The fallout from a 2015 cyberattack against TalkTalk’s UK website, which exposed the personal data of 156,959 customers to hackers, appears to be continuing after a new report alleges that the broadband ISP failed to correctly inform 4,545 customers that their data had been compromised (instead they were told it was NOT exposed).
The attack combined a Distributed Denial of Service (DDoS) assault with an SQL Injection exploit against TalkTalk’s website (here), which gave the hackers access to the personal data of 156,959 customers, 15,656 of whom also had sensitive bank account details exposed.
Since then the ISP has been fined £400,000 by the ICO (here) for their “failure to implement the most basic cyber security measures” and several of those involved in the attack have now been jailed. Meanwhile it’s believed to have cost TalkTalk around £77 million to repair and recover from the damage.
However a new investigation by the BBC’s Watchdog TV show found that personal details for a further 4,500 customers (i.e. those who were originally told that their data was safe) could still be found online via nothing more complicated than a Google search. The details included full names, addresses, email addresses, dates of birth, TalkTalk customer numbers, mobile numbers and bank details.
Until very recently the ISP was continuing to tell some of those affected that their details had not been exposed.
A TalkTalk Spokesperson said:
“The 2015 incident impacted 4% of TalkTalk customers and at the time, we wrote to all those impacted. In addition, we wrote to our entire base to inform them about the breach, advise them about the risk of scam calls and offer free credit monitoring to protect against fraud.
A recent investigation has shown that 4,545 customers may have received the wrong notification regarding this incident. This was a genuine error and we have since written to all those impacted to apologise. 99.9% of customers received the correct notification in 2015.
On their own, none of the details accessed in the 2015 incident could lead to any direct financial loss.”
Unfortunately the 2015 breach did result in many of those affected being targeted by calls and emails from fraudsters, who would have been able to use such information in order to make their scams seem more authentic (e.g. posing as bank or ISP support agents). Admittedly there have been so many huge data breaches over the past few years that linking such activity directly back to TalkTalk itself is perhaps an exercise in futility.
The data could conceivably also be used by fraudsters to sign up for other services, set up direct debits and thus purchase goods on the victim’s behalf.
“Since then the ISP has been fined £400,000 by the ICO (here) for their “failure to implement the most basic cyber security measures” and several of those involved in the attack have now been jailed. Meanwhile it’s believed to have cost TalkTalk around £77 million to repair and recover from the damage.”
I’m sure many IT bods reading this will shake their heads with a familiar recognition. It’s astonishing how many companies – even large ones – still don’t take security seriously, yet the costs of recovering from a breach as above dwarf any ongoing costs.
All made worse by the response of the clueless Dido Harding who didn’t resign until 19 months later.
So have the additional 4,545 customers been contacted now?
As a previous TT customer, how can I tell if this affects me?
@StillWaitingForSuperFast
If you’re a previous customer like me then the answer is no. However you can tell if you’ve been affected by the amount of scam phone calls you get from Indian-sounding people or robot voices saying there is a problem with your internet service and they are TalkTalk representatives who want to help you with your (non-existent) internet problem.
We’re still getting them 3 years later after leaving TalkTalk!