UK ISP TalkTalk Reveals Precisely How Much Data Was Stolen in Hack

Internet provider TalkTalk has today confirmed exactly how much data was compromised in last week’s website hack and the good-ish news is that less than 21,000 unique bank account details were stolen, although 1.2 million customer email addresses, names and phone numbers weren’t so lucky.

The hack, which was the result of a combined Distributed Denial of Service (DDoS) assault and later an SQL Injection exploit against TalkTalk’s website, has kept the ISP’s online ordering system offline for over a week. Outside of that the Metropolitan Police’s Cyber Crime Unit has also made two arrests around the UK, both of which appear to involve teenage boys.

Meanwhile the ISP, which is clearly aware that their reputation has taken a significant beating (well it was the third such incident inside of 12 months), have continued to try and be as open and honest as possible with their customers and the public. Admittedly that hasn’t always gone as planned and TalkTalk’s CEO, Dido Harding, sometimes said the wrong things.

Never the less we’ve today been given more information to help clarify precisely what information was accessed by the hacker(s) and the good news is that most of TalkTalk’s customers won’t have been affected by the loss of sensitive financial data. Mind you a lot of general person data was still compromised.

Update on Cyber Attack (30th October 2015)

Since the cyber attack on our website on Wednesday 21st October 2015, we have been working to establish what happened and, importantly, understand the extent of any individual customer data stolen during this attack. In light of the potential scale of attack, our responsibility last week was to inform all customers as quickly as possible. Our investigation continues, but we now know the extent of the data accessed is significantly less than originally suspected and can confirm that the following personal data were accessed:

– Less than 21,000 unique bank account numbers and sort codes;

– Less than 28,000 obscured credit and debit card details (as previously stated, the middle 6 digits had been removed)

– Less than 15,000 customer dates of birth

– Less than 1.2 million customer email addresses, names and phone numbers.

As we have previously confirmed, the credit and debit card details cannot be used for financial transactions. In addition, we have shared the affected bank details with the major UK banks so they can take their usual actions to protect customers’ accounts in the highly unlikely event that a criminal attempts to defraud them. We also encourage all our customers to take up the free 12 months of credit monitoring alerts with Noddle, one of the leading credit reference agencies, using the code TT231.

Even though the scale of the attack is significantly smaller than initially suspected, we continue to advise customers to be vigilant, and to take all precautions possible to protect themselves from scam phone calls and emails. We want to make customers aware that we will not call or otherwise contact them regarding this incident and ask for bank details or other financial or personal information.

It’s important to reflect that TalkTalk doesn’t store complete credit and debit card details on their website, which is what was hacked. All of the exposed card details had a series of numbers hidden and therefore are not usable for financial transactions (e.g. 012345 xxxxxx 6789). TalkTalk’s “My Account” passwords were also NOT accessed.

Dido Harding, CEO of TalkTalk, added: “Given the potential size of this attack, we decided to be as open, honest and transparent as we could because we wanted to keep our customers informed and ensure they had the advice and support they need.

Today we can confirm that the scale of attack was much smaller than we originally suspected, but this does not take away from how seriously we take what has happened and our investigation is still on going. On behalf of everyone at TalkTalk, I would like to apologise to all our customers. We know that we need to work hard to earn back your trust and everyone here is committed to doing that.”

Incidentally a third person, this time a man (aged 20), has also been arrested in connection with the hack. The previous two arrests involved young teenage boys.