
UPDATE 8 TalkTalk’s Reputation Hit After Hackers Steal Personal Data

Friday, October 23rd, 2015 (7:10 am)

Once, twice, but three times? Broadband ISP TalkTalk have admitted that their ongoing website problems are the result of a “sustained cyberattack” that appears to have been launched in an attempt to steal yet more of their customers’ private personal and financial data.

The provider’s website has been suffering from problems since Wednesday, and if it does turn out that hackers have breached their systems for a third time then the loss of customer trust could be significant, which might affect their ability to grow.

Most consumers have some tolerance for such things; after all, no system can be 100% secure and there is always a risk. But three such incidents within the space of a year is another story entirely, and the fact that some of them could have impacted millions of people makes it extremely serious.

At the time of writing TalkTalk, whose website has been under attack since Wednesday (here), has not yet been able to fully confirm the loss of personal data, but their warnings about it have been stark and the Metropolitan Police’s Cyber Crime Unit is already involved.

Dido Harding, CEO of TalkTalk, said:

“TalkTalk constantly updates its systems to make sure they are as secure as possible against the rapidly evolving threat of cyber crime, impacting an increasing number of individuals and organisations. We take any threat to the security of our customers’ data extremely seriously and we are taking all the necessary steps to understand what has happened here.

As a precaution, we are contacting all our customers straight away with information, support and advice around yesterday’s attack.”

The ISP’s more than four million customers are now being asked to watch for suspicious activity, such as phone calls from people claiming to be TalkTalk customer support agents. Fraudsters often use this tactic to try to get your password, or they may ask you to download software on to your computer, which will then hijack it.

On top of that it’s also wise to watch for any calls that request your bank details; if this happens then put the phone down (hang up), wait 20 minutes and then call or email the ISP directly to clarify, using a number from your bill or the ISP’s own website rather than one the caller gave you. The wait period matters because on some landlines the caller can keep the line open after you hang up, so that your “new” call is answered by the same fraudster pretending to be from the ISP; calling back from a different phone (a mobile, say) avoids that problem entirely.

TalkTalk’s Security Statement

We are very sorry to tell you that on Thursday 22nd October a criminal investigation was launched by the Metropolitan Police Cyber Crime Unit following a significant and sustained cyberattack on our website on Wednesday 21st October. The investigation is ongoing, but unfortunately there is a chance that some of the following data may have been accessed:

  • Names
  • Addresses
  • Dates of birth
  • Email addresses
  • Telephone numbers
  • TalkTalk account information
  • Credit card details and/or bank details

We are continuing to work with leading cyber crime specialists and the Metropolitan Police to establish exactly what happened and the extent of any information accessed.

We would like to reassure you that we take any threat to the security of our customers’ data very seriously. We constantly review and update our systems to make sure they are as secure as possible and we’re taking all the necessary steps to understand this incident and to protect as best we can against similar attacks in future. Unfortunately cyber criminals are becoming increasingly sophisticated and attacks against companies which do business online are becoming more frequent.

What we are doing

  • We are contacting all our customers straight away to let them know what has happened and we will keep you up to date as we learn more
  • We have taken all necessary measures to secure our website following the attack
  • Together with cybercrime experts, the security services and the police, we’re continuing to complete a thorough investigation
  • We’ve contacted the major banks, and they will be monitoring for any suspicious activity on our customers’ accounts
  • We have contacted the Information Commissioner’s Office

What you can do

  • Keep an eye on your accounts over the next few months. If you see anything unusual, please contact your bank and Action Fraud as soon as possible. Action Fraud is the UK’s national fraud and internet crime reporting centre, and they can be reached on 0300 123 2040 or via www.actionfraud.police.uk
  • If you are contacted by anyone asking you for personal data or passwords (such as for your bank account), please take all steps to check the true identity of the organisation.
  • Check your credit report with the three main credit agencies: Callcredit, Experian and Equifax

Unfortunately TalkTalk has now developed a very shaky history on this front. Another breach occurred at the end of last year, although during that incident it took the ISP considerably longer to acknowledge the problem and by that time their customers were already being plagued by calls from fraudsters (here).

A second incident then hit Carphone Warehouse in August 2015, which also indirectly impacted customers of TalkTalk’s Mobile division (here). Suffice it to say that the last 12 months have proven to be something of a headache for the ISP, although we suspect that their customers have had a rather more painful time.

UPDATE 7:46am

The UK’s Information Commissioner’s Office (ICO), which is responsible for enforcing the Data Protection Act 1998 (DPA), has moments ago confirmed that it is aware of the situation and is starting an investigation.

UPDATE 9:56am

Some users on TalkTalk’s Wholesale / partner lines with other providers have asked if the problem affects them. The good news is that it doesn’t, the attack only struck at TalkTalk’s own retail ISP portal and thus it “doesn’t impact our partner accounts and customers,” said the ISP.

UPDATE 10:08am

Apparently even TalkTalk’s CEO doesn’t know whether the data that may have been stolen was encrypted.

UPDATE 2:14pm

The CEO of TalkTalk, Dido Harding, confirms that she has received a ransom email from the alleged hacking group. Harding told the BBC, “It is hard for me to give you very much detail, but yes, we have been contacted by, I don’t know whether it is an individual or a group, purporting to be the hacker. All I can say is that I had personally received a contact from someone purporting – as I say I don’t know whether they are or are not – to be the hacker looking for money.”

UPDATE 25th October 2015

TalkTalk has issued a new statement to clarify that the most sensitive financial details, such as full card numbers, do not appear to have been stolen. One caveat worth adding: a card number masked in the form shown below (first six and last four digits visible) cannot be used to make a payment, but the first six digits identify the issuing bank and card type, which is exactly the sort of detail a fraudster uses to make a follow-up phone call sound genuine.

Cyber Attack Update

Following our announcement on 22 October 2015 of the significant and sustained Cyber Attack on 21 October 2015, and launch of a criminal investigation by the Metropolitan Police, the current status of our investigation is as follows:

– This cyber attack was on our website not our core systems

– We can confirm that we do not store complete credit card details on the website; any credit card details that may have been accessed had a series of numbers hidden and therefore are not usable for financial transactions eg 012345xxxxxx 6789

– TalkTalk My Account passwords have not been accessed

– We now expect the amount of financial information that may have been accessed to be materially lower than initially believed and would on its own not enable a criminal to take money from your account

– The Metropolitan Police Cyber Crime Unit criminal investigation continues

All customers should:

– Sign up to your free credit reporting service using this code: TT231. We have partnered with Noddle, one of the leading credit reference agencies, to offer 12 months of credit monitoring alerts for all TalkTalk customers.

– Change your passwords – While TalkTalk My Account passwords have not been accessed, it would be prudent to change your TalkTalk password once this service is back up and running, and any other accounts that use the same password. We will update as soon as services are restored

– Report anything suspicious – Keep an eye on your bank account and report anything unusual to your bank and Action Fraud as soon as possible. Action Fraud is the UK’s national fraud and internet crime reporting centre, and can be reached on 0300 123 2040 or via http://www.actionfraud.police.uk

– Stay vigilant – TalkTalk will NEVER call customers and ask you to provide personal details or passwords. Please take all steps to check the true identity of any organisation that calls requesting personal information. You can call us on 0800 083 2710 or 0141 230 0707.

UPDATE 26th October 2015

At the time of writing TalkTalk’s product pages remain off-line, and some investors might even be hoping that the ISP’s CEO, Dido Harding, would do the same, as over the past 48 hours she seems to have rediscovered a knack for saying the wrong things.

In an interview with The Guardian Harding said that the ISP’s cybersecurity was, at least in one area, now “head and shoulders better than some of our competitors and some of the media bodies that were throwing those particular stones”. Granted this was a comment made in regards to one specific area, but right now it’s not a remark they can afford to make.

Meanwhile the ISP is still unable to confirm how many of its customers have suffered as a result of the latest breach, and in a separate Sunday Times interview the provider’s CEO tripped up again by saying that they were under no “legal obligation” to encrypt sensitive customer data.

“It wasn’t encrypted, nor are you legally required to encrypt it. We have complied with all of our legal obligations in terms of storing of financial information,” said Harding. As above, it’s technically true that the DPA does not name encryption, although its seventh principle does require “appropriate technical and organisational measures” against unauthorised processing of personal data, so the claim is narrower than it sounds. Either way, saying it doesn’t really help the situation. Customers want to hear what positive improvements will be made, not another defence of what hasn’t worked.

On the flip side we have to give TalkTalk some credit for being so open about all this, but for that to work correctly Harding may need some additional coaching from her PR team.

UPDATE 26th Oct @ 12:17pm

Just adding the video message from TalkTalk’s CEO below.

UPDATE 26th Oct @ 2:45pm

Thanks to one of our readers, Bob, for noting that the Shadow Minister for Business, Innovation and Skills, Chi Onwurah, is to ask an Urgent Question on data breaches and consumer protection on Monday 26 October 2015 in the House of Commons. She will ask about the Government’s responsibilities and policies for protecting consumers and infrastructure from large scale data breaches such as that suffered by TalkTalk.

It is estimated the Urgent Question will begin 4.15pm, following a separate Urgent Question on the arrest of protesters. Timings are approximate.

http://www.parliament.uk/business/news/2015/october/urgent-question-on-data-breaches-26-october-2015/

UPDATE 26th Oct @ 7:28pm

Reports are coming in that a boy (aged 15) from Northern Ireland has been arrested under the Computer Misuse Act in connection with the TalkTalk hack.

A spokesperson for TalkTalk told ISPreview.co.uk, “[We] can confirm that we have been informed by the Metropolitan Police of the arrest of a suspect in connection with the cyberattack on our website on 21st October 2015. We know this has been a worrying time for customers and we are grateful for the swift response and hard work of the police. We will continue to assist in the ongoing investigation.”

UPDATE 30th October 2015

The boy arrested at the end of last week may have been bailed pending a further hearing in November, and has attracted some completely ludicrous coverage (here), but today’s BBC update reports that a second teenager (aged 16) has now been arrested in London. The police have reportedly also searched a residential address in Liverpool.

Further details about what information was actually stolen have also been released (here).

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England); he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.
31 Responses
  1. FibreFred

    Very bad news, three times in a year might mean easy pickings

    I wonder how long it will be before the marketeers start using this

    “And unlike talktalk we have kept your data safe”

    • I doubt any sensible ISP in this country, especially the big boys, would risk selling themselves in that way. Nearly everybody in this market has suffered a security lapse at some point or another and no company or ISP can truly claim 100% security, such a thing does not and never will exist.

    • Yes, it would tend to be a red rag to a bull if another ISP tried that tack.

    • themanstan

      I suspect that ICO will be somewhat ruthless if they find that TT hasn’t improved its security arrangements since last time…

    • Bob2002

      Experian, one of the largest credit agency data brokers in the world, got hacked recently in the US – “It exposed up to 15 million people who may have had their names, addresses, and social security, driver’s license and passport numbers stolen. The license and passport numbers were in an encrypted field, but Experian said that encryption may also have been compromised.”

      Having said that, three times in a year is a joke …

  2. FibreFred

    It’s such a problem these days: the bigger the supplier, the bigger the honey pot. Yes, I think with a count of three the ICO will be quite hard on them.

    I think something needs to change really to make this info less valuable, credit card info and address and phone number is of great value, I wonder how valuable just an address and phone number is these days if the credit card info could be replaced with something else

    • FibreFred

      What I find amazing is that the CEO can’t confirm if the customer data is encrypted 😐

    • lol, my guess would be that by “not confirming” it, she just has! 🙂

    • FibreFred

      Hmmm, I think this will be a challenging few months for TalkTalk…. and for Dido; three times on her watch now, and people are always looking for swords and people to fall onto them.

      I thought TalkTalk were investing in the latest technology, how about some that has been around for years…. encryption! We all know how persistent and clever hackers are (in fact we probably don’t know the half of it) but… let’s not make it even easier for them if they get in?

  3. dragon

    I wonder what data (if any) was leaked about end user customers of providers that use TT wholesale; I’d have hoped that was a different, unconnected database and thus not at risk.

    However TT would have to have some data on these customers in order to have arranged the line installation etc.

  4. PeterM

    I don’t understand why companies need date of birth information. Why not ask the customer to simply confirm that they are 18 or that their age falls into a certain range.

    • FibreFred

      Yeah I think the whole way of verifying and storing info needs looking at, because this sort of thing gets more and more frequent and as we’ve seen you can’t rely on companies to protect all of this data stored together. There needs to be some radical change to the way this is done to make it less attractive because even if the Top 100 companies could prevent such attacks (and that’s a big if) they’ll just go for easier targets.

  5. dragoneast

    Is there a conundrum: money laundering and copyright theft regulations (to beat criminality and improve security) require ever more personal information to be disclosed (and stored) to show we are who we say we are, whilst the ever greater amount of such information itself becomes a source of data theft (more criminality and defeats security)? Modern technology hasn’t changed one thing: the left hand still doesn’t know what the right hand is doing.

    • Steve Jones

      You are clearly correct. The more each company needs to know about us, the more likely that data is to be compromised.

      Just about the only solution to this is some form of one-time authentication device which you carry around. It’s inconvenient and tedious of course, and it needs authentication itself. However, some banks already insist on every on-line transaction using one-time authentication devices. It would be nice to have a single such device, but designed in such a way that it can be used by multiple companies but designed in a way that means that no company can compromise the system.

      The device really ought to use biometric data (thumbprint?) and be designed in such a way that it can’t be spoofed.

      Of course it’s also necessary to deal with situations where the device is lost/forgotten and so on.

      In any event, this needs some serious thinking and just requiring people to use ever less memorable passwords and personal information is wrong.

      nb. one tip on those “personal question” things is never to use real data. For example, if you are asked what school you first went to, invent a fictitious one. Never use information which can be obtained from public sources.

    • dragoneast

      It’s the old argument about ID Cards (electronic or otherwise) isn’t it? As ever, we’ll choose the old British fudge which avoids the Big Brother approach, but has lots of little brothers all collecting and holding more and more personal information, and hope for the best. No doubt the ICS will come in after the event and tell us what we should all be doing, and might even make a few bob for the Treasury on the side. Then we’ll all carry on as before.

    • dragoneast

      typo fault again: ICO not ICS!

  6. FibreFred

    This might not be over yet either, apparently TT have received a ransom email that threatens to release the data if not paid and also a threat to bring their service down 😐

  7. PeterM

    I think it would be much better if companies didn’t hold any customer bank or credit card details at all.
    The customer could pay directly from their Bank account using BACS, Counter Credit or Direct Debit and just quote a reference number as proof of payment.
    For credit card payments the Credit Card service provider could simply offer a third party service.

  8. FibreFred

    As the apparent leaked data is now showing up on the net there are unconfirmed reports it was a DDoS and SQL injection combo.

    If it’s an SQL injection attack then on my word…. that would be very embarrassing

    • Colin

      Tonight on the news they said that the shares in TalkTalk have dropped and investors’ and customers’ trust has also waned. So I wonder, are we seeing the final weeks or months of TalkTalk?

      TalkTalk in the past swallowed up struggling companies like Tiscali, HomeChoice etc. Now could we see one of the big ISPs knocking on the door of TalkTalk? I’ve heard rumours that Virgin Media would like to get into IPTV services, so they could be one who will be interested in TalkTalk’s infrastructure and customer base. And don’t forget Sky, they’ve got some money to spend and again don’t take kindly to competition.

    • FibreFred

      It is very serious indeed but I’d like to think they’ll weather the storm and get their numbers back over time, but then it’s hard to imagine a customer that would want to stay after this?

      What do TalkTalk have that is worth staying for/risking a fourth, fifth, sixth data breach for?

      When Sony had their breach you couldn’t just swap to another PlayStation Network provider, but you can change broadband/TV/phone provider with ease.
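Comment 8 above mentions unconfirmed reports of a DDoS and SQL injection combination. What follows is an added example, not code from this page, from TalkTalk or from any commenter, and it says nothing about how the real attack worked; it illustrates the general class only (the injection half, not the DDoS). It shows a web lookup that splices user input into SQL text beside the parameterised form, run against a constructed in-memory SQLite database. The table and column names (`customers`, `accounts`, `card_masked`), the sample e-mail addresses and the masked card strings are all made up for the demo and are not TalkTalk's schema or data.

```python
import sqlite3

# Constructed sample rows for the demo only; not real customers, not TalkTalk's schema.
# The card column holds the masked form (first six and last four digits) the page describes.
SAMPLE_CUSTOMERS = [
    ("alice@example.invalid", "Alice Example", "012345xxxxxx6789"),
    ("bob@example.invalid", "Bob Example", "543210xxxxxx9876"),
]
# A second, unrelated table that the lookup page never displays. Included to show that
# injection reaches whatever the application's database user can read, not just the
# table behind the form.
SAMPLE_ACCOUNTS = [
    ("carol@example.invalid", "Carol Example", "1970-01-01"),
]


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database populated with the two constructed tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT, card_masked TEXT)")
    conn.execute("CREATE TABLE accounts (email TEXT, name TEXT, dob TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Injectable form: the caller's string becomes part of the SQL statement text."""
    sql = "SELECT email, name, card_masked FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, email: str) -> list:
    """Hardened form: the value is bound as a parameter, so quotes inside it are just data."""
    sql = "SELECT email, name, card_masked FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Two textbook payloads: a tautology that makes the WHERE clause match every row, and a
# UNION that pulls three columns from the unrelated table through the same statement.
TAUTOLOGY = "nobody@example.invalid' OR '1'='1"
UNION_DUMP = "x' UNION SELECT email, name, dob FROM accounts WHERE '1'='1"


def run_demo() -> dict:
    """Run both payloads through both lookups and return the rows each one yields."""
    conn = build_db()
    return {
        "legit": lookup_parameterised(conn, "alice@example.invalid"),
        "vulnerable_tautology": lookup_vulnerable(conn, TAUTOLOGY),
        "vulnerable_union": lookup_vulnerable(conn, UNION_DUMP),
        "parameterised_tautology": lookup_parameterised(conn, TAUTOLOGY),
        "parameterised_union": lookup_parameterised(conn, UNION_DUMP),
    }


if __name__ == "__main__":
    for label, rows in run_demo().items():
        print(f"{label}: {len(rows)} row(s) {rows}")
```

In the vulnerable path the tautology returns every customer and the UNION payload returns Carol's date of birth from a table the page never queries; the parameterised path returns nothing for either payload because the whole string is compared as a literal e-mail address. The fix is in how the statement is built, not in filtering quote characters at the edge, which is why a statement like "the attack was on our website not our core systems" is only as reassuring as the privileges of the account the website used to reach the database.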

  9. Colin

    I would switch to Sky or Plusnet/BT tomorrow, but I just renewed my contract for 18 months and a new 12 month mobile contract. There must be loads like me out there who are stuck!

    I wonder if Ofcom will step in and force TalkTalk to allow us to switch without penalties? Here’s hoping

    • FibreFred

      That question was asked to Dido directly and she said now was not the time to sweep aside T&Cs in that manner and they need to see who has been affected first, but would take customer cases on a case by case basis.

      That said I’m sure their terms state they are not responsible for loss of data, no doubt the same for all ISPs and many other companies operating online

      Making people stay would only damage them further though if you have been affected

  10. dragoneast

    Can’t help feeling that Dido was spending rather too much time telling BT how to run its business (or at least the rest of us) and rather too little watching, and understanding, what was going on in her own patch. She isn’t the first, and won’t be the last to suffer from that little problem, though.

    • Big Geoff Mitchell

      Yeah, I think it is fair to say that Dido and TalkTalk will keep their heads down for a while.

    • TheFacts

      And paid £3000/hour.

    • FibreFred

      She is the master of spin 🙂 apparently it’s “good news” that the amount of data stolen isn’t as bad as first believed, even though it’s the same details they previously stated could have been stolen. It’s a bonus no one can take money direct from your bank; let’s not dwell on the fact that what has been stolen is identity theft gold and for years will allow crooks to apply for loans and such like and trash your credit rating

  11. themanstan

    Nice… Sunday Times interview has summed up their position… we did the least required by law… should have been followed up with a “we will review this going forwards”…

  12. Captain.Cretin

    Douglas Adams had a plot line called “The Hot Potato” in one of his books, about something that could bring you good luck in the short term, but had to be passed on before it brought even greater bad luck.

    TT bought the hot potato that was Tiscali, which bought several hot potatoes in the form of smaller UK ISPs, and carried on with their chaotic billing and accounts systems.

    No surprise that the hot potato is now causing bad luck.

    Better to let it die than pass it on to someone else.

  13. Captain.Cretin

    TT security, so good a PFY can hack it.

