» ISP News » 

Snooping TalkTalk Security Feature Causes Customer Concern UPDATE2

Friday, April 20th, 2018 (9:00 am) - Score 21,389

A number of TalkTalk’s broadband ISP customers in the UK have raised concerns after the provider sent them an alarmist warning email, which without providing any useful details claimed that they “may have downloaded a virus on one or more of your devices” (phishing emails adopt a similar approach).

The message, which was sent several times (during different times of the day) to the same customers from a seemingly official address (info@consumer.talktalkplc.com), continued: “Unfortunately, we’ve detected a potential threat on one or more of your smartphones, tablets or computers. This may have come from an unsafe attachment, a phishing website or many other places, so we recommend you protect your devices to make sure any viruses you have are removed now.

At this point the message recommends that subscribers enable TalkTalk’s F-Secure based SuperSafe boost, which is an anti-virus software solution that is provided free with every package for use with one device (you can increase this up to 8 devices by upgrading to the Supersafe Boost but it’ll cost you +£2 extra a month). A copy of the email has been pasted below and we will continue our report beneath.


Suffice to say that the vague email resulted in a number of customers scrambling to conduct wider malware and anti-virus scans, except after several hours none of them found any such infections on their devices (note: this does not necessarily mean that a problem doesn’t exist, only that the users couldn’t find anything with their existing tools).

Related users promptly took to the ISP’s community forum (here, here and here) and began questioning whether the warnings were real or fake (phishing). Subscribers were equally curious as to how TalkTalk would even know if a virus had infected their system(s), which might raise one or two not insignificant issues about user privacy and monitoring.

TalkTalk Customer, Gondola, said:

“Well, info@consumer.talktalkplc.com is a genuine TalkTalk marketing / informational email. So based on the evidence so far it’s looking more and more like a badly conceived marketing effort that’s wasting all our time with a direct implication that a virus or malware has been downloaded.

Of course this means that the next time we receive a real warning there’s a real threat…people will ignore it. I’m not impressed TalkTalk.”

TalkTalk Customer, Marshals, said:

“The body of the email makes a specific claim that TT has detected a potential threat on one of my devices. There’s no equivocation there. So, I want to know what that potential threat is, so that I can act on it.

If this turns out to be a marketing campaign, and there never was any potential threat, TT will come out worse than when customer details were leaked. Lying to frighten your own customers does not look good.”

TalkTalk Customer, kobaltx, said:

“Today received e-mail from TT saying they had detected a virus on one of my devices and should go to my account and turn on F-Secure. This has been turned on for more than a year and account is still valid. Scanning my computer (this is the only way i contact TT) with F- Secure, Hitman Pro, Malwarebytes and MS Malware removal tool all turned up clean. I hesitate to report it as phishing as i recently renewed my contract and it may be a follow up thing.”

TalkTalk Customer, ITTroll, said:

“I received two copies of the same email today from TalkTalk … No specific details were provided and all very vague. I do not have Super Safe or Home Safe enabled. So this is either a fearmongering marketing email to upsell F-Secure, or TalkTalk have been monitoring my browsing and determined that I may have visited a potentially malicious site. Neither is particularly good.”

Initially the ISP’s community team responded to say they “can’t see anything [to say] that this came from [TalkTalk]“, although shortly after this they did confirm that it was “a genuine TalkTalk message” and after a few more hours an official statement finally dropped (below). In addition, the ISP noted that the message was only supposed to be sent once to each relevant user and that the repetition was done in error.

Official TalkTalk Statement

“One of our top priorities is keeping you and your family safe online, our Homesafe and Supersafe products helps keep you and your devices protected. Whilst we don’t monitor our customers internet traffic, our next generation DNS platform is able to identify traffic patterns from malware and potential threats on the network enabling us to notify our customers.”

We have seen other ISPs use similar detection methods before, such as when identifying whether specific subscribers are using a compromised (hacked) broadband router (these often change the DNS settings of the device and thus make a noticeable diversion in traffic flow etc.). Nevertheless in this case customers, including both those with and without HomeSafe and / or SuperSafe enabled, appeared to be receiving the same message.

The original message was quite specific in claiming that it had “detected a potential threat on one or more of your [devices],” although in the above statement they could just as easily be pointing the finger toward users who simply visited a bad website (even good websites can be marked bad by anti-virus firms, such as when they become briefly affected by a virus). Sadly TalkTalk failed to provide any useful detail to help users identify the true cause.

Some readers may recall that TalkTalk’s HomeSafe web filtering and monitoring system caused a bit of a privacy stir back in 2010 after customers noted that it was monitoring every URL (website address) they visited (here), even when they had chosen to disable it.

The ISP eventually responded to clarify that, “Our scanning engines receive no knowledge about which users visited what sites (e.g. telephone number, account number, IP address), nor do they store any data for us to cross-reference this back to our customers. We are not interested in who has visited which site – we are simply scanning a list of sites which our customers, as a whole internet community, have visited.”

The question now is whether or not TalkTalk have done a u-turn on the above commitment and we are still awaiting their response on that. All of this is occurring at a time when issues of internet privacy have become a hot topic in the news, not least due to the recent Facebook fiasco but also the forthcoming GDPR laws and fears of Russian hacking.

A TalkTalk Spokesperson told ISPreview.co.uk:

“We are continually investing in new ways to protect our customers and helping them to keep their devices free from malware is a top priority for us.

Our systems are able to identify devices that may have been infected with malware if they’ve connected to our network. These checks are done in the background and at no point do we monitor customers’ browsing history. Our recent awareness campaign was launched to inform our customers of the potential risks and provide tips on how to clean up their devices. We think it’s the right thing to do, so that our customers can keep their devices safe and running as well as they possibly can.”

Lest we forget that the government’s new Investigator Powers Act (IPA) does require larger ISPs to retain Internet Connection Records (ICR) for 12 months (assuming the code for this is ever finalised), which will include basic information about which IP addresses / servers / websites you’ve visited. All of this raises some interesting questions about the future approach by ISPs to user privacy and security, not least of which is where to draw the line.

However, if any ISPs are going to issue a message that runs the risk of scaremongering their users into thinking they have a virus on their computer, then at least give them a bit of useful detail about precisely what was detected so they know where to look (or even whether to bother looking at all). Otherwise such messages may end up looking too much like phishing or a poorly executed marketing exercise.

UPDATE 1:02pm

Added a new comment from TalkTalk above.

UPDATE 4:34pm

TalkTalk has tweaked their above statement slightly to clarify that they don’t identify the individual devices affected but do know it’s a device connected to their systems.

Leave a Comment
25 Responses
  1. Avatar Meadmodj

    Definitely up-selling F-Secure

  2. Avatar Sometimes but not always

    I received that rubbish too, I use Ubuntu. Perhaps the most important issue (at least for me) is that they include links in their “important emails” and in case that somebody receive a phishing one only will have the weakness of try to feds if the padlock that will see at top is not a fake. Obviously can check the address but is not for somebody who only turns the of on and off.

  3. Avatar IT Troll

    Thanks for raising awareness of this issue. The statement from TalkTalk certainly makes it sound like they have done a U-turn and are now cross-referencing detection data to identify and target specific users. I don’t see how any of this can really be done without deep inspection of browsing activity and recording more information than is required for IPA / ICR. Doing this for customers who have explicitly disabled the feature seems like a step over the line.

    • Avatar Mike

      Done via license keys and Anti-Virus database which reports malicious and potentially malicious data……… IE no different to how most Anti-Virus software works nowadays.

  4. Avatar Joe

    If the ISP can detect a genuine security issue and inform the user with meaningful information of what that issue is and what steps can be taken thats probably a good thing. Wave fluff helps no-one.

  5. Avatar Chris P

    They should make this a key feature of their offering and make more noise about it in their advertising. Consumers will then know to avoid TT if they don’t want it, or go for TT if they want virus and malware detection and built in method of removing as part of their contract offering. Plenty of people I would recommend this to as would save me an unpaid job.

    I personally wouldn’t trust or touch it, but then I don’t run windows or android and am happy with my security precautions.

    As the furture proposal for isp’s to retain meta data for 12 months is on the horizon, making that data downloadable to subscribers would be something I would be interested in as I’d like to see for myself what they see about the service I pay for.

    • Avatar Mike

      “I personally wouldn’t trust or touch it, but then I don’t run windows or android and am happy with my security precautions.”

      Dont worry you are not as elite as you think it will run on your Apple POS devices also.

  6. Avatar Ayaa H

    Sadly I have been I victim of fraud scam due to talk talk sharing my information with fraudsters..resulted in me loosing 20000 pound ..they called to say they found that a virus had attacked my internet and they offerd to send an engineer to fix it …i complained to talk talk they don’t even bother to speak to me ..the fraudsters new my name ,address mobile number and knew that I am.the account holder not my husband..
    Sadly the bank will not refund me..

  7. Avatar John

    I hope they get a big fat juicy fine for this stunt. Given their history it’s like their preying on their customers vulnerable state post hacking debacle. Utterly disgraceful and totally unacceptable.

    • Avatar Mike

      “I hope they get a big fat juicy fine for this stunt.”

      For what using anti virus software which reports malicious and potentially malicious data like almost every anti virus software on the market does nowadays?

  8. Avatar IT Troll

    With the introduction of GDPR next month, your IP address, browsing history and transactional data are all classed as personal data. TalkTalk are sharing this personal data with a third-party, Chinese firm Huawei, even though customers have opted out of the HomeSafe and Virus Alert services. So they will be doing this without their customers consent. TalkTalk could argue that they have a legitimate interest to maintain the security of their systems. However, exhaustive automated monitoring just on the off chance of finding something is not permitted. It will be interesting to see if this snooping continues post GDPR.

    • Avatar Rich

      Talk Talk are not sharing it with anyone else

    • Avatar IT Troll

      Are you sure? Full control of the scanning system and remote database sits with Chinese firm Huawei.


      But that’s OK because they stated that the data cannot be used to track back to customers. Oh wait, I just got an email…

    • Avatar Mike

      Feel free to provide some kind of proof to your ill found troll explanations.

    • Avatar IT Troll

      My proof is in TalkTalk’s own statements in response to these news articles. From your replies about serial numbers and anti-virus software you clearly don’t understand what is happening here. So TalkTalk’s services are ideal for you.

    • Avatar IT Troll

      “Done via license keys” – Mike, April 21, 2018 at 7:25 pm.
      Erm what? That’s some special comprehension right there. LOL.

    • Avatar Rich

      Thats exactly how many AV products identify specific users, (F-secure and Eset products to name 2) its even how windows update works. A serial or License key/number is checked against a database on a system. Originally designed to prevent piracy nowadays used to identify the user connecting.

      No where near as bad as the debacle with BT systems of the past like cleanfeed.

    • Avatar IT Troll

      That is true, but is nothing to do with this article and what TalkTalk are doing. People who received the email are not running AV products which would report back to TalkTalk. TalkTalk are inspecting Internet activity at the networking level.

    • Avatar Kelvin

      You are indeed correct rich that is exactly how the Talk Talk product works. I decided to enable it and then deliberately subject it to EICAR and WICAR testing, while network monitoring outbound packets and where they were being routed. Sure enough a few hours later i got the email and after investigating the packets and email come from a F-Secure Labs Inc server which probably explains while lower tier at TT knew little about it in the beginning.

      So nothing to worry about at all and just an AV product with heuristic (or as TT put it potential risk) built in.

      Theres no need for any foil hats or misinforming on this one.

    • Avatar IT Troll

      Which TalkTalk product are you taking about? SuperSafe is the device-based AV which is provided by F-Secure. HomeSafe is the network-level monitor/filter provided by Huawei. People who received the virus alert email had opted out of both of these products and certainly didn’t have TalkTalk’s AV installed.

    • Avatar Kelvin

      Both Homesafe and Supersafe have AV options and both are powered by F-Secure as detailed on the TT homesafe and Supersafe web pages.

      I will be going away later today on holiday for a week so i will be unable to test or answer any further queries you have about either product. From my testing the F-secure parts function absolutely fine.

      If are a TT user perhaps you could conduct further testing while i am away and any further questions you have can be discussed when i return.

    • Avatar IT Troll

      Hope you had a good holiday. Please provide a link to the TT HomSafe pages which details that HomeSafe includes AV from F-Secure. As far as au can see and according to all previous news reports it does not. The following is copied from the TT website.

      Security features can be a bit confusing. HomeSafe and SuperSafe are two separate tools that fight threats in different areas, and we always recommend you use them together for the best security.

      HomeSafe is a family-friendly web filter for your home Wi-Fi, blocking inappropriate content (KidSafe), as well as sites that could harbour malware (Virus Alerts), for any device that’s connecting to it. It’s free, there’s nothing to download, and you just activate it in My Account.

      SuperSafe protects a specific device wherever it’s online, fighting viruses that try to infect your devices and securing your banking and shopping.


  9. Avatar Ray Woodward

    He he, can always rely on Talk Talk to liven up a dull day 🙂

  10. Avatar Richard Woolf

    We received the above email around about 21st May. I was in hospital at the time so my wife called TalkTalk who transferred her to a 3rd party AW*Anomlatech who persuaded her t pay £99 to solve the ‘problem;. So it appears to have been fraudulent. Too late now, nearly 4 months later, to take it up with TalkTalk and I only recently agreed a new contract with them. Appalling

Comments RSS Feed

Javascript must be enabled to post (most browsers do this automatically)

Privacy Notice: Please note that news comments are anonymous, which means that we do NOT require you to enter any real personal details to post a message. By clicking to submit a post you agree to storing your comment content, display name, IP, email and / or website details in our database, for as long as the post remains live.

Only the submitted name and comment will be displayed in public, while the rest will be kept private (we will never share this outside of ISPreview, regardless of whether the data is real or fake). This comment system uses submitted IP, email and website address data to spot abuse and spammers. All data is transferred via an encrypted (https secure) session.

NOTE 1: Sometimes your comment might not appear immediately due to site cache (this is cleared every few hours) or it may be caught by automated moderation / anti-spam.

NOTE 2: Comments that break our rules, spam, troll or post via known fake IP/proxy servers may be blocked or removed.
Cheapest Superfast ISPs
  • Hyperoptic £19.95 (*22.00)
    Avg. Speed 50Mbps, Unlimited
    Gift: Promo Code: HYPER20
  • SSE £22.00
    Avg. Speed 35Mbps, Unlimited
    Gift: None
  • Plusnet £22.50 (*35.98)
    Avg. Speed 36Mbps, Unlimited
    Gift: £50 Reward Card
  • xln telecom £22.74 (*47.94)
    Avg. Speed 66Mbps, Unlimited
    Gift: None
  • Onestream £22.99 (*34.99)
    Avg. Speed 35Mbps, Unlimited
    Gift: None
Prices inc. Line Rental | View All
The Top 20 Category Tags
  1. BT (2742)
  2. FTTP (2675)
  3. FTTC (1769)
  4. Building Digital UK (1723)
  5. Politics (1633)
  6. Openreach (1593)
  7. Business (1404)
  8. FTTH (1330)
  9. Statistics (1223)
  10. Mobile Broadband (1195)
  11. Fibre Optic (1048)
  12. 4G (1028)
  13. Wireless Internet (1011)
  14. Ofcom Regulation (1004)
  15. Virgin Media (993)
  16. EE (679)
  17. Sky Broadband (662)
  18. TalkTalk (654)
  19. Vodafone (651)
  20. 5G (487)
Helpful ISP Guides and Tips

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms , Privacy and Cookie Policy , Links , Website Rules , Contact