Inquiry into TalkTalk hack has its own web security issue

Graham Cluley

Oh dear.

The UK Parliament’s Culture, Media and Sport Committee has launched an inquiry “into cyber security following the recent cyber-attack of TalkTalk’s website.”

Parliament inquiry

Nothing wrong with that, of course.


And the committee is inviting those with opinions to send in their submissions by November 23.

Ok, that sounds fair enough.

But… do you see something amiss when you go to the form where you are supposed to submit your information?

Submission form

Yes, that’s right. The webpage doesn’t use HTTPS.

In other words, anything you type into the form, and any files you attach, *could* be intercepted by someone snooping on your Wi-Fi connection, or anywhere else on the path between your browser and Parliament's server. So there goes your name, address, email address, phone number, and whatever else you put in your submission…
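A quick way to catch this class of problem before it reaches a live form is to audit the page the way a browser would: find every form, resolve where it actually submits to, and flag anything that travels over plain HTTP. The script below is an added example written for this article, not code from the post or from Parliament's website; the page URL and HTML it inspects are constructed stand-ins (`example.invalid`), chosen so the script runs offline. It goes slightly beyond the case above in that it also flags a form whose action is HTTPS when the page itself was served over HTTP, because an attacker on the path can rewrite the form before you ever fill it in.

```python
"""Flag HTML forms whose submission would travel over plain HTTP.

Added example, not from the original post. The sample page and URL below
are constructed; they stand in for a real form page fetched from a site.
Only the standard library is used, so it runs offline.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect each <form>'s action plus the names of its input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            name = a.get("name")
            # Submit buttons carry no user data; everything else is worth listing.
            if name and (a.get("type") or "").lower() != "submit":
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return one finding per form: where it posts and whether that is safe.

    A form is flagged when either the page itself or the resolved action URL
    is served over http://. An HTTP page is unsafe even with an https://
    action, since a man-in-the-middle can rewrite the form before submission.
    """
    parser = FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        # An empty action means "submit back to the page URL" (browser default).
        action_url = urljoin(page_url, form["action"]) if form["action"] else page_url
        action_scheme = urlsplit(action_url).scheme.lower()
        problems = []
        if page_scheme != "https":
            problems.append("page served over %s" % page_scheme)
        if action_scheme != "https":
            problems.append("form posts over %s" % action_scheme)
        findings.append({
            "action": action_url,
            "fields": form["fields"],
            "safe": not problems,
            "problems": problems,
        })
    return findings


# Constructed sample: a submission page served over plain HTTP, with one
# form posting personal details and an attachment relative to the page, and
# a second form whose action is absolute HTTPS.
SAMPLE_PAGE_URL = "http://example.invalid/inquiry/submit"
SAMPLE_HTML = """
<html><body>
<form action="/inquiry/upload" method="post" enctype="multipart/form-data">
  <input name="name"><input name="email"><input name="phone">
  <textarea name="address"></textarea>
  <input type="file" name="attachment">
  <input type="submit" value="Send">
</form>
<form action="https://search.example.invalid/q" method="get">
  <input name="q">
</form>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        status = "OK " if f["safe"] else "BAD"
        print(status, f["action"], "fields=%s" % ",".join(f["fields"]),
              "; ".join(f["problems"]))
```

Run it against the constructed page and both forms come back flagged: the first because page and action are both HTTP, the second only because the page is HTTP. Swap the page URL for an `https://` one and the same HTML passes, which is exactly the fix the inquiry's form needed.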

This isn't the way to do website security.

By the way, in case you weren’t aware, TalkTalk CEO Dido Harding is a Conservative Peer (going by the title of Baroness Harding of Winscombe).

She is married to Conservative MP John Penrose.

John Penrose was, until 2012, the Parliamentary Under-Secretary of State at the Department for Culture, Media and Sport.

Small world isn’t it?

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

3 comments on “Inquiry into TalkTalk hack has its own web security issue”

  1. drsolly

    I can't help feeling a bit sorry for TalkTalk, because they're so completely out of their depth, and even more for Dido, who looks like a puppy that has just been swiped by a rolled-up newspaper and hasn't the faintest idea what she could possibly have done wrong and how to make the wielder of the newspaper happy.

    I'd like to give her a biscuit.

    1. furriephillips · in reply to drsolly

      Bloody hell, I wouldn't give her a biscuit! She looks like she needs a hug, a good night's sleep & maybe a new job.

      That aside, TalkTalk needs a slap around the face with a wet fish. They've been operating like incompetent fools, with their heads in the sand. Their disregard for customer data and apparent lack of interest in and nous about security just makes me think they really don't deserve to be in business – certainly they don't deserve and never will get mine.

  2. coyote

    'In fact, a 15-year-old could probably tell you this isn't the way to do website security – but they're probably too busy looking for SQL injection exploits and launching denial-of-service attacks to bother with this.'

    Thanks for that, Graham. As I saw "the 15-year-old could probably tell you …" (I read more than one word at a time but ended up around there), I hoped you would end up where you did in some way or another (I only thought of SQL injections though, not DoS attacks, so you went beyond my expectations there).
