UK ISP TalkTalk Admits to Security Breach of Home Engineer Data
Oh no, not again. TalkTalk has found itself in yet more hot water over their security after the ISP admitted that private information being held by its own “BrightSparks” engineers (NOT Openreach) had been compromised and strategically abused to defraud several subscribers.
At this point we’ve started to lose track of the ISPs security fails, but sadly here’s another one to add to last year’s huge cyber-attack (here) and of course the recent abuse by Wipro’s call centre staff in India (here) that may or may not be related to today’s news.
The latest situation began last November after criminals attempted to steal money from several of the ISP’s customers, often only a day after they had been visited by one of TalkTalk’s broadband engineers. During the visit the engineer told the customers to expect a follow-up call the next day, which occurred as planned, but the BBC’s Radio 4 Money Box programme notes that all was not what it seems.
Apparently the follow-up call, which confirmed accurate details of the earlier visit (i.e. the caller clearly had access to the subscriber’s information), then proceeded to trick TalkTalk’s customers into allowing them to take control of their computers by installing Malware for the purpose of carrying out fraudulent activity.
As if the situation couldn’t get any worse the ISP initially refused to acknowledge that the call had even taken place, although this was perhaps a result of the fraudsters working to cover their tracks or possibly not even using the official call centre. In a brief statement the ISP said it was “sorry” for the problems and confirmed that they had also notified the Information Commissioners Office (ICO).
Crucially it’s unclear if the recent Wipro arrests are related to today’s news and TalkTalk will not comment until the investigation has concluded. Unfortunately this isn’t the end of the story because another customer told the same radio show that they too had suffered a similar indecent, which occurred only last week. TalkTalk claims not to have received any further complaints about this issue since last year, so hopefully the one who called into Money Box is promptly moving to update them.
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on Twitter, Google+, Facebook and Linkedin.
« TalkTalk Joins Major UK ISPs to Sign Nuisance Calls Strategy with Ofcom
Privacy Notice: Please note that news comments are anonymous, which means that we do NOT require you to enter any real personal details to post a message. By clicking to submit a post you agree to storing your comment content, display name, IP, email and / or website details in our database, for as long as the post remains live.
Only the submitted name and comment will be displayed in public, while the rest will be kept private (we will never share this outside of ISPreview, regardless of whether the data is real or fake). This comment system uses submitted IP, email and website address data to spot abuse and spammers. All data is transferred via an encrypted (https secure) session.
NOTE 1: Sometimes your comment might not appear immediately due to site cache (this is cleared every few hours) or it may be caught by automated moderation / anti-spam.
NOTE 2: Comments that break our rules, spam, troll or post via known fake IP/proxy servers may be blocked or removed.
I’m sure I vaguely recall something similar to this in the past? Can’t say it was TalkTalk for sure though but I do remember something about customer data being carried around by engineers and left in clear sight of other customers?
TalkTalk is fit for the bin, I don’t even think Dido’s spin can save it now
KCOM, I believe.
That’s the one 🙂 thanks
TalkTalk will carry on, but they need to start learning quick. What’s this about [intricate] indecency though Mark, the auto-filters will be having your site banned.
The scary thing about this is that the fraudsters obviously had near REAL TIME access to the data; calls were made the next day; so this isnt the result of a standard database hack, but someone with consistent, daily access to TT systems.
I have Scammers who ring me and tell me that they are from Talk Talk technical department, they are able to quote MY NAME, MY ADDRESS, MY PHONE No, MY TALK TALK ACCOUNT No.
They didn’t get this information from me