostly contained maintenance contracts / orders for Greystone. For obvious reasons we’ve chosen not to mention where it is, but anybody could easily track it down. Some of the information could prove to be commercially sensitive and we’re currently attempting to get further clarification from TalkTalk.
UPDATE 1:11pm
Updated the article to reflect TalkTalk’s official line.