Greystone Telecom, adopted child of TalkTalk and provider of telecommunications to the business community, is unwittingly sharing customer and contract details with the world: but TalkTalk doesn’t care.
The details include customer and contract prices, copies of sales orders and spreadsheets showing how things are going at the subsidiary which TalkTalk acquired last November.
The mistake is a classic: Microsoft’s IIS – the server that comes with Windows – is configured by default for anonymous access, and happily allows itself to be indexed (and cached) by the ever-helpful Google crawlers. In this case, the documents now readily to be found on teh interwebs (and flagged up to us by an alert Reg reader) include all kinds of handy information regarding Greystone customers and what deals they’ve struck with the TalkTalk tentacle.
The offending Windows box isn’t on TalkTalk’s own network – it’s hosted on the Demon Internet subnet. This, apparently, means that TalkTalk doesn’t care.
“It’s not one of our servers, so it’s not our problem,” a TalkTalk rep told us. “Our firewalls are all secure.”
So as long as the company’s sensitive data isn’t being hosted by TalkTalk then the company has no problem with it being shared around the internet?
Given the propensity of Demon customers to hold static IPs, it seems as if this server is perhaps a contractor’s home machine, a conclusion supported by the other documents knocking around the server, which include installation manuals for MS Lync and a file of “hold music” for Manchester-based Titan Telecom.
Open FTP servers are nothing new, but Google’s omniscience makes them far more vulnerable. Where hackers would previously have had to scour random IP addresses in the hope of striking lucky, now they can just get Google to do their heavy lifting for them (though a glance at the traffic on the far side of any firewall shows there are still plenty of old-school hackers out there).
What’s remarkable is TalkTalk’s cavalier attitude to its data. Companies normally protect their customer lists and pricing information, for commercial reasons if not simply good manners, but tracking down the individual running this server is obviously too much effort for TalkTalk.