The fallout from a 2015 cyberattack against TalkTalk’s UK website, which exposed the personal data of 156,959 customers to hackers, appears to be continuing after a new report alleges that the broadband ISP failed to correctly inform 4,545 customers that their data had been compromised (instead they were told it was NOT exposed).
The attack combined a Distributed Denial of Service (DDoS) assault with an SQL Injection exploit against TalkTalk’s website, which enabled the hackers to access the personal data of 156,959 customers (15,656 of whom also had sensitive bank account details exposed).
Since then the ISP has been fined £400,000 by the ICO for its “failure to implement the most basic cyber security measures”, and several of those involved in the attack have now been jailed. Meanwhile the incident is believed to have cost TalkTalk around £77 million in repair and recovery costs.
However, a new investigation by the BBC’s Watchdog TV show found that personal details for a further 4,500 customers (i.e. those who were originally told that their data was safe) could still be found online via nothing more complicated than a Google search. The details included full names, postal addresses, email addresses, dates of birth, TalkTalk customer numbers, mobile numbers and bank details.
Until very recently the ISP was continuing to tell some of those affected that their details had not been exposed.
A TalkTalk Spokesperson said:
“The 2015 incident impacted 4% of TalkTalk customers and at the time, we wrote to all those impacted. In addition, we wrote to our entire base to inform them about the breach, advise them about the risk of scam calls and offer free credit monitoring to protect against fraud.
A recent investigation has shown that 4,545 customers may have received the wrong notification regarding this incident. This was a genuine error and we have since written to all those impacted to apologise. 99.9% of customers received the correct notification in 2015.
On their own, none of the details accessed in the 2015 incident could lead to any direct financial loss.”
Unfortunately, the 2015 breach did result in many of those affected being targeted by calls and emails from fraudsters, who could use such information to make their scams seem more authentic (e.g. posing as bank or ISP support agents and quoting the victim’s real customer number or address). Admittedly there have been so many large data breaches over the past few years that linking any particular scam directly back to TalkTalk is perhaps an exercise in futility.
The data could conceivably also be used by fraudsters to sign up for other services, set up direct debits and thus purchase goods in the victim’s name.