UPDATE8 TalkTalk’s Reputation Hit After Hackers Steal Personal Data

Once, twice, but three times? Broadband ISP TalkTalk have admitted that their on-going website problems are the result of a “sustained cyberattack” that appears to have been launched in an attempt to steal yet more of their customers private personal and financial data.

The providers website has been suffering from problems since Wednesday and if it does turn out that hackers have breached their systems for a third time then the loss of customer trust could be significant, which might affect their ability to grow.

Most consumers do have some variable tolerance for such things, after all no system can be 100% secure and there is always a risk, but having three such incidents occur within the space of a year is another story entirely. The fact that some of them have could have impacted millions of people makes it extremely serious.

At the time of writing TalkTalk, whose website has been under attack since Wednesday (here), has not yet been able to 100% confirm the loss of personal data, but their warnings about it have been stark and the Metropolitan Police’s Cyber Crime Unit are already involved.

Dido Harding, CEO of TalkTalk, said:

“TalkTalk constantly updates its systems to make sure they are as secure as possible against the rapidly evolving threat of cyber crime, impacting an increasing number of individuals and organisations. We take any threat to the security of our customers’ data extremely seriously and we are taking all the necessary steps to understand what has happened here.

As a precaution, we are contacting all our customers straight away with information, support and advice around yesterday’s attack.”

The ISPs more than four million customers are now being asked to watch for suspicious activity, such as any phone calls coming from people claiming to be TalkTalk’s customer support agents.
Often fraudsters will use this tactic to try and get your password or they may request that you download software on to your computer, which will hijack it.

On top of that it’s also wise to watch for any calls that request your bank details and if this happens then put the phone down (hang-up), wait 20 minutes and then call or email the ISP directly to clarify. The wait period ensures that nobody is still hanging on an active phone line, pretending to be from the ISP.

TalkTalk’s Security Statement

We are very sorry to tell you that on Thursday 22nd October a criminal investigation was launched by the Metropolitan Police Cyber Crime Unit following a significant and sustained cyberattack on our website on Wednesday 21st October. The investigation is ongoing, but unfortunately there is a chance that some of the following data may have been accessed:

• Names
• Addresss
• Dates of birth
• Email addresses
• Telephone numbers
• TalkTalk account information
• Credit card details and/or bank details

We are continuing to work with leading cyber crime specialists and the Metropolitan Police to establish exactly what happened and the extent of any information accessed.

We would like to reassure you that we take any threat to the security of our customers’ data very seriously. We constantly review and update our systems to make sure they are as secure as possible and we’re taking all the necessary steps to understand this incident and to protect as best we can against similar attacks in future. Unfortunately cyber criminals are becoming increasingly sophisticated and attacks against companies which do business online are becoming more frequent.

What we are doing

• We are contacting all our customers straight away to let them know what has happened and we will keep you up to date as we learn more
• We have taken all necessary measures to secure our website following the attack
• Together with cybercrime experts, the security services and the police, we’re continuing to complete a thorough investigation
• We’ve contacted the major banks, and they will be monitoring for any suspicious activity on our customers’ accounts
• We have contacted the Information Commissioner’s Office

What you can do

• Keep an eye on your accounts over the next few months. If you see anything unusual, please contact your bank and Action Fraud as soon as possible. Action Fraud is the UK’s national fraud and internet crime reporting centre, and they can be reached on 0300 123 2040 or via www.actionfraud.police.uk
• If you are contacted by anyone asking you for personal data or passwords (such as for your bank account), please take all steps to check the true identity of the organisation.
• Check your credit report with the three main credit agencies: Call Credit, Experian and Equifax

Unfortunately TalkTalk has now developed a very shaky history on this front. Another breach occurred at the end of last year, although during that incident it took the ISP considerably longer to acknowledge the problem and by that time their customers were already being plagued by calls from fraudsters (here).

Later a second incident hit the Carphone Warehouse in August 2015, which also indirectly impacted customers of TalkTalk’s Mobile division (here). Suffice to say that the last 12 months have proven to be somewhat of a headache for the ISP, although we suspect that their customers have had a rather more painful time.

UPDATE 7:46am

The Government’s Information Commissioner’s Office (ICO), which is responsible for enforcement of the Data Protection Act 1998 (DPA), have moments ago confirmed that they’re aware of the situation and are starting an investigation.

UPDATE 9:56am

Some users on TalkTalk’s Wholesale / partner lines with other providers have asked if the problem affects them. The good news is that it doesn’t, the attack only struck at TalkTalk’s own retail ISP portal and thus it “doesn’t impact our partner accounts and customers,” said the ISP.

UPDATE 10:08am

Apparently even TalkTalk’s CEO doesn’t know if the data that may have been stolen is secure.

UPDATE 2:14pm

The CEO of TalkTalk, Dido Harding, confirms that she has received a ransom email from the alleged hacking group. Harding told the BBC, “It is hard for me to give you very much detail, but yes, we have been contacted by, I don’t know whether it is an individual or a group, purporting to be the hacker. All I can say is that I had personally received a contact from someone purporting – as I say I don’t know whether they are or are not – to be the hacker looking for money.”

UPDATE 25th October 2015

TalkTalk has issued a new statement to help clarify that the most sensitive financial details, such as card numbers etc., does not appear to have been stolen.

Cyber Attack Update

Following our announcement on 22 October 2015 of the significant and sustained Cyber Attack on 21 October 2015, and launch of a criminal investigation by the Metropolitan Police, the current status of our investigation is as follows:

– This cyber attack was on our website not our core systems

– We can confirm that we do not store complete credit card details on the website; any credit card details that may have been accessed had a series of numbers hidden and therefore are not usable for financial transactions eg 012345xxxxxx 6789

– TalkTalk My Account passwords have not been accessed

– We now expect the amount of financial information that may have been accessed to be materially lower than initially believed and would on its own not enable a criminal to take money from your account

– The Metropolitan Police Cyber Crime Unit criminal investigation continues

All customers should:

– Sign up to your free credit reporting service using this code: TT231. We have partnered with Noddle, one of the leading credit reference agencies, to offer 12 months of credit monitoring alerts for all TalkTalk customers.

– Change your passwords – While TalkTalk My Account passwords have not been accessed, it would be prudent to change your TalkTalk password once this service is back up and running, and any other accounts that use the same password. We will update as soon as services are restored

– Report anything suspicious – Keep an eye on your bank account and report anything unusual to your bank and Action Fraud as soon as possible. Action Fraud is the UK’s national fraud and internet crime reporting centre, and can be reached on 0300 123 2040 or via http://www.actionfraud.police.uk

– Stay vigilant – TalkTalk will NEVER call customers and ask you to provide personal details or passwords. Please take all steps to check the true identity of any organisation that calls requesting for personal information. You can call us on 0800 083 2710 or 0141 230 0707.

UPDATE 26th October 2015

At the time of writing TalkTalk’s product pages remain off-line and some investors might even be hoping that the ISPs CEO, Dido Harding, would do the same as over the past 48 hours she seems to have rediscovered a knack for saying the wrong things.

In an interview with The Guardian Harding said that the ISP’s cybersecurity was, at least in one area, now “head and shoulders better than some of our competitors and some of the media bodies that were throwing those particular stones“. Granted this was a comment made in regards to one specific area, but right now it’s not a remark they can afford to make.

Meanwhile the ISP is still unable to confirm how many of its customers have suffered as a result of the latest breach and in a separate Sunday Times interview the providers CEO tripped up again by saying that they were under no “legal obligation” to encrypt sensitive customer data.

“It wasn’t encrypted, nor are you legally required to encrypt it. We have complied with all of our legal obligations in terms of storing of financial information,” said Harding. As above, it’s technically true but saying that doesn’t really help the situation. Customers want to hear what positive improvements will be made, not another defence of what hasn’t worked.

On the flip side we have to give TalkTalk some credit for being so open about all this, but for that to work correctly Harding may need some additional coaching from her PR team.

UPDATE 26th Oct @ 12:17pm

Just adding the video message from TalkTalk’s CEO below.

UPDATE 26th Oct @ 2:45pm

Thanks to one of our readers, Bob, for noting that the Shadow Minister for Business, Innovation and Skills, Chi Onwurah, is to ask an Urgent Question on data breaches and consumer protection on Monday 26 October 2015 in the House of Commons. She will ask about the Government’s responsibilities and policies protecting consumers and infrastructure from large scale data breaches such as that suffered by Talk Talk.

It is estimated the Urgent Question will begin 4.15pm, following a separate Urgent Question on the arrest of protesters. Timings are approximate.

http://www.parliament.uk/business/news/2015/october/urgent-question-on-data-breaches-26-october-2015/

UPDATE 26th Oct @ 7:28pm

Reports are coming in that a boy (aged 15) from Northern Ireland has been arrested under the Computer Misuse Act, which is in connection to the TalkTalk hack.

A spokesperson for TalkTalk told ISPreview.co.uk, “[We] can confirm that we have been informed by the Metropolitan Police of the arrest of a suspect in connection with the cyberattack on our website on 21^st October 2015. We know this has been a worrying time for customers and we are grateful for the swift response and hard work of the police. We will continue to assist in the ongoing investigation.”

UPDATE 30th October 2015

The boy arrested at the end of last week may have been bailed, pending a further hearing in November and some completely ludicrous coverage (here), but today’s BBC update reports that a second kid (aged 16) has now been arrested in London. The police have reportedly also searched a residential address in Liverpool.

Further details about what information was actually stolen have also been released (here).