
Security Fail Allowed TalkTalk Customer to See Different Person’s Account UPDATE

Saturday, Mar 13th, 2021 (12:01 am) - Score 10,656

One of TalkTalk’s UK broadband ISP customers, who asked to remain anonymous, has criticised the provider for being “staggeringly uninterested” after he reported a security flaw, which persisted for the best part of a week and enabled him to see the private personal account details of a different subscriber.

The customer had only recently joined the provider, but upon logging in to TalkTalk’s online account section on 5th March 2021 he was shocked to find that a different customer’s account details were being displayed. “This seems like a major breach of security regulations and something TalkTalk urgently must fix, I’ve contacted them, and they don’t seem very concerned,” he said.

According to the customer, he raised the “totally unacceptable” issue with TalkTalk’s customer care team on Twitter, but they just kept “repeating that I will be able to see my details when the account is activated, which rather misses the point, I think. I have repeated this a few times to them, but they keep saying the same thing.” The matter has also been raised with the Information Commissioner’s Office (ICO).

We’ve seen issues like this crop up with other providers from time to time too, and they’re often a symptom of isolated database errors. “As of this morning [9th March], I can still login and see this other person’s details. It’s a bit odd though as, on login, the page reloads several times, so it does seem like something is technically wrong,” added the customer.


ISPreview.co.uk raised the issue with TalkTalk and was promptly told that it was being investigated as a “matter of urgency and high priority.” After a couple of days the ISP was able to confirm that there had been an anomaly with one customer’s account (albeit affecting private data for two customers), but they added that it was a one-off error and had now been resolved. Sadly, it took an intervention from us before this happened.

The ISP made clear that there was no external penetration of their systems (hacking), nor any insider threat or intrusion, and the customer’s details were not stolen (we should add that no financial details were ever exposed).

A TalkTalk Spokesperson said:

“We have investigated the incident and identified a one-off technical error that led to a limited amount of one customer’s data being visible to the customer ISP Review contacted us about. This issue has now been fully resolved. We are in contact with and have apologised directly to the customer concerned.”

We queried how customers should go about the business of reporting future security issues to the provider and were advised that they should use TalkTalk’s regular customer channels (telephone, email, live chat and Twitter), even though that didn’t work too well this time around. TalkTalk added that keeping their customers’ data secure was a top priority, and they would always expedite the handling of such enquiries.

UPDATE 29th March 2021

We’ve been in contact with the TalkTalk customer who had their account exposed, and he claims to have been contacted by 11 of the provider’s other customers about the issue, which suggests that the breach was wider than the ISP indicated. The customer concerned is now considering legal action.

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England). He also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.
Comments
32 Responses
  1. JmJohnson says:

    Please… it’s not a one off.
    They keep sending bills to my office for an active service we’ve never had.
    Every 3 months I advise them that either they are making an error or not stopping a fraudulent account.
    They say they’ll investigate it and then I get another bill at a later date.

  2. Tom says:

    Reminds me of Barclays. I was about to close the account so wanted to download the statement history. I just downloaded my statements and noticed along with mine, some of them belonged to someone else. They weren’t super interested though for some reason.

  3. Issac says:

    Ye I reported the same thing and they were very just ok well no problem

  4. Rob Wilcock says:

    It has been 99.9% impossible to contact talktalk for months as they hide behind covid excuses to cut customer services staff. They give a number which only takes you through an automated service. The online chat hasn’t worked for months. Most of their email addresses either don’t work or they just don’t reply. It took me months to get a problem fixed which was a simple fix of a new router. Worst customer service I have ever seen. You just can’t contact them. I eventually got my problem fixed after I contacted the CEO.

    1. derek durbridge says:

      I had the same problem with them, was paying 41 pound a month for nothing. Cancelled my contract as they broke it, now hounding me for money lol

  5. S.G says:

    Had the same issue in October last year. I saw someone’s account including devices connected to their router. Reported to TalkTalk. They did nothing about it. Thankfully I left them within 30 days (mainly for different reasons but this definitely contributed). Are you able to share ICO’s reference? I’d love to report my case too and I think it would be great to link them.

  6. Mrs Susan baker says:

    Been with talk talk from the 2/3/21 and still can’t use my phone.

  7. GNewton says:

    This would be a severe security breach and as such not fit for a telecom service, hence a breach of contract, in which case the user should cancel the contract with TalkTalk immediately. Perhaps also report it to the ICO, too?

  8. D Robertson says:

    I have reported my landline a few times they keep sending me a link to report done this 3 times said issues and they will let me know when fixed won’t hold my breath on that 1. I will be changing providers

  9. Optimist says:

    Calamity Dido moved from Talk Talk to take charge of the NHS COVID Test and Trace programme. That has been a failure too.

    1. Stephen Wakeman says:

      Yeah funnily enough they had an issue with contacts and details too didn’t they. Using such state of the art technology to parse millions of people’s details. An Excel workbook.

  10. John says:

    I had been with talktalk for 5 years. Then had a fault on the phone line which meant they had to divert my calls to my mobile. 5 months later and hours spent trying to talk to someone who could understand plain English I have moved to Vodafone.

    1. Stuart Gibson says:

      You have gone from bad to worse sadly, both companies’ customer service is shockingly bad

  11. Roger_Gooner says:

    I don’t understand how this error is possible. If, say, the account number is the primary key the database will ensure that it’s unique among the customer records. One example is Oracle’s unique constraint which is an integrity constraint that ensures the data stored in a column, or a group of columns, is unique among the rows in a table.

  12. André says:

    Bearing in mind they were the stooges behind the largest data breach ever in the UK a few years ago, it seems they’re remaining true to form.

    Wouldn’t touch them with a barge pole, no matter how cheap they are.

  13. Darren Reid says:

    This is absolutely shocking. They need a bug bounty contact email at minimum

  14. JP says:

    Typical of pretty much any company now to either leak or sell your data, I trust none of them.

  15. Mike says:

    Bucket shop ISP, bucket shop security.

  16. timeless says:

    I see not much has changed since Dido Harding got sacked and went to track and trace.. she left a mess and continued to be part of one.

    1. Buggerlugz says:

      friends in high places obviously….

    2. Stephen Wakeman says:

      Her husband is the MP for Weston Super Mare. And she’s into horse racing with close friend Matt Hancock.

      But I’m sure her appointment was unrelated and was because of her impeccable record of making a dog’s dinner out of everything she turns her hand towards.

      This government is a festering carcass of corruption. I hope Dido’s bank details get leaked and a Nigerian online fraud ring rinse her dry. It would be the least that karma could do.

  17. Matt says:

    Not surprised, the security at TalkTalk has always been an issue. However, you can’t expect customer service staff to handle it properly. It’s probably better to try to speak to their managers as they would be more capable of handling it.

    Pretty sure disclosing the vulnerability information on deep web would wake them up as well.

  18. Ivanhoe says:

    Have had a problem with my talktalk plus box for months. Recordings freezing when playing back, live TV just goes blank.
    Complained by letter after several chat line discussions. Same advice, reset your box. Issue persists, then a promise of sending a new box which never arrived. Still waiting for a response to my letter. Terrible service after being with them years. They have gone downhill recently.

  19. Sandra says:

    My parents are elderly and recently joined talktalk, they have been left with no phone or Internet. I think it disgusting that the only advice they gave me was to reset router, no mention of phone. I’m going to report to ombudsman to get contract terminated.

  20. Sarah says:

    I have spent months trying to cancel my account, even had a debt collectors letter for a “service” that has never existed. They failed to “go live” when I moved house and I rang them to cancel. Ten days later my father started a new contract, unfortunately with them, yet they have still charged me for the last 5 months. Absolute joke of a company, spent hours on the phone and still not sorted.

  21. Nick says:

    After complaining 5 times and pointless credits costing TalkTalk up to £165 yes that’s right I’ve only paid talktalk £19 since November as the broadband was free for 3 months so was just paying for anytime calls.

    Anyway the service has never worked well and I found a cheaper deal with Vodafone and guess what it works very well!

  22. Nick says:

    Also demand to leave early without a penalty. I asked for that and they decided to let me go with no penalty!

  23. Jim says:

    They recently hired Mic Holden Head of Transformation who already screwed quite a few companies, wish them good luck.

  24. Bruce says:

    Why is anyone surprised? Talktalk operate on end of life out of support operating systems and freeware. Carry hundreds of thousands of known vulnerabilities that they won’t/can’t remediate. GDPR, PCI, standard security controls disregarded. MD of Security and Change and IT Ops Director being moved on in the regular rounds of restructuring. Trust them with your data at your peril.

  25. Ray Woodward says:

    Ah, finally a taste of normality, Talk Talk screwing customers about …

  26. Christopher Kenney says:

    TalkTalk had a big outage in London and the surrounding area last night, we were without internet from around 21.15 onwards. They are honestly a terrible company. Their help lines are staffed by idiots in the Philippines, it’s impossible to get to speak with a sensible person and the company couldn’t care less.
    When my contract’s up I shall abandon having a traditional phone and just use mobiles, then move the internet to another company. I have had enough of them. As for the regulator Ofcom, I suspect all they do is act the fool and draw their salaries

  27. DONALD. R .STANLEY says:

    WHEN TRYING TO LOG IN I WAS ASKED FOR A PASSWORD I HAD NOT BEEN ASKED BEFORE AND DID NOT HAVE ONE I WAS SENT A TEXT TO AN OLD MOBILE I HAD HAD CHANGED BOTH MY SUPPLIER AND MOBILE NUMBER, THEY OFFERED TO SEND ME A TEXT BUT NOMINATED MY OLD NUMBER WHICH I HAD PREVIOUSLY INFORMED THEM OF, I COULD NOT GET ANY SENSE OUT OF AUTOMATIC ANSWERS AND HUMAN CONTACT NO ONE COULD GRASP THE PROBLEM AND I WAS SHUNTED AROUND FOR TWO DAYS UNTIL THREE DAYS PRIOR TO THE MONTH END I RAN OVER MY CALL LIMIT ALL THROUGH MY MANY FRUSTRATING CALLS TO THEM NEVER AGAIN ONCE THIS IS SORTED
